Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(backend): Limit handshake to document requests #2352

Merged
merged 6 commits into from Dec 15, 2023
Merged

feat(backend): Limit handshake to document requests #2352

merged 6 commits into from Dec 15, 2023

Conversation

BRKalow
Copy link
Member

@BRKalow BRKalow commented Dec 14, 2023
edited

Description

Limit the handshake flow to document requests. We identify this by checking for the presence of the Sec-Fetch-Dest header with the value document. For browsers that don't support this header, we check that the Accept header value starts with text/html, which is a reasonable enough indication that it's a document request.

Checklist

  • npm test runs as expected.
  • npm run build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Packages affected

  • @clerk/backend
  • @clerk/chrome-extension
  • @clerk/clerk-js
  • @clerk/clerk-expo
  • @clerk/fastify
  • gatsby-plugin-clerk
  • @clerk/localizations
  • @clerk/nextjs
  • @clerk/clerk-react
  • @clerk/remix
  • @clerk/clerk-sdk-node
  • @clerk/shared
  • @clerk/themes
  • @clerk/types
  • build/tooling/chore

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Dec 14, 2023
edited

🦋 Changeset detected

Latest commit: df9aba8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages
Name Type
@clerk/backend Patch
@clerk/fastify Patch
gatsby-plugin-clerk Patch
@clerk/nextjs Patch
@clerk/remix Patch
@clerk/clerk-sdk-node Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@BRKalow BRKalow changed the title feat(backend): Support dev handshake when the redirect ends up tainted feat(backend): Limit handshake to document requests Dec 14, 2023
@BRKalow BRKalow marked this pull request as ready for review December 14, 2023 22:14
BRKalow
BRKalow commented Dec 15, 2023
View reviewed changes
packages/backend/src/tokens/__tests__/request.test.ts
@@ -388,12 +388,13 @@ export default (QUnit: QUnit) => {
assert.strictEqual(requestState.toAuth(), null);
});

test('cookieToken: returns undefined when crossOriginReferrer in development and is satellite [6n]', async assert => {
test('cookieToken: returns signedIn when satellite but valid token and clientUat', async assert => {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test name was inaccurate 🧐

packages/backend/src/tokens/__tests__/request.test.ts
@@ -299,6 +298,7 @@ export default (QUnit: QUnit) => {
mockRequestWithCookies(
{
...defaultHeaders,
'sec-fetch-dest': 'empty',
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we're defaulting to sec-fetch-dest: document, we need to explicitly set it to empty for this test case

packages/backend/src/tokens/request.ts
function isRequestEligibleForHandshake(authenticateContext: { secFetchDest?: string; accept?: string }) {
const { accept, secFetchDest } = authenticateContext;

// NOTE: we could also check sec-fetch-mode === navigate here, but according to the spec, sec-fetch-dest: document should indicate that the request is the result of a user navigation.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, you can't overwrite sec-fetch-mode, so testing became difficult.

packages/backend/src/tokens/request.ts
Comment on lines +181 to +193
function handleMaybeHandshakeStatus(
context: typeof authenticateContext,
reason: AuthErrorReason,
message: string,
headers?: Headers,
) {
if (isRequestEligibleForHandshake(context)) {
// Right now the only usage of passing in different headers is for multi-domain sync, which redirects somewhere else.
// In the future if we want to decorate the handshake redirect with additional headers per call we need to tweak this logic.
return handshake(context, reason, message, headers ?? buildRedirectToHandshake());
}
return signedOut(context, reason, message, new Headers());
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This felt like a reasonable abstraction, easy to tweak the handshake heuristic in one place going forward.

@SokratisVidros SokratisVidros merged commit 1e98187 into main Dec 15, 2023
6 of 8 checks passed
@SokratisVidros SokratisVidros deleted the brk.feat/handshake-fetch branch December 15, 2023 14:05
@clerk-cookie clerk-cookie mentioned this pull request Dec 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SokratisVidros SokratisVidros SokratisVidros approved these changes

@colinclerk colinclerk Awaiting requested review from colinclerk

Assignees
No one assigned
Labels
backend fastify integration
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@BRKalow @SokratisVidros @clerk-cookie