refactor(backend): use getAutoProxyUrlFromEnvironment instead of header-based detection

Author: Railly

packages/backend/src/tokens/__tests__/authenticateContext.test.ts

@@ -259,7 +259,21 @@ describe('AuthenticateContext', () => {
   });
 
   describe('auto-proxy for eligible hosts', () => {
-    it('auto-derives proxyUrl for production instances on eligible hostnames', async () => {
+    const originalEnv = process.env;
+
+    beforeEach(() => {
+      process.env = {
+        ...originalEnv,
+        VERCEL_TARGET_ENV: 'production',
+        VERCEL_PROJECT_PRODUCTION_URL: 'myapp-abc123.vercel.app',
+      };
+    });
+
+    afterEach(() => {
+      process.env = originalEnv;
+    });
+
+    it('auto-derives proxyUrl when Vercel env vars indicate production vercel.app', async () => {
       const clerkRequest = createClerkRequest(new Request('https://myapp-abc123.vercel.app/dashboard'));
       const context = await createAuthenticateContext(clerkRequest, {
         publishableKey: pkLive,
@@ -268,7 +282,7 @@ describe('AuthenticateContext', () => {
       expect(context.proxyUrl).toBe('https://myapp-abc123.vercel.app/__clerk');
     });
 
-    it('does NOT auto-derive proxyUrl for development instances on eligible hostnames', async () => {
+    it('does NOT auto-derive proxyUrl for development keys', async () => {
       const clerkRequest = createClerkRequest(new Request('https://myapp-abc123.vercel.app/dashboard'));
       const context = await createAuthenticateContext(clerkRequest, {
         publishableKey: pkTest,
@@ -277,8 +291,10 @@ describe('AuthenticateContext', () => {
       expect(context.proxyUrl).toBeUndefined();
     });
 
-    it('does NOT auto-derive proxyUrl for ineligible domains', async () => {
-      const clerkRequest = createClerkRequest(new Request('https://myapp.com/dashboard'));
+    it('does NOT auto-derive proxyUrl when Vercel env vars are absent', async () => {
+      delete process.env.VERCEL_TARGET_ENV;
+      delete process.env.VERCEL_PROJECT_PRODUCTION_URL;
+      const clerkRequest = createClerkRequest(new Request('https://myapp-abc123.vercel.app/dashboard'));
       const context = await createAuthenticateContext(clerkRequest, {
         publishableKey: pkLive,
       });

packages/backend/src/tokens/authenticateContext.ts

@@ -1,6 +1,5 @@
 import { buildAccountsBaseUrl } from '@clerk/shared/buildAccountsBaseUrl';
-import { isProductionFromPublishableKey } from '@clerk/shared/keys';
-import { AUTO_PROXY_PATH, shouldAutoProxy } from '@clerk/shared/proxy';
+import { AUTO_PROXY_PATH, getAutoProxyUrlFromEnvironment } from '@clerk/shared/proxy';
 import type { Jwt } from '@clerk/shared/types';
 import { isCurrentDevAccountPortalOrigin, isLegacyDevAccountPortalOrigin } from '@clerk/shared/url';
 
@@ -72,14 +71,16 @@ class AuthenticateContext implements AuthenticateContext {
     private clerkRequest: ClerkRequest,
     options: AuthenticateRequestOptions,
   ) {
-    // Auto-detect proxy for supported platform deployments (production only).
-    // Note: hostname is derived from X-Forwarded-Host when present, which is
-    // authoritative on Vercel's edge but spoofable behind misconfigured proxies.
-    if (!options.proxyUrl && !options.domain && isProductionFromPublishableKey(options.publishableKey ?? '')) {
-      const hostname = clerkRequest.clerkUrl.hostname;
-      if (shouldAutoProxy(hostname)) {
-        options = { ...options, proxyUrl: `${clerkRequest.clerkUrl.origin}${AUTO_PROXY_PATH}` };
-      }
+    // Auto-detect proxy for supported platform deployments using environment
+    // variables (e.g. VERCEL_TARGET_ENV, VERCEL_PROJECT_PRODUCTION_URL) instead
+    // of request headers, which avoids X-Forwarded-Host spoofing concerns.
+    const autoProxyPath = getAutoProxyUrlFromEnvironment({
+      publishableKey: options.publishableKey ?? '',
+      hasProxyUrl: !!options.proxyUrl,
+      hasDomain: !!options.domain,
+    });
+    if (autoProxyPath) {
+      options = { ...options, proxyUrl: `${clerkRequest.clerkUrl.origin}${autoProxyPath}` };
     }
 
     if (options.acceptsToken === TokenType.M2MToken || options.acceptsToken === TokenType.ApiKey) {