Merge branch 'main' into jacek/re-enable-renovate

Author: jacekradko

.changeset/fix-release-npm-upgrade.md

@@ -79,7 +79,7 @@
     "@clerk/testing": "workspace:*",
     "@commitlint/cli": "^19.8.0",
     "@commitlint/config-conventional": "^19.8.0",
-    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/eslintrc": "^3.3.5",
     "@eslint/js": "9.31.0",
     "@faker-js/faker": "^9.9.0",
     "@octokit/rest": "^20.1.2",
@@ -107,12 +107,12 @@
     "eslint-plugin-import": "2.32.0",
     "eslint-plugin-jsdoc": "50.8.0",
     "eslint-plugin-jsx-a11y": "6.10.2",
-    "eslint-plugin-playwright": "2.2.0",
+    "eslint-plugin-playwright": "2.10.1",
     "eslint-plugin-react": "7.37.5",
     "eslint-plugin-react-hooks": "5.2.0",
     "eslint-plugin-simple-import-sort": "12.1.1",
     "eslint-plugin-turbo": "2.5.5",
-    "eslint-plugin-unused-imports": "4.1.4",
+    "eslint-plugin-unused-imports": "4.4.1",
     "eslint-plugin-yml": "1.18.0",
     "execa": "^5.1.1",
     "expect-type": "^0.20.0",
@@ -145,7 +145,7 @@
     "typedoc-plugin-markdown": "4.6.4",
     "typedoc-plugin-replace-text": "4.2.0",
     "typescript": "catalog:repo",
-    "typescript-eslint": "8.38.0",
+    "typescript-eslint": "8.58.0",
     "uuid": "8.3.2",
     "vitest": "3.2.4",
     "zx": "catalog:repo"

package.json

@@ -1,5 +1,12 @@
 # @clerk/agent-toolkit
 
+## 0.3.11
+
+### Patch Changes
+
+- Updated dependencies [[`bedad42`](https://github.com/clerk/javascript/commit/bedad42b3a3bce899e23b38ef0b0f8d5b8d1149d)]:
+  - @clerk/backend@3.2.7
+
 ## 0.3.10
 
 ### Patch Changes

packages/agent-toolkit/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/agent-toolkit",
-  "version": "0.3.10",
+  "version": "0.3.11",
   "description": "Clerk Toolkit for AI Agents",
   "homepage": "https://clerk.com/",
   "bugs": {

packages/agent-toolkit/package.json

@@ -1,5 +1,12 @@
 # @clerk/astro
 
+## 3.0.11
+
+### Patch Changes
+
+- Updated dependencies [[`bedad42`](https://github.com/clerk/javascript/commit/bedad42b3a3bce899e23b38ef0b0f8d5b8d1149d)]:
+  - @clerk/backend@3.2.7
+
 ## 3.0.10
 
 ### Patch Changes

packages/astro/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/astro",
-  "version": "3.0.10",
+  "version": "3.0.11",
   "description": "Clerk SDK for Astro",
   "keywords": [
     "auth",

packages/astro/package.json

@@ -1,5 +1,11 @@
 # Change Log
 
+## 3.2.7
+
+### Patch Changes
+
+- Fix POST requests with `sec-fetch-dest: document` incorrectly triggering handshake redirects, resulting in 405 errors from FAPI. Non-GET requests (e.g. native form submissions) are now excluded from handshake and multi-domain sync eligibility. ([#8045](https://github.com/clerk/javascript/pull/8045)) by [@jacekradko](https://github.com/jacekradko)
+
 ## 3.2.6
 
 ### Patch Changes

packages/backend/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@clerk/backend",
-  "version": "3.2.6",
+  "version": "3.2.7",
   "description": "Clerk Backend SDK - REST Client for Backend API & JWT verification utilities",
   "homepage": "https://clerk.com/",
   "bugs": {

packages/backend/package.json

@@ -94,6 +94,7 @@ describe('HandshakeService', () => {
       clerkUrl: new URL('https://example.com'),
       frontendApi: 'api.clerk.com',
       instanceType: 'production',
+      method: 'GET',
       usesSuffixedCookies: () => true,
       secFetchDest: 'document',
       accept: 'text/html',
@@ -139,6 +140,25 @@ describe('HandshakeService', () => {
       mockAuthenticateContext.accept = 'image/png';
       expect(handshakeService.isRequestEligibleForHandshake()).toBe(false);
     });
+
+    it('should return false for POST requests with document secFetchDest', () => {
+      mockAuthenticateContext.method = 'POST';
+      mockAuthenticateContext.secFetchDest = 'document';
+      expect(handshakeService.isRequestEligibleForHandshake()).toBe(false);
+    });
+
+    it('should return false for PUT requests with document secFetchDest', () => {
+      mockAuthenticateContext.method = 'PUT';
+      mockAuthenticateContext.secFetchDest = 'document';
+      expect(handshakeService.isRequestEligibleForHandshake()).toBe(false);
+    });
+
+    it('should return false for POST requests with text/html accept without secFetchDest', () => {
+      mockAuthenticateContext.method = 'POST';
+      mockAuthenticateContext.secFetchDest = undefined;
+      mockAuthenticateContext.accept = 'text/html';
+      expect(handshakeService.isRequestEligibleForHandshake()).toBe(false);
+    });
   });
 
   describe('buildRedirectToHandshake', () => {

packages/backend/src/tokens/__tests__/handshake.test.ts

@@ -1925,6 +1925,39 @@ describe('tokens.authenticateRequest(options)', () => {
       });
     });
 
+    test('does not trigger handshake for cross-origin POST document request on primary domain', async () => {
+      const cookieStr = Object.entries({
+        __session: mockJwt,
+        __client_uat: '12345',
+      })
+        .map(([k, v]) => `${k}=${v}`)
+        .join(';');
+
+      const request = new Request('https://primary.com/dashboard', {
+        method: 'POST',
+        headers: {
+          ...defaultHeaders,
+          referer: 'https://satellite.com/form',
+          'sec-fetch-dest': 'document',
+          cookie: cookieStr,
+        },
+      });
+
+      const requestState = await authenticateRequest(request, {
+        ...mockOptions(),
+        publishableKey: PK_LIVE,
+        domain: 'primary.com',
+        isSatellite: false,
+        signInUrl: 'https://primary.com/sign-in',
+      });
+
+      expect(requestState).toBeSignedIn({
+        domain: 'primary.com',
+        isSatellite: false,
+        signInUrl: 'https://primary.com/sign-in',
+      });
+    });
+
     test('does not trigger handshake for non-document requests', async () => {
       const request = mockRequestWithCookies(
         {
@@ -2205,4 +2238,62 @@ describe('tokens.authenticateRequest(options)', () => {
       });
     });
   });
+
+  describe('POST requests with sec-fetch-dest: document', () => {
+    const mockPostRequest = (headers = {}, cookies = {}, requestUrl = 'http://clerk.com/path') => {
+      const cookieStr = Object.entries(cookies)
+        .map(([k, v]) => `${k}=${v}`)
+        .join(';');
+
+      return new Request(requestUrl, {
+        method: 'POST',
+        headers: { ...defaultHeaders, 'sec-fetch-dest': 'document', cookie: cookieStr, ...headers },
+      });
+    };
+
+    test('returns signed out instead of handshake when clientUat > 0 and no cookieToken', async () => {
+      const requestState = await authenticateRequest(
+        mockPostRequest({}, { __client_uat: '12345' }),
+        mockOptions({ secretKey: 'deadbeef', publishableKey: PK_LIVE }),
+      );
+
+      expect(requestState).toBeSignedOut({ reason: AuthErrorReason.ClientUATWithoutSessionToken });
+    });
+
+    test('returns signed out instead of handshake for satellite app needing sync', async () => {
+      const requestState = await authenticateRequest(
+        mockPostRequest({}, { __client_uat: '0' }),
+        mockOptions({
+          publishableKey: PK_LIVE,
+          secretKey: 'deadbeef',
+          isSatellite: true,
+          signInUrl: 'https://primary.dev/sign-in',
+          domain: 'satellite.dev',
+        }),
+      );
+
+      expect(requestState).toBeSignedOut({
+        reason: AuthErrorReason.SessionTokenAndUATMissing,
+        isSatellite: true,
+        signInUrl: 'https://primary.dev/sign-in',
+        domain: 'satellite.dev',
+      });
+    });
+
+    test('returns signed out instead of handshake when clientUat > cookieToken.iat', async () => {
+      const requestState = await authenticateRequest(
+        mockPostRequest(
+          {},
+          {
+            __clerk_db_jwt: 'deadbeef',
+            __client_uat: `${mockJwtPayload.iat + 10}`,
+            __session: mockJwt,
+          },
+        ),
+        mockOptions(),
+      );
+
+      expect(requestState).toBeSignedOut({ reason: AuthErrorReason.SessionTokenIATBeforeClientUAT });
+    });
+  });
 });