fix(clerk-js): backport monotonic session token guard for Core 2#9090
fix(clerk-js): backport monotonic session token guard for Core 2#9090nikosdouvlis wants to merge 1 commit into
Conversation
Backport of #9030 to the Core 2 maintenance line. Prevents a staler session token from overwriting a fresher one on the same tab, protecting the __session cookie and the in-memory lastActiveToken. Freshness is ranked by the JWT oiat header, then iat; tokens without oiat pass through. Core 2 predates the token-cache substrate the original built on (no resolvedToken or baseline chaining and no background-refresh timers), so the tokenCache rework and its tests are omitted. The two write-site guards, the AuthCookieService cookie write and the Session lastActiveToken assignment, deliver the user-facing guarantee on their own.
🦋 Changeset detectedLatest commit: 48ab952 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/elements
@clerk/clerk-expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/clerk-react
@clerk/react-router
@clerk/remix
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/themes
@clerk/types
@clerk/upgrade
@clerk/vue
commit: |
Why
Core 2 is still loaded into production apps, and it has the same bug #9030 fixed on main: a stale edge-minted session token (lower JWT
oiat) can overwrite a fresher one on the same tab, clobbering the__sessioncookie or the in-memorylastActiveToken.What changed
Ports the two write-site guards from #9030: the cookie-write guard in
AuthCookieServiceand thelastActiveTokenguard inSession, plus thetokenFreshnesshelpers they use. Freshness is ranked by the JWToiatheader, theniat; tokens withoutoiatpass through untouched. ThetokenCacherework from #9030 (baseline/resolvedToken chaining, background-refresh timers) is left out on purpose: Core 2 predates that cache substrate, and the two guards deliver the guarantee on their own without pulling in unrelated features.Blockers / related
Backports #9030.