fix(clerk-js): Client trust msg only displayed if no 2FA opts are available

[tmilewski]

Description

This helps to ensure that the messaging of "You're signing in from a new device. We're asking for verification to keep your account secure." is ONLY displayed on new devices WITHOUT any currently enabled 2FA.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes
  • Enhanced the sign-in experience by refining the conditions for displaying client trust and new device verification notices, ensuring these security messages appear only when no two-factor authentication options are configured for the user, delivering more precise and contextually relevant security guidance.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 42254b9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Nov 25, 2025 9:13pm

[coderabbitai]

Walkthrough

This PR adds a changeset entry for a patch release of @clerk/clerk-js and modifies the SignInFactorTwoCodeForm component to display client trust messaging only when no 2FA options are available. Legacy feature flag logic is replaced with environment-based state computation.

Changes

Cohort / File(s)	Summary
Changeset Documentation .changeset/plenty-lights-eat.md	New changeset entry documenting patch release and UI behavior change for client trust messaging display conditions.
SignIn Component Logic packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx	Added useMemo and useEnvironment imports; removed legacy isNewDevice function; introduced showNewDeviceVerificationNotice computed state to conditionally display client trust messaging based on clientTrustState and absence of second-factor attributes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify the new conditional logic in showNewDeviceVerificationNotice correctly checks for no 2FA options
• Ensure the useMemo dependency array is complete and appropriate
• Confirm removal of isNewDevice doesn't break any other references in the codebase

Poem

🐰 Trust messages now align with fate,
Only showing when 2FA's late,
Legacy flags hop away in the night,
Memoized logic keeps the UI right!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change: fixing how the client trust message is displayed, specifically that it should only appear when no 2FA options are available.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch tom/user-4086-client-trust-messaging-displaying-more-than-necessary

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.changeset/plenty-lights-eat.md (1)

1-5: Clarify whether “no 2FA options are available” is environment‑ or user‑level

The description is accurate at a high level, but “no 2FA options are available” can be read as “the user has not enabled any 2FA,” while the implementation in SignInFactorTwoCodeForm appears to gate on environment configuration (env.userSettings.attributes), not per‑user factor state.

If the intent is “no second‑factor methods are configured for this instance,” consider tightening the phrasing (e.g., “no 2FA methods are configured in this instance”) to avoid ambiguity between environment vs. user settings.

packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx (1)

38-55: Verify that the new “no 2FA options” check covers all second‑factor types (including non‑attribute factors)

The new showNewDeviceVerificationNotice logic:

const showNewDeviceVerificationNotice = useMemo(() => {
  const anyAttributeUsedForSecondFactor = Object.values(env.userSettings.attributes).some(
    attr => attr.used_for_second_factor,
  );
  return signIn.clientTrustState === 'new' && !anyAttributeUsedForSecondFactor;
}, [signIn.clientTrustState, env.userSettings.attributes]);

and its use in:

cardNotice={
  showNewDeviceVerificationNotice
    ? localizationKeys('signIn.newDeviceVerificationNotice')
    : undefined
}

does a good job of restricting the notice to new devices and gating it behind the absence of any attributes marked used_for_second_factor.

Two things to double‑check against the actual env/sign‑in models:

1. Coverage of all 2FA mechanisms
   If there are non‑attribute second‑factor types (e.g., TOTP or similar) that aren’t represented under env.userSettings.attributes with used_for_second_factor, this condition may still show the “new device verification” notice even when such factors are configured and in use. If the product intent is “suppress this notice whenever any 2FA mechanism is configured,” you may need to also factor in the corresponding environment or sign‑in flags for those mechanisms.

2. Env availability assumptions
   This code assumes env.userSettings.attributes is always defined by the time SignInFactorTwoCodeForm renders. If there’s any loading state where env or userSettings could be undefined/null, adding a defensive default (e.g., empty object) or using optional chaining would avoid a possible runtime error when Object.values is called.

If both of the above are guaranteed by the surrounding system (i.e., all 2FA methods are expressed via attributes.used_for_second_factor and env is fully hydrated here), then the implementation aligns with the PR objective and looks good.

Also applies to: 118-118

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a3e14b1 and 42254b9.

📒 Files selected for processing (2)

• .changeset/plenty-lights-eat.md (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx (4 hunks)

🧰 Additional context used

📓 Path-based instructions (11)

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should be written in camelCase
Use useCardState for card-level state management
Use useFormState for form-level state management
Use useLoadingStatus for managing loading states
Use useFormControl hook for form field state management with validation and localization support
All rendered values must be localized using useLocalizations hook - hard coded values are not allowed
Use localizationKeys for translating UI text with support for parameters and error messages
Use handleError utility for API error handling and provide field states for proper error mapping
Use the styled system sx prop with theme tokens for custom styling instead of inline styles
Use the Card component pattern with Card.Root, Card.Header, Card.Title, Card.Content, and Card.Footer for consistent card layouts
Use FormContainer with headerTitle and headerSubtitle localization keys combined with Form.Root and FormButtons for consistent form layouts
When form submission occurs, manage loading and error states by calling status.setLoading(), card.setLoading(), and card.setError() appropriately

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Prefer importing types from @clerk/shared/types instead of the deprecated @clerk/types alias

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.tsx: Use error boundaries in React components
Minimize re-renders in React components

**/*.tsx: Use proper type definitions for props and state in React components
Leverage TypeScript's type inference where possible in React components
Use proper event types for handlers in React components
Implement proper generic types for reusable React components
Use proper type guards for conditional rendering in React components

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.{md,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Update documentation for API changes

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components (e.g., UserProfile, NavigationMenu)
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Separate UI components from business logic components
Use useState for simple state management in React components
Use useReducer for complex state logic in React components
Implement proper state initialization in React components
Use proper state updates with callbacks in React components
Implement proper state cleanup in React components
Use Context API for theme/authentication state management
Implement proper state persistence in React applications
Use React.memo for expensive components
Implement proper useCallback for handlers in React components
Use proper useMemo for expensive computations in React components
Implement proper virtualization for lists in React components
Use proper code splitting with React.lazy in React applications
Implement proper cleanup in useEffect hooks
Use proper refs for DOM access in React components
Implement proper event listener cleanup in React components
Use proper abort controllers for fetch in React components
Implement proper subscription cleanup in React components
Use proper HTML elements for semantic HTML in React components
Implement proper ARIA attributes for accessibility in React components
Use proper heading hierarchy in React components
Implement proper form labels in React components
Use proper button types in React components
Implement proper focus management for keyboard navigation in React components
Use proper keyboard shortcuts in React components
Implement proper tab order in React components
Use proper ...

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/clerk-js/src/ui/components/SignIn/SignInFactorTwoCodeForm.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build Packages
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7313

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7313

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7313

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7313

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7313

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7313

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7313

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7313

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7313

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7313

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7313

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7313

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7313

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7313

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7313

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7313

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7313

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7313

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7313

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7313

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7313

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7313

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7313

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7313

commit: 42254b9