Skip to content

fix(backend): Fix cross-origin handshake bypass#9145

Open
dominic-clerk wants to merge 2 commits into
mainfrom
dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts
Open

fix(backend): Fix cross-origin handshake bypass#9145
dominic-clerk wants to merge 2 commits into
mainfrom
dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts

Conversation

@dominic-clerk

@dominic-clerk dominic-clerk commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Description

Fix a cross-origin handshake bypass where isKnownClerkReferrer() trusted overly broad referrer hosts as Clerk-owned: any accounts.* host (e.g. accounts.attacker.com), plus dev account-portal domains (*.accounts.dev and legacy suffixes) on production instances. These let unrelated origins skip the handshake and its session-freshness check. The referrer is now trusted only for the accounts portal derived from the instance's frontend API, plus dev account-portal domains on non-production instances.

Fixes SDK-143

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened cross-origin authentication checks to prevent untrusted accounts.* referrers from bypassing the handshake and session freshness validation.
    • Restricted trusted production account-portal referrers to the instance’s configured portal origin derived from its frontend API.
    • Improved handling of development account-portal referrers so they no longer trigger cross-origin handshake on non-production instances, while still triggering it on production instances.

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jul 13, 2026 2:48pm
swingset Ready Ready Preview, Comment Jul 13, 2026 2:48pm

Request Review

Fix a cross-origin handshake bypass where `isKnownClerkReferrer()`
trusted overly broad referrer hosts as Clerk-owned: any `accounts.*`
host (e.g. `accounts.attacker.com`), plus dev account-portal domains
(`*.accounts.dev` and legacy suffixes) on production instances. These
let unrelated origins skip the handshake and its session-freshness check.
The referrer is now trusted only for the accounts portal derived from
the instance's frontend API, plus dev account-portal domains on
non-production instances.
@dominic-clerk dominic-clerk force-pushed the dominic/sec-322-cross-origin-handshake-bypass-via-overly-broad-accounts branch from db0893d to 67c3fdc Compare July 13, 2026 14:11
@dominic-clerk dominic-clerk changed the title fix(backend): Fix cross-origin handshakre bypass fix(backend): Fix cross-origin handshake bypass Jul 13, 2026
@changeset-bot

changeset-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 9bee8e1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@clerk/backend Minor
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new

pkg-pr-new Bot commented Jul 13, 2026

Copy link
Copy Markdown

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9145

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9145

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9145

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9145

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9145

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9145

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9145

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9145

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9145

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9145

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9145

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9145

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9145

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9145

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9145

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9145

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9145

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9145

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9145

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9145

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9145

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9145

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9145

commit: 9bee8e1

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

API Changes Report

Generated by Break Check on 2026-07-13T14:49:35.763Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 1
🔴 Breaking changes 1
🟡 Non-breaking changes 0
🟢 Additions 0

Warning
1 breaking change(s) detected - Major version bump required

🤖 This report was reviewed by claude-sonnet-4-6.

🔴 Breaking changes index (1)

Every breaking change, up front. Full diffs are in the package sections below.

Package Subpath Change
@clerk/shared ./utils timeLimit

@clerk/shared

Current version: 4.25.2
Recommended bump: MAJOR → 5.0.0

Subpath ./utils

🔴 Breaking Changes (1)

Changed: timeLimit
- declare function timeLimit<T>(value: T | PromiseLike<T>, ms: number, abortController?: Pick<AbortController, 'abort'>): Promise<T>;

Static analyzer: Removed function timeLimit

🤖 AI review (confirmed) (99%): The timeLimit function was removed entirely from the public API; any consumer calling it will fail to compile.

Migration: Remove all calls to timeLimit or vendor the implementation locally in your codebase.


Report generated by Break Check

Last ran on 9bee8e1.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The backend now restricts trusted Clerk referrers to instance-derived accounts portals, permits development portals only for non-production instances, and expands cross-origin handshake tests for unrelated and production referrers.

