chore: precise check using isOAuthJWT

wobsoriano · wobsoriano · commit 91b12ed34ce7 · 2026-02-04T11:53:55.000-08:00
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -14,7 +14,7 @@ import { AuthErrorReason, handshake, signedIn, signedOut, signedOutInvalidToken
 import { createClerkRequest } from './clerkRequest';
 import { getCookieName, getCookieValue } from './cookie';
 import { HandshakeService } from './handshake';
-import { getMachineTokenType, isMachineToken, isTokenTypeAccepted } from './machine';
+import { getMachineTokenType, isMachineToken, isOAuthJwt, isTokenTypeAccepted } from './machine';
 import { OrganizationMatcher } from './organizationMatcher';
 import type { MachineTokenType, SessionTokenType } from './tokenTypes';
 import { TokenType } from './tokenTypes';
@@ -411,12 +411,11 @@ export const authenticateRequest: AuthenticateRequest = (async (
   async function authenticateRequestWithTokenInHeader() {
     const { tokenInHeader } = authenticateContext;
 
-    // SECURITY: Reject machine tokens (M2M, OAuth, API keys) when expecting session tokens.
-    // OAuth JWTs (RFC 9068) are valid JWTs signed by Clerk and will pass verifyToken() verification,
-    // but they should not be accepted as session tokens. We must explicitly check the token type
-    // before verification to prevent machine tokens from being incorrectly authenticated as sessions.
+    // Reject OAuth JWTs that may appear in headers when expecting session tokens.
+    // OAuth JWTs are valid Clerk-signed JWTs and will pass verifyToken() verification,
+    // but should not be accepted as session tokens.
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    if (isMachineToken(tokenInHeader!)) {
+    if (isOAuthJwt(tokenInHeader!)) {
       return signedOut({
         tokenType: TokenType.SessionToken,
         authenticateContext,
@@ -622,19 +621,6 @@ export const authenticateRequest: AuthenticateRequest = (async (
       return handleSessionTokenError(decodedErrors[0], 'cookie');
     }
 
-    // SECURITY: Defense-in-depth check to reject machine tokens in cookies.
-    // While machine tokens should only be in headers, this prevents potential security issues
-    // if a machine token somehow ends up in the session cookie.
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    if (isMachineToken(authenticateContext.sessionTokenInCookie!)) {
-      return signedOut({
-        tokenType: TokenType.SessionToken,
-        authenticateContext,
-        reason: AuthErrorReason.TokenTypeMismatch,
-        message: '',
-      });
-    }
-
     if (decodeResult.payload.iat < authenticateContext.clientUat) {
       return handleMaybeHandshakeStatus(authenticateContext, AuthErrorReason.SessionTokenIATBeforeClientUAT, '');
     }
