Skip to content

Commit 9bee8e1

Browse files
committed
Address review comments
1 parent 67c3fdc commit 9bee8e1

2 files changed

Lines changed: 16 additions & 6 deletions

File tree

packages/backend/src/tokens/__tests__/request.test.ts

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2098,6 +2098,7 @@ describe('tokens.authenticateRequest(options)', () => {
20982098
{
20992099
__session: mockJwt,
21002100
__client_uat: '12345',
2101+
__clerk_db_jwt: mockJwt,
21012102
},
21022103
'https://primary.com/dashboard',
21032104
);
@@ -2110,7 +2111,11 @@ describe('tokens.authenticateRequest(options)', () => {
21102111
signInUrl: 'https://primary.com/sign-in',
21112112
});
21122113

2113-
expect(requestState.reason).not.toBe(AuthErrorReason.PrimaryDomainCrossOriginSync);
2114+
expect(requestState).toBeSignedIn({
2115+
domain: 'primary.com',
2116+
isSatellite: false,
2117+
signInUrl: 'https://primary.com/sign-in',
2118+
});
21142119
});
21152120

21162121
test('does not trigger cross-origin handshake when referer is from dev accounts portal on a dev instance (legacy format)', async () => {
@@ -2123,6 +2128,7 @@ describe('tokens.authenticateRequest(options)', () => {
21232128
{
21242129
__session: mockJwt,
21252130
__client_uat: '12345',
2131+
__clerk_db_jwt: mockJwt,
21262132
},
21272133
'https://primary.com/dashboard',
21282134
);
@@ -2135,7 +2141,11 @@ describe('tokens.authenticateRequest(options)', () => {
21352141
signInUrl: 'https://primary.com/sign-in',
21362142
});
21372143

2138-
expect(requestState.reason).not.toBe(AuthErrorReason.PrimaryDomainCrossOriginSync);
2144+
expect(requestState).toBeSignedIn({
2145+
domain: 'primary.com',
2146+
isSatellite: false,
2147+
signInUrl: 'https://primary.com/sign-in',
2148+
});
21392149
});
21402150

21412151
// A production instance must not trust dev-portal referrers, which are freely obtainable.

packages/backend/src/tokens/authenticateContext.ts

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -216,11 +216,11 @@ class AuthenticateContext implements AuthenticateContext {
216216
}
217217

218218
/**
219-
* Determines if the referrer URL is from a Clerk domain (accounts portal or FAPI).
220-
* This includes both development and production account portal domains, as well as FAPI domains
221-
* used for redirect-based authentication flows.
219+
* Determines if the referrer URL is from a Clerk domain: the instance's FAPI domain, the accounts
220+
* portal derived from its frontend API, or — on non-production instances only — a development
221+
* account-portal domain.
222222
*
223-
* @returns {boolean} True if the referrer is from a Clerk accounts portal or FAPI domain, false otherwise
223+
* @returns {boolean} True if the referrer is a trusted Clerk domain, false otherwise
224224
*/
225225
public isKnownClerkReferrer(): boolean {
226226
if (!this.referrer) {

0 commit comments

Comments
 (0)