
Conversation

LauraBeatris
Member

@LauraBeatris LauraBeatris commented Oct 9, 2025

Description

This PR introduces enterprise_sso as a strategy for session reverification, as well as adding a new property to the user's SAML account, lastAuthenticatedAt, which can be leveraged to manually trigger reverification from our customer's app.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features

    • Enterprise SSO supported as a first-factor option for session verification (includes UI icon and redirect handling).
  • Enhancements

    • Enterprise and SAML accounts show a “last authenticated” timestamp for recent sign‑in visibility (experimental).
    • Enterprise SSO config gains an optional emailAddressId (experimental); session verification types expanded to accept enterprise SSO and additional attempt options.
  • Chores

    • Patch updates published for backend and related packages.
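A defender-side use of the new lastAuthenticatedAt field, as an added example that is neither Clerk's code nor part of this PR: a customer app compares the account's last IdP authentication time against a freshness policy and decides whether to request enterprise_sso reverification. It assumes the JSON timestamp is milliseconds since the epoch and uses constructed sample data; the type names and ids are hypothetical.

```typescript
// Added example, not Clerk's code: gate a sensitive action on how recently the
// user authenticated with their enterprise IdP, using the lastAuthenticatedAt
// field this PR adds to SAML/enterprise accounts.

export type ReverificationStrategy = 'enterprise_sso';

// Minimal shape of the account JSON discussed in the PR. Only the field name is
// from the PR; treating the value as milliseconds since the epoch is an assumption.
export interface SamlAccountJSONLike {
  id: string;
  provider: string;
  last_authenticated_at?: number | null;
}

export interface ReverificationDecision {
  required: boolean;
  strategy: ReverificationStrategy | null;
  reason:
    | 'recent_idp_authentication'
    | 'no_idp_authentication_recorded'
    | 'idp_authentication_too_old'
    | 'timestamp_in_future';
  lastAuthenticatedAt: Date | null;
}

// Mirrors the PR's "Unix timestamp -> Date, nullable" deserialization, but with an
// explicit null/undefined check so a literal 0 is not silently treated as missing.
export function parseLastAuthenticatedAt(json: SamlAccountJSONLike): Date | null {
  const raw = json.last_authenticated_at;
  if (raw === null || raw === undefined) {
    return null;
  }
  const date = new Date(raw);
  return Number.isNaN(date.getTime()) ? null : date;
}

// Policy check: require enterprise_sso reverification unless the account was
// authenticated at the IdP within maxAgeMs of `now`. Anything unexpected
// (missing value, value in the future) fails closed and requires reverification.
export function decideReverification(
  json: SamlAccountJSONLike,
  maxAgeMs: number,
  now: Date = new Date(),
): ReverificationDecision {
  const lastAuthenticatedAt = parseLastAuthenticatedAt(json);
  if (lastAuthenticatedAt === null) {
    return { required: true, strategy: 'enterprise_sso', reason: 'no_idp_authentication_recorded', lastAuthenticatedAt };
  }
  const ageMs = now.getTime() - lastAuthenticatedAt.getTime();
  if (ageMs < 0) {
    // Clock skew or a manipulated value: do not trust it as a recent login.
    return { required: true, strategy: 'enterprise_sso', reason: 'timestamp_in_future', lastAuthenticatedAt };
  }
  if (ageMs > maxAgeMs) {
    return { required: true, strategy: 'enterprise_sso', reason: 'idp_authentication_too_old', lastAuthenticatedAt };
  }
  return { required: false, strategy: null, reason: 'recent_idp_authentication', lastAuthenticatedAt };
}

// Constructed sample data (not real account ids): IdP login at 12:00 UTC, check at 12:30 UTC.
export const NOW = new Date(Date.UTC(2025, 9, 9, 12, 30, 0));
export const SAMPLE_ACCOUNT: SamlAccountJSONLike = {
  id: 'samlacc_example',
  provider: 'saml_okta',
  last_authenticated_at: Date.UTC(2025, 9, 9, 12, 0, 0),
};
export const ONE_HOUR_MS = 60 * 60 * 1000;
export const TEN_MINUTES_MS = 10 * 60 * 1000;

// Usage: a 1-hour policy accepts the 30-minute-old IdP login, a 10-minute policy does not.
export const LENIENT = decideReverification(SAMPLE_ACCOUNT, ONE_HOUR_MS, NOW);
export const STRICT = decideReverification(SAMPLE_ACCOUNT, TEN_MINUTES_MS, NOW);
console.log(LENIENT.required, STRICT.required); // false true
```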

@LauraBeatris LauraBeatris self-assigned this Oct 9, 2025

changeset-bot bot commented Oct 9, 2025

🦋 Changeset detected

Latest commit: 45fad17

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages
Name Type
@clerk/backend Patch
@clerk/clerk-js Patch
@clerk/types Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/remix Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch
@clerk/elements Patch
@clerk/expo-passkeys Patch
@clerk/localizations Patch
@clerk/clerk-react Patch
@clerk/shared Patch
@clerk/themes Patch
@clerk/vue Patch



vercel bot commented Oct 9, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
clerk-js-sandbox Ready Ready Preview Comment Oct 10, 2025 6:34pm

Contributor

coderabbitai bot commented Oct 9, 2025

Walkthrough

Adds enterprise_sso as a first-factor option and an optional emailAddressId on EnterpriseSSOConfig. Introduces last_authenticated_at on Enterprise and SAML account JSON and resource models (backend and clerk-js). Updates UI icon mapping and adds changeset entries.

Changes

Cohort / File(s) Summary of changes
Release metadata
.changeset/plenty-shirts-tease.md, .changeset/thick-jokes-talk.md
Adds changeset entries documenting the patch and public/data additions: enterprise_sso support and last_authenticated_at.
Types: enterprise SSO + account timestamps
packages/types/src/factors.ts, packages/types/src/json.ts, packages/types/src/session.ts, packages/types/src/sessionVerification.ts
Adds emailAddressId?: string to EnterpriseSSOConfig; includes an experimental variant of EnterpriseSSOConfig in SessionVerifyPrepareFirstFactorParams; adds EnterpriseSSOFactor to SessionVerificationFirstFactor; adds `last_authenticated_at?: number
Backend SAML model updates
packages/backend/src/api/resources/JSON.ts, packages/backend/src/api/resources/SamlAccount.ts
Adds `last_authenticated_at?: number
clerk-js account resources
packages/clerk-js/src/core/resources/EnterpriseAccount.ts, packages/clerk-js/src/core/resources/SamlAccount.ts
Adds `lastAuthenticatedAt: Date
Session first-factor flow
packages/clerk-js/src/core/resources/Session.ts
Adds 'enterprise_sso' branch in prepareFirstFactorVerification, constructing an EnterpriseSSOConfig (includes emailAddressId, enterpriseConnectionId, redirectUrl) and handling it as a first-factor option.
UI: verification method icon
packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
Maps enterprise_sso to the Organization icon in getButtonIcon.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User
  participant UI as AlternativeMethods (UI)
  participant S as clerk-js Session
  participant B as Backend
  participant IdP as Enterprise IdP

  U->>UI: Select "Enterprise SSO"
  UI->>S: prepareFirstFactorVerification('enterprise_sso', EnterpriseSSOConfig)
  S->>B: POST prepare first factor (enterprise_sso, config)
  alt success
    B->>S: Response (redirect URL / instructions)
    S->>U: Redirect to IdP
    U->>IdP: Authenticate
    IdP-->>B: Assertion / callback
    B-->>S: Verification complete
  else error
    B-->>S: Error
    S-->>UI: Surface error
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A hop, a bop, I add SSO cheer,
Last-auth ticks kept, the timeline near.
Buttons don icons, redirects take flight,
Timestamps round-trip, serialized right.
Patch in my pouch — carrot crunch delight! 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title succinctly describes the primary feature of adding the enterprise_sso strategy for session reverification, follows a clear conventional commit style, references the affected packages, and aligns with the pull request’s main change.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 82711af and 45fad17.

📒 Files selected for processing (3)
  • packages/clerk-js/src/core/resources/Session.ts (2 hunks)
  • packages/types/src/session.ts (2 hunks)
  • packages/types/src/sessionVerification.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/clerk-js/src/core/resources/Session.ts
  • packages/types/src/sessionVerification.ts
🧰 Additional context used
📓 Path-based instructions (6)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/types/src/session.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/types/src/session.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/types/src/session.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/types/src/session.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/types/src/session.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/types/src/session.ts
🧬 Code graph analysis (1)
packages/types/src/session.ts (1)
packages/types/src/factors.ts (4)
  • EmailCodeConfig (103-103)
  • PhoneCodeConfig (107-107)
  • PassKeyConfig (110-110)
  • EnterpriseSSOConfig (123-135)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (2)
packages/types/src/session.ts (2)

5-5: Import addition is necessary and correct.

The EnterpriseSSOConfig import is required for the new experimental Enterprise SSO variant in the type union below.


355-362: Confirm no references to omitted property
Automated search for prepareFirstFactorVerification handling enterprise_sso and for any actionCompleteRedirectUrl references returned no matches; manually verify implementations don’t access the omitted property.


Comment @coderabbitai help to get the list of available commands and usage tips.

@LauraBeatris LauraBeatris force-pushed the laura/reverification-with-enterprise-sso branch from 0f1e6fb to 22c734d on October 9, 2025 22:49
@LauraBeatris LauraBeatris changed the title feat(clerk-js,types): Add enterprise_sso for session reverification [wip] feat(clerk-js,types): Add enterprise_sso for session reverification Oct 9, 2025
@NicolasLopes7
Contributor

!snapshot

@NicolasLopes7
Contributor

!snapshot

@NicolasLopes7
Contributor

!snapshot

@LauraBeatris LauraBeatris changed the title [wip] feat(clerk-js,types): Add enterprise_sso for session reverification feat(clerk-js,types): Add enterprise_sso for session reverification Oct 10, 2025
@LauraBeatris LauraBeatris marked this pull request as ready for review October 10, 2025 16:18
@LauraBeatris LauraBeatris changed the title feat(clerk-js,types): Add enterprise_sso for session reverification feat(clerk-js,backend,types): Add enterprise_sso for session reverification Oct 10, 2025
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx (1)

106-135: Critical: Missing label case for enterprise_sso strategy.

The getButtonIcon function at line 131 adds support for enterprise_sso, but the getButtonLabel function (lines 106-123) does not handle this strategy. When an enterprise_sso factor is rendered, getButtonLabel will hit the default case at line 121 and throw an error: Invalid sign in strategy: "enterprise_sso".

Apply this diff to add the missing label case:

 export function getButtonLabel(factor: SessionVerificationFirstFactor): LocalizationKey {
   switch (factor.strategy) {
     case 'email_code':
       return localizationKeys('reverification.alternativeMethods.blockButton__emailCode', {
         identifier: formatSafeIdentifier(factor.safeIdentifier) || '',
       });
     case 'phone_code':
       return localizationKeys('reverification.alternativeMethods.blockButton__phoneCode', {
         identifier: formatSafeIdentifier(factor.safeIdentifier) || '',
       });
     case 'password':
       return localizationKeys('reverification.alternativeMethods.blockButton__password');
     case 'passkey':
       return localizationKeys('reverification.alternativeMethods.blockButton__passkey');
+    case 'enterprise_sso':
+      return localizationKeys('reverification.alternativeMethods.blockButton__enterpriseSSO');
     default:
       throw new Error(`Invalid sign in strategy: "${(factor as any).strategy}"`);
   }
 }
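Review bot: the `default` branch still reads the strategy through `(factor as any).strategy`, which the repository guideline quoted in this thread ("Avoid any type - prefer unknown") discourages; now that `enterprise_sso` is covered, the switch can be made exhaustive instead, e.g. `default: { const _exhaustive: never = factor; throw new Error(...); }`, so the next missing strategy is caught by the compiler rather than as a runtime throw in the verification UI. The new case should also be accompanied by the localization key named below in the same change, since the UI guideline forbids hard-coded strings and a missing key would surface as an untranslated label.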

Note: You'll need to add the corresponding localization key reverification.alternativeMethods.blockButton__enterpriseSSO to the localization resources as well.

🧹 Nitpick comments (4)
packages/clerk-js/src/core/resources/EnterpriseAccount.ts (1)

27-27: Consider adding JSDoc documentation for the new field.

The new lastAuthenticatedAt field is part of the public API but lacks documentation. Adding a JSDoc comment would help developers understand its purpose in the reverification flow.

Example:

+  /**
+   * The date when the user last authenticated with this enterprise account.
+   * Used for session reverification flows.
+   */
   lastAuthenticatedAt: Date | null = null;
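Review bot: the summary in this thread marks `lastAuthenticatedAt` as experimental, so the suggested JSDoc should carry an `@experimental` tag in addition to the description; otherwise the generated type docs promise a stable field that the PR itself labels as subject to change.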

As per coding guidelines.

packages/clerk-js/src/core/resources/SamlAccount.ts (2)

26-26: Consider adding JSDoc documentation for the new field.

The new lastAuthenticatedAt field is part of the public API but lacks documentation. Adding a JSDoc comment would help developers understand its purpose in the reverification flow.

Example:

+  /**
+   * The date when the user last authenticated with this SAML account.
+   * Used for session reverification flows.
+   */
   lastAuthenticatedAt: Date | null = null;
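Review bot: the proposed comment describes a use ("Used for session reverification flows") rather than the value; since the PR description says customer apps read this field to decide when to trigger reverification themselves, the JSDoc should state what the timestamp represents (the last authentication through this SAML connection) and that it is `null` when no such authentication has been recorded, because that is the case a caller must handle before comparing dates.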

As per coding guidelines.


56-57: Deserialization logic is correct; consider removing extra blank line.

The logic correctly converts the Unix timestamp to a Date object and handles the nullable field appropriately. The extra blank line on line 57 could be removed for consistency with the rest of the method.

Apply this diff to remove the extra blank line:

   this.lastAuthenticatedAt = data.last_authenticated_at ? unixEpochToDate(data.last_authenticated_at) : null;
-
   return this;
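Review bot: the conditional `data.last_authenticated_at ? unixEpochToDate(...) : null` uses truthiness, so a value of `0` becomes `null`; harmless for a real timestamp, but it is a different rule from the `?? null` suggested for the backend `SamlAccount` in this same review, and the two packages should agree on how a missing timestamp is represented so a value does not round-trip differently between backend and clerk-js. The blank-line removal itself is fine.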
packages/backend/src/api/resources/SamlAccount.ts (1)

63-63: Simplify redundant ternary operation.

The ternary operation is redundant since data.last_authenticated_at is already typed as number | null in the JSON interface.

Apply this diff to simplify:

-      data.last_authenticated_at ? data.last_authenticated_at : null,
+      data.last_authenticated_at ?? null,
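Review bot: `??` is not a pure simplification: the original ternary maps `0` (and any other falsy number) to `null`, while `?? null` keeps `0`. That is the better behaviour, but the comment should say so rather than call the ternary redundant. The walkthrough in this thread also lists the JSON field as `last_authenticated_at?: number`, i.e. optional, so a form that covers `undefined` as well as `null` is the one to prefer.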

Or even simpler (if the constructor accepts undefined):

-      data.last_authenticated_at ? data.last_authenticated_at : null,
+      data.last_authenticated_at,
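Review bot: passing `data.last_authenticated_at` through unchanged only type-checks if the constructor parameter accepts `undefined`, which the comment itself makes conditional; since the field is declared optional in the walkthrough above, the `?? null` form is the safe choice and this second variant should be dropped from the suggestion to avoid a `number | null | undefined` mismatch at the call site.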
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a66357e and 3890a56.

📒 Files selected for processing (11)
  • .changeset/plenty-shirts-tease.md (1 hunks)
  • packages/backend/src/api/resources/JSON.ts (1 hunks)
  • packages/backend/src/api/resources/SamlAccount.ts (2 hunks)
  • packages/clerk-js/src/core/resources/EnterpriseAccount.ts (3 hunks)
  • packages/clerk-js/src/core/resources/SamlAccount.ts (3 hunks)
  • packages/clerk-js/src/core/resources/Session.ts (2 hunks)
  • packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx (2 hunks)
  • packages/types/src/factors.ts (1 hunks)
  • packages/types/src/json.ts (2 hunks)
  • packages/types/src/session.ts (2 hunks)
  • packages/types/src/sessionVerification.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (10)
packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

  • packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
**/*.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

  • packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

  • packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/plenty-shirts-tease.md
🧬 Code graph analysis (3)
packages/types/src/sessionVerification.ts (1)
packages/types/src/factors.ts (1)
  • EnterpriseSSOFactor (64-74)
packages/clerk-js/src/core/resources/Session.ts (1)
packages/types/src/factors.ts (1)
  • EnterpriseSSOConfig (123-135)
packages/types/src/session.ts (1)
packages/types/src/factors.ts (4)
  • EmailCodeConfig (103-103)
  • PhoneCodeConfig (107-107)
  • PassKeyConfig (110-110)
  • EnterpriseSSOConfig (123-135)
🔇 Additional comments (16)
.changeset/plenty-shirts-tease.md (1)

1-7: LGTM!

The changeset follows the correct format and appropriately documents the introduction of enterprise_sso for session reverification with patch version bumps for the affected packages.

packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx (1)

13-13: LGTM!

The Organization icon import is appropriate for representing enterprise SSO.

packages/types/src/json.ts (2)

255-255: LGTM!

The addition of last_authenticated_at to EnterpriseAccountJSON enables tracking of the last authentication timestamp, which aligns with the PR's goal of supporting manual reverification triggers.


283-283: LGTM!

The addition of last_authenticated_at to SamlAccountJSON is consistent with the EnterpriseAccountJSON change and maintains type consistency across account types.

packages/backend/src/api/resources/JSON.ts (1)

249-249: LGTM!

The addition of last_authenticated_at to SamlAccountJSON is consistent with the types package and enables proper serialization/deserialization of the last authentication timestamp in the backend.

packages/types/src/factors.ts (1)

127-130: LGTM!

The addition of the optional emailAddressId field to EnterpriseSSOConfig is properly marked as experimental and follows the same pattern as the existing enterpriseConnectionId field. This enables passing an email address identifier for enterprise SSO flows.

packages/clerk-js/src/core/resources/Session.ts (2)

9-9: LGTM!

The import of EnterpriseSSOConfig is correctly added to support the new enterprise SSO first-factor verification flow.


183-190: enterprise_sso preparation is correct; no attempt step is needed
Verify that session flows (and the UI) never invoke attemptFirstFactorVerification for enterprise_sso, as that method currently only handles passkey.

packages/types/src/session.ts (2)

5-5: LGTM!

The import of EnterpriseSSOConfig is necessary to extend the SessionVerifyPrepareFirstFactorParams type.


355-359: LGTM!

The extension of SessionVerifyPrepareFirstFactorParams to include EnterpriseSSOConfig properly enables enterprise SSO as a valid first-factor option in session verification flows. This change is consistent with the implementation in Session.ts and other type definitions.

packages/types/src/sessionVerification.ts (2)

4-4: LGTM!

The import of EnterpriseSSOFactor is necessary to extend the SessionVerificationFirstFactor union type.


53-58: LGTM!

The extension of SessionVerificationFirstFactor to include EnterpriseSSOFactor completes the type system integration for enterprise SSO as a first-factor verification option. This change is consistent with the broader PR updates across types, session handling, and UI components.

packages/clerk-js/src/core/resources/EnterpriseAccount.ts (2)

50-50: LGTM!

The deserialization logic correctly converts the Unix timestamp to a Date object and handles the nullable field appropriately.


76-76: LGTM!

The serialization logic correctly converts the Date object back to a Unix timestamp and handles the nullable field appropriately.

packages/clerk-js/src/core/resources/SamlAccount.ts (1)

73-73: LGTM!

The serialization logic correctly converts the Date object back to a Unix timestamp and handles the nullable field appropriately.

packages/backend/src/api/resources/SamlAccount.ts (1)

46-50: LGTM!

The constructor parameter and JSDoc documentation are well-defined and follow the established pattern in the class.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a958ac1 and 7f6815f.

📒 Files selected for processing (3)
  • .changeset/plenty-shirts-tease.md (1 hunks)
  • .changeset/thick-jokes-talk.md (1 hunks)
  • packages/backend/src/api/resources/SamlAccount.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .changeset/plenty-shirts-tease.md
🧰 Additional context used
📓 Path-based instructions (7)
.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/thick-jokes-talk.md
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/backend/src/api/resources/SamlAccount.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/backend/src/api/resources/SamlAccount.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/backend/src/api/resources/SamlAccount.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/backend/src/api/resources/SamlAccount.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/backend/src/api/resources/SamlAccount.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/backend/src/api/resources/SamlAccount.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: Build Packages
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (2)
packages/backend/src/api/resources/SamlAccount.ts (2)

46-49: LGTM! Field and documentation are correctly implemented.

The new lastAuthenticatedAt field follows class conventions with proper TypeScript typing, JSDoc documentation, and readonly modifier.


63-63: Past review concern has been correctly addressed.

The nullish coalescing operator (??) is now used instead of a truthy check, which correctly preserves a timestamp value of 0 (Unix epoch) rather than coercing it to null.
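As an added illustration in TypeScript (not Clerk's code) of the `??`-versus-truthy point made in the review, and of how a customer application might consume `lastAuthenticatedAt` to decide when to trigger the manual reverification the PR describes; the JSON shape (`SamlAccountJSON`), the sample record, the explicit unit parameter and the `needsReverification` policy are assumptions:

```typescript
// Added example, not Clerk's code: models the last_authenticated_at handling
// discussed in the review (nullish vs truthy check, timestamp -> Date) and a
// caller-side reverification decision. JSON shape, unit and threshold are
// assumptions.

/** Assumed subset of the SAML account JSON returned by the API. */
export interface SamlAccountJSON {
  id: string;
  last_authenticated_at: number | null;
}

/** The review thread does not agree on the unit, so callers must pin it. */
export type TimestampUnit = 'seconds' | 'milliseconds';

/** Constructed sample: last authentication exactly at the Unix epoch (0). */
export const SAMPLE_ACCOUNT: SamlAccountJSON = { id: 'saa_example', last_authenticated_at: 0 };

/** Correct: `??` substitutes null only for null/undefined, so 0 survives. */
export function readLastAuthenticatedAt(json: SamlAccountJSON): number | null {
  return json.last_authenticated_at ?? null;
}

/** The pre-fix pattern the review flagged: `||` treats 0 as falsy and drops it. */
export function readLastAuthenticatedAtTruthy(json: SamlAccountJSON): number | null {
  return json.last_authenticated_at || null;
}

/** Convert the raw value to a Date, with the unit stated explicitly. */
export function toDate(ts: number | null, unit: TimestampUnit): Date | null {
  if (ts === null) return null;
  return new Date(unit === 'seconds' ? ts * 1000 : ts);
}

/**
 * Fail-closed policy: an unknown (null) last authentication, or one older
 * than maxAgeMs, means the app should trigger session reverification.
 */
export function needsReverification(lastAuthenticatedAt: Date | null, now: Date, maxAgeMs: number): boolean {
  if (lastAuthenticatedAt === null) return true;
  return now.getTime() - lastAuthenticatedAt.getTime() > maxAgeMs;
}
```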

'@clerk/types': patch
---

- Add `last_authenticated_at` to `SAMLAccount` resource, which represents the date when the SAML account was last authenticated

⚠️ Potential issue | 🟡 Minor

Fix casing inconsistency in resource name.

The description uses SAMLAccount, but the actual class name is SamlAccount (PascalCase with mixed case). Additionally, while "represents the date" is technically correct, consider clarifying that it's a Unix timestamp for precision.

Apply this diff:

-- Add `last_authenticated_at` to `SAMLAccount` resource, which represents the date when the SAML account was last authenticated
+- Add `last_authenticated_at` to `SamlAccount` resource, which represents the Unix timestamp when the SAML account was last authenticated
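Review bot: the replacement line changes "the date" to "the Unix timestamp", but this changeset is for `@clerk/types` (see the `'@clerk/types': patch` entry above), and the review elsewhere notes that the clerk-js `EnterpriseAccount.ts` and `SamlAccount.ts` resources convert the value to a `Date` object. Before adopting the wording, confirm whether the property this changeset describes is the raw JSON timestamp or the `Date`-valued resource property, and describe that type; the casing fix to `SamlAccount` stands either way.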
🤖 Prompt for AI Agents
In .changeset/thick-jokes-talk.md around line 6, fix the casing and clarity:
replace the reference to `SAMLAccount` with the actual class name `SamlAccount`
and update the description to state that `last_authenticated_at` is a Unix
timestamp (e.g., seconds since epoch) representing when the SamlAccount was last
authenticated.


@NicolasLopes7 NicolasLopes7 left a comment


Just removing the action_complete_redirect_url

@LauraBeatris LauraBeatris force-pushed the laura/reverification-with-enterprise-sso branch from 3606123 to 6f52496 on October 10, 2025 18:24

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
packages/backend/src/api/resources/SamlAccount.ts (1)

46-49: LGTM! The nullish coalescing fix correctly handles timestamp 0.

The implementation properly preserves 0 as a valid Unix epoch timestamp and correctly maps the JSON field to the constructor parameter.


Optional: Clarify JSDoc for timestamp format and null semantics.

Consider specifying whether lastAuthenticatedAt is in seconds or milliseconds, and what null represents (e.g., never authenticated, unknown, etc.).

Example:

 /**
- * The date when the SAML account was last authenticated.
+ * Unix timestamp (in milliseconds) of the last successful authentication, or `null` if never authenticated.
  */
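Review bot: the suggested JSDoc on the `+` line pins the unit as "in milliseconds", while the AI-agent prompt earlier in this thread describes the same field as "seconds since epoch"; the two suggestions contradict each other. Verify the unit against the actual API response before committing either wording, and state the verified unit in the JSDoc together with the `null` semantics, since a seconds/milliseconds mismatch would make any age-based reverification check built on `lastAuthenticatedAt` off by a factor of 1000.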

Also applies to: 63-63

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7f6815f and 82711af.

📒 Files selected for processing (12)
  • .changeset/plenty-shirts-tease.md (1 hunks)
  • .changeset/thick-jokes-talk.md (1 hunks)
  • packages/backend/src/api/resources/JSON.ts (1 hunks)
  • packages/backend/src/api/resources/SamlAccount.ts (2 hunks)
  • packages/clerk-js/src/core/resources/EnterpriseAccount.ts (3 hunks)
  • packages/clerk-js/src/core/resources/SamlAccount.ts (3 hunks)
  • packages/clerk-js/src/core/resources/Session.ts (2 hunks)
  • packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx (2 hunks)
  • packages/types/src/factors.ts (1 hunks)
  • packages/types/src/json.ts (2 hunks)
  • packages/types/src/session.ts (2 hunks)
  • packages/types/src/sessionVerification.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (8)
  • packages/types/src/json.ts
  • .changeset/plenty-shirts-tease.md
  • packages/types/src/factors.ts
  • packages/clerk-js/src/core/resources/SamlAccount.ts
  • packages/backend/src/api/resources/JSON.ts
  • packages/clerk-js/src/core/resources/EnterpriseAccount.ts
  • .changeset/thick-jokes-talk.md
  • packages/clerk-js/src/ui/components/UserVerification/AlternativeMethods.tsx
🧬 Code graph analysis (3)
packages/types/src/sessionVerification.ts (1)
packages/types/src/factors.ts (5)
  • EmailCodeFactor (19-24)
  • PhoneCodeFactor (33-40)
  • PasswordFactor (48-50)
  • PasskeyFactor (52-54)
  • EnterpriseSSOFactor (64-74)
packages/types/src/session.ts (1)
packages/types/src/factors.ts (4)
  • EmailCodeConfig (103-103)
  • PhoneCodeConfig (107-107)
  • PassKeyConfig (110-110)
  • EnterpriseSSOConfig (123-135)
packages/clerk-js/src/core/resources/Session.ts (1)
packages/types/src/factors.ts (1)
  • EnterpriseSSOConfig (123-135)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Build Packages
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (1)
packages/clerk-js/src/core/resources/Session.ts (1)

183-189: LGTM! Implementation aligns with the intended enterprise SSO factor.

The configuration correctly constructs the enterprise SSO config with the necessary fields (emailAddressId, enterpriseConnectionId, redirectUrl) while appropriately omitting actionCompleteRedirectUrl. This implementation will work correctly once the property name in the type definition is fixed (see comment on packages/types/src/session.ts).

@LauraBeatris LauraBeatris merged commit 22b8e49 into main Oct 10, 2025
41 checks passed
@LauraBeatris LauraBeatris deleted the laura/reverification-with-enterprise-sso branch October 10, 2025 19:40