refactor(nextjs): factor runHandlerWithRequestState out of baseNextMiddleware#8368
Merged
jacekradko merged 4 commits intomainfrom Apr 22, 2026
Merged
refactor(nextjs): factor runHandlerWithRequestState out of baseNextMiddleware#8368jacekradko merged 4 commits intomainfrom
jacekradko merged 4 commits intomainfrom
Conversation
…ddleware Extracts the post-authentication pipeline (handler invocation, CSP, redirects, response decoration) into a private helper. Also adds createBootstrapSignedOutState to @clerk/backend/internal for synthesizing a signed-out RequestState without a publishable key — intended for framework integrations that must run authorization logic before real Clerk keys are available (e.g. the Next.js keyless bootstrap window). Pure refactor — no behavioral change.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🦋 Changeset detectedLatest commit: 2d6d771 The changes in this PR will be included in the next version bump. This PR includes changesets to release 10 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughAdds a new internal helper Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Comment |
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
commit: |
6 tasks
wobsoriano
approved these changes
Apr 22, 2026
Member
wobsoriano
left a comment
wobsoriano
left a comment
There was a problem hiding this comment.
this looks straightforward and good to me 👍🏼 thanks
The helper hard-coded isSatellite/domain/proxyUrl, which meant a satellite keyless app would lose the __clerk_status=needs-sync marker that createRedirect adds to cross-origin sign-in return URLs. Accept them as optional params so callers can forward their resolved middleware options.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Starting work on fixing the issue with keyless mode skipping middleware auth checks.
Groundwork for SDK-70. Pure refactor — no behavioral change.
@clerk/backend— exports a newcreateBootstrapSignedOutStatehelper from@clerk/backend/internal. Returns a syntheticUnauthenticatedState<'session_token'>without requiring a publishable key or anAuthenticateContext. Intended for framework integrations that need to run authorization logic before real Clerk keys are available (e.g. the Next.js keyless bootstrap window).@clerk/nextjs— factors the post-authentication pipeline insidebaseNextMiddleware(handler invocation, CSP, redirects, response decoration) into a privaterunHandlerWithRequestStatehelper. TheauthenticateRequestcall and subsequent pipeline now live in a single, testable unit, making it possible for a follow-up to feed a synthesizedRequestStateinto the same pipeline when there's no real publishable key yet.Why split this PR?
The follow-up (SDK-70 proper) will flip
keylessMiddleware's no-key branch to synthesize a signed-out state and run the user's middleware handler, closing a middleware-bypass window during the keyless bootstrap. That change is small on its own — most of the work is the plumbing to route a non-authenticateRequest-producedRequestStatethrough the same post-auth pipeline. Landing the plumbing first keeps the behavioral change's diff small and reviewable.Test plan
pnpm turbo build --filter=@clerk/backend --filter=@clerk/nextjspassespnpm --filter=@clerk/backend test— 1186/1186 pass (includes the updatedexports.test.tssnapshot)pnpm --filter=@clerk/nextjs test— 369 pass / 50 fail; all 50 failures are a pre-existingAbortSignal/createClerkRequesttest-env issue that reproduces identically onmain(unrelated to this refactor)baseNextMiddlewarewere preserved)