Changes

Cross-origin referrer trust

Layer / File(s) Summary
Restrict trusted referrer origins
packages/backend/src/tokens/authenticateContext.ts
Development account portals are trusted only on non-production instances; generic accounts.* production hosts are no longer accepted.
Validate handshake scenarios
packages/backend/src/tokens/__tests__/request.test.ts, .changeset/khaki-chairs-kiss.md
Tests cover unrelated, current, and legacy account-portal referrers across development and production instances, with a minor backend release changeset.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant authenticateRequest
  participant AuthenticateContext
  participant PrimaryDomainCrossOriginSync
  authenticateRequest->>AuthenticateContext: Check referrer origin
  AuthenticateContext-->>authenticateRequest: Return trusted or untrusted
  authenticateRequest->>PrimaryDomainCrossOriginSync: Start handshake for untrusted referrer
Loading

Poem

I’m a rabbit guarding the portal gate,
“Only known hosts may pass,” I state.
Dev paths hop where devs belong,
Production strangers get a handshake song.
Safer referrers, carrots in flight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main backend security fix in the changeset.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Comment @coderabbitai help to get the list of available commands.

});
});

test('does not trigger handshake when referer is from production accounts portal', async () => {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We revert the logic of this test because it tested that example.com's account portal wouldn't trigger a handshake on another (primary.com's) instance.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
packages/backend/src/tokens/__tests__/request.test.ts (1)

2091-2139: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Weak assertion in the new "does not trigger handshake" tests.

Both new tests only assert requestState.reason is not PrimaryDomainCrossOriginSync. This doesn't confirm the request actually reached a signed-in state — a regression producing some other error/reason would still pass. Consider asserting the actual expected signed-in shape (e.g. status/isSignedIn), similar to how the sibling "triggers" tests use the full toMatchHandshake matcher.

As per coding guidelines: "Unit tests are required for all new functionality... Verify proper error handling and edge cases."

✅ Example strengthened assertion
-      expect(requestState.reason).not.toBe(AuthErrorReason.PrimaryDomainCrossOriginSync);
+      expect(requestState.reason).not.toBe(AuthErrorReason.PrimaryDomainCrossOriginSync);
+      expect(requestState.status).toBe(AuthStatus.SignedIn);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/tokens/__tests__/request.test.ts` around lines 2091 -
2139, Strengthen both dev accounts portal tests around authenticateRequest by
asserting the complete expected signed-in request state, using the existing
toMatchHandshake matcher or the established status/isSignedIn assertions from
sibling tests. Keep the checks for both current and legacy referer formats, and
ensure each test verifies successful authentication rather than only excluding
PrimaryDomainCrossOriginSync.

Source: Coding guidelines

packages/backend/src/tokens/authenticateContext.ts (1)

218-224: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

JSDoc no longer matches the tightened trust behavior.

The doc comment still says referrer trust "includes both development and production account portal domains" unconditionally, but the implementation below now only trusts dev account-portal domains when instanceType !== 'production', and no longer trusts any accounts.* host. If this method's JSDoc is surfaced in generated reference docs, it should be updated to reflect the new production/non-production distinction; if AuthenticateContext is purely internal, this may not apply — could you confirm which is the case?

As per path instructions: "If a PR adds or changes public/reference-facing API surface area, check whether the corresponding JSDoc is present, accurate, and aligned with the implementation... When unsure whether a symbol is public/reference-facing, ask for clarification instead of asserting that documentation is required."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/tokens/authenticateContext.ts` around lines 218 - 224,
Confirm whether the referrer-validation method on AuthenticateContext is
public/reference-facing; if so, update its JSDoc to state that only
non-production instances trust development account-portal domains, production
instances do not trust them, and FAPI domains remain supported. If
AuthenticateContext is internal, leave the documentation unchanged.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/backend/src/tokens/__tests__/request.test.ts`:
- Around line 2091-2139: Strengthen both dev accounts portal tests around
authenticateRequest by asserting the complete expected signed-in request state,
using the existing toMatchHandshake matcher or the established status/isSignedIn
assertions from sibling tests. Keep the checks for both current and legacy
referer formats, and ensure each test verifies successful authentication rather
than only excluding PrimaryDomainCrossOriginSync.

In `@packages/backend/src/tokens/authenticateContext.ts`:
- Around line 218-224: Confirm whether the referrer-validation method on
AuthenticateContext is public/reference-facing; if so, update its JSDoc to state
that only non-production instances trust development account-portal domains,
production instances do not trust them, and FAPI domains remain supported. If
AuthenticateContext is internal, leave the documentation unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 3656d6fa-398a-4d3b-9669-6c3884df8c9c

📥 Commits

Reviewing files that changed from the base of the PR and between d8fc1d7 and 67c3fdc.

📒 Files selected for processing (3)
  • .changeset/khaki-chairs-kiss.md
  • packages/backend/src/tokens/__tests__/request.test.ts
  • packages/backend/src/tokens/authenticateContext.ts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant