fix(backend): Fix infinite redirect loops on handshake for invalid se…

…cret key (#3259) By returning a signed-out state for production instances and throwing an error on development instances when the secret key is incorrect we avoid infinite redirect loops.
clerk · Apr 25, 2024 · 4e5de11 · 4e5de11
1 parent d46ab11
commit 4e5de11
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/.changeset/perfect-pumpkins-beg.md b/.changeset/perfect-pumpkins-beg.md
@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Fix infinite redirect loops for production instances with incorrect secret keys
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -230,7 +230,10 @@ ${error.getFullMessage()}`,
             throw new Error(`Clerk: Handshake token verification failed: ${error.getFullMessage()}.`);
           }
 
-          if (error.reason === TokenVerificationErrorReason.TokenInvalidSignature) {
+          if (
+            error.reason === TokenVerificationErrorReason.TokenInvalidSignature ||
+            error.reason === TokenVerificationErrorReason.InvalidSecretKey
+          ) {
             // Avoid infinite redirect loops due to incorrect secret-keys
             return signedOut(
               authenticateContext,