feat(backend): Handles cross origin syncing on primary domains

[brkalow]

Description

Introduces a new case in the authenticateRequest() where a signed in request has a cross-origin referrer domain. In this case, the auth state might have changed on the satellite domain, and so we need to force a handshake.

fixes USER-2298

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Enhanced security by detecting and enforcing a handshake for cross-origin document requests from satellite domains to the primary domain.
  • Added a new error reason for cross-origin sync scenarios.
  • Introduced a method to identify cross-origin referrer requests.

• Tests

  • Expanded test coverage to include various cross-origin request scenarios and handshake enforcement.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 2, 2025 8:05pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 87a854f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@clerk/backend	Minor
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/remix	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes introduce logic to enforce a handshake when a cross-origin document request is made to the primary domain from a satellite domain, even if a valid session token is present. A new error reason (PrimaryDomainCrossOriginSync) is added, and a method (isCrossOriginReferrer) is implemented to detect cross-origin referrers. The main authentication flow in authenticateRequestWithTokenInCookie now checks for cross-origin document requests and, if detected, triggers a handshake state. The test suite is expanded to cover these scenarios, and a new constant for the sec-fetch-site header is added.

Assessment against linked issues

Objective	Addressed	Explanation
Detect cross-origin document requests from satellite to primary domain and force handshake (USER-2298)	✅
Add logic to check if request is a document and referrer is cross-origin (USER-2298)	✅
Introduce explicit error reason for cross-origin sync handshake (USER-2298)	✅
Add/extend tests to cover cross-origin handshake enforcement (USER-2298)	✅

Suggested reviewers

• wobsoriano
• aeliox

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a6e29b and 87a854f.

📒 Files selected for processing (3)

• packages/backend/src/constants.ts (1 hunks)
• packages/backend/src/tokens/__tests__/request.test.ts (1 hunks)
• packages/backend/src/tokens/authenticateContext.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• packages/backend/src/constants.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/backend/src/tokens/authenticateContext.ts
• packages/backend/src/tokens/tests/request.test.ts

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/orange-bikes-prove.md (1)

5-5: Hyphenate compound adjectives for clarity & consistency

Use hyphens in compound modifiers to align with project style and remove the LanguageTool warning.

-Trigger a handshake on a signed in, cross origin request to sync session state from a satellite domain.
+Trigger a handshake on a signed-in, cross-origin request to sync session state from a satellite domain.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c1afe34 and 25bd759.

📒 Files selected for processing (2)

• .changeset/orange-bikes-prove.md (1 hunks)
• packages/backend/src/tokens/__tests__/request.test.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/backend/src/tokens/tests/request.test.ts

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: dstaley
PR: clerk/javascript#6116
File: .changeset/tangy-garlics-say.md:1-2
Timestamp: 2025-06-13T16:09:53.061Z
Learning: In the Clerk JavaScript repository, contributors create intentionally empty changeset files (containing only the YAML delimiters) when a PR touches only non-published parts of the codebase (e.g., sandbox assets). This signals that no package release is required, so such changesets should not be flagged as missing content.

.changeset/orange-bikes-prove.md (3)

Learnt from: dstaley
PR: clerk/javascript#6116
File: .changeset/tangy-garlics-say.md:1-2
Timestamp: 2025-06-13T16:09:53.061Z
Learning: In the Clerk JavaScript repository, contributors create intentionally empty changeset files (containing only the YAML delimiters) when a PR touches only non-published parts of the codebase (e.g., sandbox assets). This signals that no package release is required, so such changesets should not be flagged as missing content.

Learnt from: jacekradko
PR: clerk/javascript#5905
File: .changeset/six-ears-wash.md:1-3
Timestamp: 2025-06-26T03:27:05.535Z
Learning: In the Clerk JavaScript repository, changeset headers support single quotes syntax (e.g., '@clerk/backend': minor) and work fine with their current changesets integration, so there's no need to change them to double quotes.

Learnt from: CR
PR: clerk/javascript#0
File: .cursor/rules/monorepo.mdc:0-0
Timestamp: 2025-06-30T10:30:56.197Z
Learning: Applies to .changeset/config.json : Automated releases must be managed with Changesets.

🪛 LanguageTool

.changeset/orange-bikes-prove.md

[misspelling] ~5-~5: This word is normally spelled with a hyphen.
Context: ...-- Trigger a handshake on a signed in, cross origin request to sync session state from a sa...

(EN_COMPOUNDS_CROSS_ORIGIN)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Build Packages
• GitHub Check: Analyze (javascript-typescript)

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6238

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6238

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6238

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6238

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6238

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6238

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6238

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6238

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6238

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6238

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6238

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6238

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6238

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6238

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6238

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6238

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6238

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6238

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6238

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6238

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6238

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6238

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6238

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6238

commit: 87a854f

[jacekradko]

I think this should work. We can probably enhance this check in the future