fix(backend): Remove __dev_session and refactor to use constants (#2883)

Co-authored-by: Nikos Douvlis <nikosdouvlis@gmail.com>
clerk · Feb 28, 2024 · 15af02a · 15af02a
1 parent f8328de
commit 15af02a
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 43 deletions.
diff --git a/.changeset/fair-peas-promise.md b/.changeset/fair-peas-promise.md
@@ -0,0 +1,6 @@
+---
+'@clerk/backend': patch
+---
+
+Remove `__dev_session` legacy query param used to pass the Dev Browser token in previous major version.
+This param will be visible only when using Account Portal with "Core 1" version.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/backend/src/constants.ts b/packages/backend/src/constants.ts
@@ -23,6 +23,11 @@ const Cookies = {
 const QueryParameters = {
   ClerkSynced: '__clerk_synced',
   ClerkRedirectUrl: '__clerk_redirect_url',
+  // use the reference to Cookies to indicate that it's the same value
+  DevBrowser: Cookies.DevBrowser,
+  Handshake: Cookies.Handshake,
+  HandshakeHelp: '__clerk_help',
+  LegacyDevBrowser: '__dev_session',
 } as const;
 
 const Headers = {

diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -74,16 +74,25 @@ export async function authenticateRequest(
     assertProxyUrlOrDomain(authenticateContext.proxyUrl || authenticateContext.domain);
   }
 
+  function removeDevBrowserFromURL(url: URL) {
+    const updatedURL = new URL(url);
+
+    updatedURL.searchParams.delete(constants.QueryParameters.DevBrowser);
+    // Remove legacy dev browser query param key to support local app with v5 using AP with v4
+    updatedURL.searchParams.delete(constants.QueryParameters.LegacyDevBrowser);
+
+    return updatedURL;
+  }
+
   function buildRedirectToHandshake() {
-    const redirectUrl = new URL(authenticateContext.clerkUrl);
-    redirectUrl.searchParams.delete('__clerk_db_jwt');
+    const redirectUrl = removeDevBrowserFromURL(authenticateContext.clerkUrl);
     const frontendApiNoProtocol = pk.frontendApi.replace(/http(s)?:\/\//, '');
 
     const url = new URL(`https://${frontendApiNoProtocol}/v1/client/handshake`);
     url.searchParams.append('redirect_url', redirectUrl?.href || '');
 
     if (pk?.instanceType === 'development' && authenticateContext.devBrowserToken) {
-      url.searchParams.append('__clerk_db_jwt', authenticateContext.devBrowserToken);
+      url.searchParams.append(constants.QueryParameters.DevBrowser, authenticateContext.devBrowserToken);
     }
 
     return new Headers({ location: url.href });
@@ -101,15 +110,15 @@ export async function authenticateRequest(
     let sessionToken = '';
     cookiesToSet.forEach((x: string) => {
       headers.append('Set-Cookie', x);
-      if (x.startsWith('__session=')) {
+      if (x.startsWith(`${constants.Cookies.Session}=`)) {
         sessionToken = x.split(';')[0].substring(10);
       }
     });
 
     if (instanceType === 'development') {
       const newUrl = new URL(authenticateContext.clerkUrl);
-      newUrl.searchParams.delete('__clerk_handshake');
-      newUrl.searchParams.delete('__clerk_help');
+      newUrl.searchParams.delete(constants.QueryParameters.Handshake);
+      newUrl.searchParams.delete(constants.QueryParameters.HandshakeHelp);
       headers.append('Location', newUrl.toString());
     }
 
@@ -255,7 +264,7 @@ ${error.getFullMessage()}`,
       constants.QueryParameters.ClerkRedirectUrl,
     );
     if (instanceType === 'development' && !authenticateContext.isSatellite && redirectUrl) {
-      // Dev MD sync from primary, redirect back to satellite w/ __clerk_db_jwt
+      // Dev MD sync from primary, redirect back to satellite w/ dev browser query param
       const redirectBackToSatelliteUrl = new URL(redirectUrl);
 
       if (authenticateContext.devBrowserToken) {