Skip to content

fix(backend): Fix cross-origin handshake bypass#9145

Merged
dominic-clerk merged 3 commits into
mainfrom
dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts
Jul 18, 2026
Merged

fix(backend): Fix cross-origin handshake bypass#9145
dominic-clerk merged 3 commits into
mainfrom
dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts

Conversation

@dominic-clerk

@dominic-clerk dominic-clerk commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Description

Fix a cross-origin handshake bypass where isKnownClerkReferrer() trusted overly broad referrer hosts as Clerk-owned: any accounts.* host (e.g. accounts.attacker.com), plus dev account-portal domains (*.accounts.dev and legacy suffixes) on production instances. These let unrelated origins skip the handshake and its session-freshness check. The referrer is now trusted only for the accounts portal derived from the instance's frontend API, plus dev account-portal domains on non-production instances.

Fixes SDK-143

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jul 17, 2026 10:57pm
swingset Ready Ready Preview, Comment Jul 17, 2026 10:57pm

Request Review

Fix a cross-origin handshake bypass where `isKnownClerkReferrer()`
trusted overly broad referrer hosts as Clerk-owned: any `accounts.*`
host (e.g. `accounts.attacker.com`), plus dev account-portal domains
(`*.accounts.dev` and legacy suffixes) on production instances. These
let unrelated origins skip the handshake and its session-freshness check.
The referrer is now trusted only for the accounts portal derived from
the instance's frontend API, plus dev account-portal domains on
non-production instances.
@dominic-clerk
dominic-clerk force-pushed the dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts branch from db0893d to 67c3fdc Compare July 13, 2026 14:11
@dominic-clerk dominic-clerk changed the title fix(backend): Fix cross-origin handshakre bypass fix(backend): Fix cross-origin handshake bypass Jul 13, 2026
@changeset-bot

changeset-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 0cd1824

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@clerk/backend Minor
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new

pkg-pr-new Bot commented Jul 13, 2026

Copy link
Copy Markdown

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9145

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9145

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9145

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9145

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9145

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9145

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9145

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9145

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9145

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9145

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9145

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9145

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9145

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9145

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9145

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9145

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9145

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9145

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9145

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9145

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9145

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9145

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9145

commit: 0cd1824

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

API Changes Report

Generated by Break Check on 2026-07-17T22:58:31.902Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 0
🔴 Breaking changes 0
🟡 Non-breaking changes 0
🟢 Additions 0

No API Changes Detected

All packages have stable APIs with no detected changes.


Report generated by Break Check

Last ran on 0cd1824.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: cf939caa-c68e-48a1-ac14-cc89d6e1c727

📥 Commits

Reviewing files that changed from the base of the PR and between 9bee8e1 and 0cd1824.

📒 Files selected for processing (1)
  • packages/backend/src/tokens/__tests__/request.test.ts
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • clerk/clerk_go (manual)
  • clerk/dashboard (manual)
  • clerk/accounts (manual)
  • clerk/backoffice (manual)
  • clerk/clerk (manual)
  • clerk/clerk-docs (manual)
  • clerk/cloudflare-workers (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/backend/src/tokens/tests/request.test.ts

📝 Walkthrough

Walkthrough

The backend now restricts trusted Clerk referrers to instance-derived accounts portals, permits development portals only for non-production instances, and expands cross-origin handshake tests for unrelated and production referrers.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested reviewers: wobsoriano

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: fixing a backend cross-origin handshake bypass.
Description check ✅ Passed The description matches the changeset and explains the handshake bypass fix and its scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

});
});

test('does not trigger handshake when referer is from production accounts portal', async () => {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We revert the logic of this test because it tested that example.com's account portal wouldn't trigger a handshake on another (primary.com's) instance.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
packages/backend/src/tokens/__tests__/request.test.ts (1)

2091-2139: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Weak assertion in the new "does not trigger handshake" tests.

Both new tests only assert requestState.reason is not PrimaryDomainCrossOriginSync. This doesn't confirm the request actually reached a signed-in state — a regression producing some other error/reason would still pass. Consider asserting the actual expected signed-in shape (e.g. status/isSignedIn), similar to how the sibling "triggers" tests use the full toMatchHandshake matcher.

As per coding guidelines: "Unit tests are required for all new functionality... Verify proper error handling and edge cases."

✅ Example strengthened assertion
-      expect(requestState.reason).not.toBe(AuthErrorReason.PrimaryDomainCrossOriginSync);
+      expect(requestState.reason).not.toBe(AuthErrorReason.PrimaryDomainCrossOriginSync);
+      expect(requestState.status).toBe(AuthStatus.SignedIn);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/tokens/__tests__/request.test.ts` around lines 2091 -
2139, Strengthen both dev accounts portal tests around authenticateRequest by
asserting the complete expected signed-in request state, using the existing
toMatchHandshake matcher or the established status/isSignedIn assertions from
sibling tests. Keep the checks for both current and legacy referer formats, and
ensure each test verifies successful authentication rather than only excluding
PrimaryDomainCrossOriginSync.

Source: Coding guidelines

packages/backend/src/tokens/authenticateContext.ts (1)

218-224: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

JSDoc no longer matches the tightened trust behavior.

The doc comment still says referrer trust "includes both development and production account portal domains" unconditionally, but the implementation below now only trusts dev account-portal domains when instanceType !== 'production', and no longer trusts any accounts.* host. If this method's JSDoc is surfaced in generated reference docs, it should be updated to reflect the new production/non-production distinction; if AuthenticateContext is purely internal, this may not apply — could you confirm which is the case?

As per path instructions: "If a PR adds or changes public/reference-facing API surface area, check whether the corresponding JSDoc is present, accurate, and aligned with the implementation... When unsure whether a symbol is public/reference-facing, ask for clarification instead of asserting that documentation is required."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/tokens/authenticateContext.ts` around lines 218 - 224,
Confirm whether the referrer-validation method on AuthenticateContext is
public/reference-facing; if so, update its JSDoc to state that only
non-production instances trust development account-portal domains, production
instances do not trust them, and FAPI domains remain supported. If
AuthenticateContext is internal, leave the documentation unchanged.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/backend/src/tokens/__tests__/request.test.ts`:
- Around line 2091-2139: Strengthen both dev accounts portal tests around
authenticateRequest by asserting the complete expected signed-in request state,
using the existing toMatchHandshake matcher or the established status/isSignedIn
assertions from sibling tests. Keep the checks for both current and legacy
referer formats, and ensure each test verifies successful authentication rather
than only excluding PrimaryDomainCrossOriginSync.

In `@packages/backend/src/tokens/authenticateContext.ts`:
- Around line 218-224: Confirm whether the referrer-validation method on
AuthenticateContext is public/reference-facing; if so, update its JSDoc to state
that only non-production instances trust development account-portal domains,
production instances do not trust them, and FAPI domains remain supported. If
AuthenticateContext is internal, leave the documentation unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 3656d6fa-398a-4d3b-9669-6c3884df8c9c

📥 Commits

Reviewing files that changed from the base of the PR and between d8fc1d7 and 67c3fdc.

📒 Files selected for processing (3)
  • .changeset/khaki-chairs-kiss.md
  • packages/backend/src/tokens/__tests__/request.test.ts
  • packages/backend/src/tokens/authenticateContext.ts

@wobsoriano wobsoriano left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had to rebase because break check somehow reports a breaking change, even when there's none

👍🏼

@dominic-clerk
dominic-clerk merged commit ff5d991 into main Jul 18, 2026
53 checks passed
@dominic-clerk
dominic-clerk deleted the dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts branch July 18, 2026 01:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants