Skip to content

fix(clerk-js): Remove condition to always send redirect_url for SSO with after-auth #6498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(clerk-js): Remove condition to always send redirect_url for SSO with after-auth #6498

wants to merge 2 commits into from

Conversation

LauraBeatris
Copy link
Member

@LauraBeatris LauraBeatris commented Aug 9, 2025
edited by coderabbitai bot
Loading

Description

Context

This was previously introduced for FAPI to avoid redirecting to, for example, /dashboard, if the sign-in/sign-up was complete but with a pending session.

The problem is that the SDK couldn't know ahead of time if the session created by sign-in/sign-up would be pending, and it was navigating to /sso-callback for all sign-ins/sign-ups, even when the task was already satisfied.

What's the fix now

We're removing this condition, and thinking whether is worth moving the logic to FAPI: https://github.com/clerk/clerk_go/pull/13037

For SPAs, as long as their apps are protected with SignedIn or SignedOut on private routes, or for server-side protections like auth.protect, it should also handle the case where FAPI redirects to redirect_url_complete while the PR above isn't merged.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

Summary by CodeRabbit

  • Bug Fixes
    • Improved redirect URL handling during single sign-on (SSO) flows after authentication, ensuring more consistent and predictable redirection behavior for users.
    • Enhanced test cleanup by fully removing test user records from both the OAuth provider and the app after test completion.

@LauraBeatris LauraBeatris self-assigned this Aug 9, 2025
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 9, 2025
edited
Loading

🦋 Changeset detected

Latest commit: d336777

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel Vercel
Copy link

vercel bot commented Aug 9, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
clerk-js-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 10, 2025 3:13pm

@LauraBeatris LauraBeatris requested a review from a team August 9, 2025 01:00
@LauraBeatris LauraBeatris marked this pull request as ready for review August 9, 2025 01:04
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 21b4f5e to 5657b07 Compare August 9, 2025 01:04
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 9, 2025
edited
Loading

📝 Walkthrough

Walkthrough

The changes update the redirect URL handling logic for single sign-on (SSO) flows in the @clerk/clerk-js package. Specifically, the logic that previously modified or augmented the redirect_url parameter—by appending an auth token or conditionally using redirect_url_complete—has been removed from both the SignIn and SignUp resource modules. The code now directly passes the original or complete redirect URL without additional processing or conditional logic based on internal flags. Associated utility imports and related comments were also removed. Additionally, the test suite was modified to use two distinct fake users for standard and OAuth sign-up flows, with enhanced cleanup logic that explicitly deletes the OAuth user from both the OAuth provider instance and the app's internal user service after all tests complete.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Note

🔌 MCP (Model Context Protocol) integration is now available in Early Access!

Pro users can now connect to remote MCP servers under the Integrations page to get reviews and chat conversations that understand additional development context.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Aug 9, 2025
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6498

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6498

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6498

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6498

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6498

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6498

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6498

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6498

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6498

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6498

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6498

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6498

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6498

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6498

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6498

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6498

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6498

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6498

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6498

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6498

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6498

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6498

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6498

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6498

commit: 4dfd13b

coderabbitai[bot]
coderabbitai bot reviewed Aug 9, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🔭 Outside diff range comments (1)
.changeset/mighty-ducks-occur.md (1)

6-6: Remove stray character on the last line

There’s a lone "6" on the final line that will end up in release notes and can confuse readers.

Apply this diff:

-6
+
🧹 Nitpick comments (4)
.changeset/mighty-ducks-occur.md (1)

5-5: Optional: tighten up the summary sentence

Add a period and optionally clarify “after-auth flows” to improve the release note readability.

-Remove sending `redirect_url_complete` as `redirect_url` for SSO with after-auth flows
+Remove sending `redirect_url_complete` as `redirect_url` for SSO with after-auth flows.
packages/clerk-js/src/core/resources/SignUp.ts (1)

291-303: Parity check: confirm whether redirectUrl should still include auth token here

SignUp still uses redirectUrlWithAuthToken while SignIn switched to passing raw redirectUrl during the initial create path (but still uses buildUrlWithAuth in prepare-first-factor for SSO). If the intent is to unify semantics across SignIn/SignUp, consider passing the raw redirectUrl here as well. Otherwise, please confirm this difference is intentional.

If alignment is desired, here’s a minimal change:

-    const redirectUrlWithAuthToken = SignUp.clerk.buildUrlWithAuth(redirectUrl);
-
     const authenticateFn = () => {
       const authParams = {
         strategy,
-        redirectUrl: redirectUrlWithAuthToken,
+        redirectUrl,
         actionCompleteRedirectUrl: redirectUrlComplete,
         unsafeMetadata,
         emailAddress,
         legalAccepted,
         oidcPrompt,
       };
       return continueSignUp && this.id ? this.update(authParams) : this.create(authParams);
     };

Also, please add tests to ensure:

  • actionCompleteRedirectUrl is forwarded as redirectUrlComplete.
  • redirectUrl is not replaced with redirect_url_complete.
packages/clerk-js/src/core/resources/SignIn.ts (2)

587-595: Align SignInFuture.sso with the new semantics (optional)

This path still constructs redirectUrlWithAuthToken for the initial create. To avoid divergent behavior between SignIn.authenticateWithRedirectOrPopup and SignInFuture.sso, consider passing the raw redirectUrl and relying on FAPI + prepare flow to handle auth URL construction where needed.

-      const redirectUrlWithAuthToken = SignIn.clerk.buildUrlWithAuth(redirectUrl);
-
       if (!this.resource.id) {
         await this.create({
           strategy,
-          redirectUrl: redirectUrlWithAuthToken,
+          redirectUrl,
           actionCompleteRedirectUrl: redirectUrlComplete,
         });
       }

Please also add/update tests to cover:

  • create receives raw redirectUrl in this path.
  • end-to-end navigation remains correct for SSO via SignInFuture.sso.

282-294: Add tests to lock the new behavior

Please add unit/integration tests verifying:

  • create is invoked with raw redirectUrl and actionCompleteRedirectUrl = redirectUrlComplete.
  • For SSO strategies, prepare-first-factor uses the appropriate URL builder (if still required).
  • The SDK does not navigate to /sso-callback prematurely when the session is not pending.

I can draft the test scaffolding for these flows (mocks for FAPI client + navigation), if helpful.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf284ee and 5657b07.

📒 Files selected for processing (3)
  • .changeset/mighty-ducks-occur.md (1 hunks)
  • packages/clerk-js/src/core/resources/SignIn.ts (1 hunks)
  • packages/clerk-js/src/core/resources/SignUp.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
.changeset/**

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/mighty-ducks-occur.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (22)
  • GitHub Check: Unit Tests (22, **)
  • GitHub Check: Integration Tests (quickstart, chrome)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (elements, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 14)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (expo-web, chrome)
  • GitHub Check: Integration Tests (tanstack-react-router, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
  • GitHub Check: Publish with pkg-pr-new
  • GitHub Check: Static analysis
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (4)
.changeset/mighty-ducks-occur.md (1)

2-5: Changeset entry is appropriate (patch) and message is clear

Patch bump for '@clerk/clerk-js' aligns with the described behavioral change. Looks good.

packages/clerk-js/src/core/resources/SignUp.ts (1)

294-299: Directly using redirectUrlComplete for actionCompleteRedirectUrl is correct

This aligns the responsibility with FAPI and removes the SDK-side conditional. Good step toward simplifying after-auth SSO.

packages/clerk-js/src/core/resources/SignIn.ts (2)

252-261: Good: SDK stops replacing redirect_url and delegates completion to FAPI

Using actionCompleteRedirectUrl = redirectUrlComplete and passing raw redirectUrl during create simplifies the flow and aligns with the stated direction.

264-271: SSO prepare flow: No changes needed to buildUrlWithAuth

We scanned every occurrence of buildUrlWithAuth—it’s applied uniformly across all redirect-based authentication flows (SignIn, SignUp, email-link verification, enterprise SSO/SAML, third-party redirects, popup flows, etc.) to ensure development-mode tokens are bound to those URLs. Removing it here would introduce an inconsistency and break token binding in non-production environments.

• Key usages in SSO prepare flow

  • packages/clerk-js/src/core/resources/SignIn.ts (lines 264–271 and 586–590)
  • packages/clerk-js/src/core/resources/SignUp.ts (lines 291–294)
  • packages/elements/src/internals/machines/third-party/third-party.actors.ts (lines 32–36)
  • packages/utils/authenticateWithPopup.ts (lines 33–39)

All other flows rely on the same augmentation, so we should keep calling buildUrlWithAuth(redirectUrl) here.

@LauraBeatris LauraBeatris mentioned this pull request Aug 9, 2025
Open
9 tasks
coderabbitai[bot]
coderabbitai bot reviewed Aug 10, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
integration/tests/session-tasks-sign-up.test.ts (1)

26-27: Clarifying comment and provider cleanup — LGTM

Good call documenting and keeping the provider-side cleanup explicit. If there’s no ordering dependency with app-side deletion, consider running both deletions concurrently after org cleanup to reduce test duration.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5657b07 and 4dfd13b.

📒 Files selected for processing (1)
  • integration/tests/session-tasks-sign-up.test.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**

📄 CodeRabbit Inference Engine (.cursor/rules/global.mdc)

Framework integration templates and E2E tests should be placed under the integration/ directory

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

End-to-end tests and integration templates must be located in the 'integration/' directory.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*.{test,spec}.{js,ts}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Integration tests should use Playwright.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (tanstack-react-router, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (expo-web, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 14)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (elements, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Unit Tests (22, **)
  • GitHub Check: Publish with pkg-pr-new
  • GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
  • GitHub Check: Static analysis
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: semgrep/ci
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan

@LauraBeatris LauraBeatris marked this pull request as draft August 10, 2025 14:41
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 4dfd13b to 569356b Compare August 10, 2025 15:10
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 569356b to d336777 Compare August 10, 2025 15:12
@LauraBeatris LauraBeatris marked this pull request as ready for review August 10, 2025 17:13
coderabbitai[bot]
coderabbitai bot reviewed Aug 10, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
integration/tests/session-tasks-sign-up.test.ts (1)

32-48: Make teardown unconditional and avoid suite failure on cleanup errors; move user deletions out of afterAll

  • Risk: If any deletion throws, app.teardown() won’t run.
  • Also, combined with beforeEach, this deletes only the last-created users, leaking users from prior tests.

Wrap teardown in finally and remove user deletions from afterAll. We'll handle deletions per test in afterEach (see separate comment).

-    test.afterAll(async () => {
-      const u = createTestUtils({ app });
-      await u.services.organizations.deleteAll();
-      await regularFakeUser.deleteIfExists();
-
-      // Delete user from OAuth provider instance
-      const client = createClerkClient({
-        secretKey: instanceKeys.get('oauth-provider').sk,
-        publishableKey: instanceKeys.get('oauth-provider').pk,
-      });
-      const users = createUserService(client);
-      await users.deleteIfExists({ email: fakeUserForOAuth.email });
-      // Delete OAuth user from `with-session-tasks` instance
-      await u.services.users.deleteIfExists({ email: fakeUserForOAuth.email });
-
-      await app.teardown();
-    });
+    test.afterAll(async () => {
+      const u = createTestUtils({ app });
+      try {
+        await u.services.organizations.deleteAll();
+      } finally {
+        await app.teardown();
+      }
+    });
🧹 Nitpick comments (1)
integration/tests/session-tasks-sign-up.test.ts (1)

71-73: Avoid double createFakeOrganization calls; mutate the slug once

Simplifies intent and avoids extra object allocations.

-      const fakeOrganization = Object.assign(u.services.organizations.createFakeOrganization(), {
-        slug: u.services.organizations.createFakeOrganization().slug + '-with-sign-up',
-      });
+      const org = u.services.organizations.createFakeOrganization();
+      org.slug = `${org.slug}-with-sign-up`;
+      const fakeOrganization = org;
-      const fakeOrganization = Object.assign(u.services.organizations.createFakeOrganization(), {
-        slug: u.services.organizations.createFakeOrganization().slug + '-with-sign-in-sso',
-      });
+      const org = u.services.organizations.createFakeOrganization();
+      org.slug = `${org.slug}-with-sign-in-sso`;
+      const fakeOrganization = org;

Also applies to: 102-104

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dfd13b and d336777.

📒 Files selected for processing (1)
  • integration/tests/session-tasks-sign-up.test.ts (4 hunks)
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**

📄 CodeRabbit Inference Engine (.cursor/rules/global.mdc)

Framework integration templates and E2E tests should be placed under the integration/ directory

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

End-to-end tests and integration templates must be located in the 'integration/' directory.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*.{test,spec}.{js,ts}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Integration tests should use Playwright.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
🔇 Additional comments (4)
integration/tests/session-tasks-sign-up.test.ts (4)

1-1: Imports look good for test-only backend ops

Adding createClerkClient, instanceKeys, and createUserService is appropriate for cross-instance cleanup in integration tests.

Also applies to: 5-5, 8-8

15-16: Good separation of users for email/password vs OAuth flows

Using distinct regularFakeUser and fakeUserForOAuth avoids cross-contamination between test paths.

61-63: Usage of per-flow fake users is correct

Correctly wires the regular and OAuth users into their respective flows.

Also applies to: 91-91

50-54: Move user deletions into afterEach to avoid orphaned test accounts

The current afterAll cleanup only deletes the last-allocated users and leaves all earlier fake users undeleted when running multiple tests. Shifting the deletions into afterEach ensures each test cleans up its own users immediately, and using Promise.allSettled prevents non-critical cleanup failures from failing the suite.

Please update integration/tests/session-tasks-sign-up.test.ts as follows:

-  test.afterEach(async ({ page, context }) => {
-    const u = createTestUtils({ app, page, context });
-    await u.page.signOut();
-    await u.page.context().clearCookies();
-  });
+  test.afterEach(async ({ page, context }) => {
+    const u = createTestUtils({ app, page, context });
+    // Tear down session to avoid bleed
+    await u.page.signOut();
+    await u.page.context().clearCookies();
+
+    // Best-effort per-test user cleanup
+    const deletions: Promise<unknown>[] = [];
+
+    if (regularFakeUser) {
+      deletions.push(regularFakeUser.deleteIfExists());
+    }
+
+    const oauth = instanceKeys.get('oauth-provider');
+    if (oauth && fakeUserForOAuth?.email) {
+      // Delete from both the OAuth provider and our app
+      const client = createClerkClient({
+        secretKey: oauth.sk,
+        publishableKey: oauth.pk,
+      });
+      const usersService = createUserService(client);
+      deletions.push(usersService.deleteIfExists({ email: fakeUserForOAuth.email }));
+      deletions.push(u.services.users.deleteIfExists({ email: fakeUserForOAuth.email }));
+    }
+
+    const results = await Promise.allSettled(deletions);
+    for (const r of results) {
+      if (r.status === 'rejected') {
+        console.warn('[cleanup] user deletion failed:', r.reason);
+      }
+    }
+  });

• Confirm that your CI always provides an oauth-provider entry via instanceKeys.get('oauth-provider'); if not, the guard prevents failures, but you may want to test.skip the OAuth flow when keys are missing.
• Remove the existing test.afterAll deletions for these users (they’re now in afterEach).

integration/tests/session-tasks-sign-up.test.ts
Comment on lines +95 to +99
// TODO - Remove this once FAPI changes are deployed to redirect
// to `redirect_url` for pending sessions on SSO callback
await u.page.waitForAppUrl('/');
await u.page.goToRelative('/page-protected');

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Make SSO wait resilient across pre/post FAPI change

Instead of hardcoding '/', wait for either '/' or '/sso-callback' so the test passes regardless of where FAPI redirects during pending sessions.

-      // TODO - Remove this once FAPI changes are deployed to redirect
-      // to `redirect_url` for pending sessions on SSO callback
-      await u.page.waitForAppUrl('/');
-      await u.page.goToRelative('/page-protected');
+      // Handle both current and future FAPI behaviors:
+      // - current: redirect to `/sso-callback` for pending sessions
+      // - future: redirect directly to the final `redirect_url` (`/`)
+      await page.waitForURL(/\/($|sso-callback)$/);
+      await u.page.goToRelative('/page-protected');

If preferred to keep using wrappers, we can switch back once waitForAppUrl supports regex or multiple targets.

🏁 Script executed:

#!/bin/bash
# Locate the definition of waitForAppUrl to verify its capabilities
rg "waitForAppUrl" -n .

Length of output: 8323

🏁 Script executed:

#!/bin/bash
# Display the implementation of waitForAppUrl to confirm its signature and capabilities
awk 'NR>=1 && NR<=200' packages/testing/src/playwright/unstable/page-objects/app.ts | sed -n 's/\t/    /g'

Length of output: 108

🏁 Script executed:

#!/bin/bash
# Show the implementation of waitForAppUrl with surrounding context
rg -nC5 "waitForAppUrl" packages/testing/src/playwright/unstable/page-objects/app.ts

Length of output: 493

🏁 Script executed:

#!/bin/bash
# Show the implementation block of waitForAppUrl to confirm its behavior
sed -n '70,120p' packages/testing/src/playwright/unstable/page-objects/app.ts

Length of output: 1682

🏁 Script executed:

#!/bin/bash
# Show the beginning of the test file to inspect how `page` and `u` are used
sed -n '1,50p' integration/tests/session-tasks-sign-up.test.ts

Length of output: 1826

🏁 Script executed:

#!/bin/bash
# Display the header and creation of page objects to inspect returned structure
sed -n '1,70p' packages/testing/src/playwright/unstable/page-objects/app.ts

Length of output: 2473

Make SSO wait resilient across pre/post FAPI change

Handle both current and future FAPI redirect patterns by using Playwright’s built-in waitForURL with a regex instead of the wrapper:

File: integration/tests/session-tasks-sign-up.test.ts
Lines: 95–99

-      // TODO - Remove this once FAPI changes are deployed to redirect
-      // to `redirect_url` for pending sessions on SSO callback
-      await u.page.waitForAppUrl('/');
+      // Handle both current (redirect to `/sso-callback`) and future (direct `/`) FAPI behaviors
+      await u.page.waitForURL(/\/(?:sso-callback)?$/);
       await u.page.goToRelative('/page-protected');

This covers both “/sso-callback” and “/” without changing the wrapper; once waitForAppUrl supports regex or multiple targets, you can revert to it.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// TODO - Remove this once FAPI changes are deployed to redirect
// to `redirect_url` for pending sessions on SSO callback
await u.page.waitForAppUrl('/');
await u.page.goToRelative('/page-protected');
// Handle both current (redirect to `/sso-callback`) and future (direct `/`) FAPI behaviors
await u.page.waitForURL(/\/(?:sso-callback)?$/);
await u.page.goToRelative('/page-protected');
🤖 Prompt for AI Agents 
In integration/tests/session-tasks-sign-up.test.ts around lines 95 to 99,
replace the current use of the custom wrapper u.page.waitForAppUrl('/') with
Playwright's built-in waitForURL method using a regex pattern that matches both
"/sso-callback" and "/" URLs. This change will make the SSO wait resilient to
both pre- and post-FAPI redirect behaviors. Use page.waitForURL with a regex
covering these paths directly, and keep the subsequent navigation to
'/page-protected' as is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@nikosdouvlis nikosdouvlis nikosdouvlis approved these changes

Assignees

@LauraBeatris LauraBeatris

Labels
clerk-js integration
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@LauraBeatris @nikosdouvlis @clerk-cookie