Skip to content

fix(clerk-js): Remove condition to always send redirect_url for SSO with after-auth #6498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 11, 2025
Merged

fix(clerk-js): Remove condition to always send redirect_url for SSO with after-auth #6498

merged 3 commits into from
Aug 11, 2025
+34 −31

Conversation

LauraBeatris
Copy link
Member

@LauraBeatris LauraBeatris commented Aug 9, 2025
edited by coderabbitai bot
Loading

Description

Context

This was previously introduced for FAPI to avoid redirecting to, for example, /dashboard, if the sign-in/sign-up was complete but with a pending session.

The problem is that the SDK couldn't know ahead of time if the session created by sign-in/sign-up would be pending, and it was navigating to /sso-callback for all sign-ins/sign-ups, even when the task was already satisfied.

What's the fix now

We're removing this condition, and thinking whether is worth moving the logic to FAPI: https://github.com/clerk/clerk_go/pull/13037

For SPAs, as long as their apps are protected with SignedIn or SignedOut on private routes, or for server-side protections like auth.protect, it should also handle the case where FAPI redirects to redirect_url_complete while the PR above isn't merged.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Bug Fixes

    • Simplified SSO/after-auth redirect behavior so users are consistently sent to the final completion URL after sign-in.

  • Tests

    • Improved test isolation by using separate accounts for standard and OAuth sign-ups and adding full cleanup of test users from provider and app.

  • Chores

    • Added a changeset to publish a patch release.

@LauraBeatris LauraBeatris self-assigned this Aug 9, 2025
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 9, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 44c7726

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel Vercel
Copy link

vercel bot commented Aug 9, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
clerk-js-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 11, 2025 5:09pm

@LauraBeatris LauraBeatris requested a review from a team August 9, 2025 01:00
@LauraBeatris LauraBeatris marked this pull request as ready for review August 9, 2025 01:04
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 21b4f5e to 5657b07 Compare August 9, 2025 01:04
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 9, 2025
edited
Loading

📝 Walkthrough

Walkthrough

A changeset was added for a patch release removing the practice of sending an auth-token-augmented redirect URL for SSO/after-auth flows. In packages/clerk-js, SignIn and SignUp were simplified to stop constructing or conditionally using redirectUrlWithAuthToken; action-complete redirect values now use redirectUrlComplete (or the original redirectUrl) directly. Integration tests were updated to use two separate fake users (regular and OAuth), added cleanup to remove the OAuth user from the external OAuth provider and the app’s user service, and adjusted the OAuth sign-up test flow to await signUp-mounted state.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Aug 9, 2025
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6498

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6498

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6498

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6498

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6498

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6498

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6498

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6498

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6498

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6498

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6498

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6498

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6498

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6498

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6498

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6498

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6498

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6498

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6498

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6498

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6498

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6498

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6498

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6498

commit: 28eb889

coderabbitai[bot]
coderabbitai bot reviewed Aug 9, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🔭 Outside diff range comments (1)
.changeset/mighty-ducks-occur.md (1)

6-6: Remove stray character on the last line

There’s a lone "6" on the final line that will end up in release notes and can confuse readers.

Apply this diff:

-6
+
🧹 Nitpick comments (4)
.changeset/mighty-ducks-occur.md (1)

5-5: Optional: tighten up the summary sentence

Add a period and optionally clarify “after-auth flows” to improve the release note readability.

-Remove sending `redirect_url_complete` as `redirect_url` for SSO with after-auth flows
+Remove sending `redirect_url_complete` as `redirect_url` for SSO with after-auth flows.
packages/clerk-js/src/core/resources/SignUp.ts (1)

291-303: Parity check: confirm whether redirectUrl should still include auth token here

SignUp still uses redirectUrlWithAuthToken while SignIn switched to passing raw redirectUrl during the initial create path (but still uses buildUrlWithAuth in prepare-first-factor for SSO). If the intent is to unify semantics across SignIn/SignUp, consider passing the raw redirectUrl here as well. Otherwise, please confirm this difference is intentional.

If alignment is desired, here’s a minimal change:

-    const redirectUrlWithAuthToken = SignUp.clerk.buildUrlWithAuth(redirectUrl);
-
     const authenticateFn = () => {
       const authParams = {
         strategy,
-        redirectUrl: redirectUrlWithAuthToken,
+        redirectUrl,
         actionCompleteRedirectUrl: redirectUrlComplete,
         unsafeMetadata,
         emailAddress,
         legalAccepted,
         oidcPrompt,
       };
       return continueSignUp && this.id ? this.update(authParams) : this.create(authParams);
     };

Also, please add tests to ensure:

  • actionCompleteRedirectUrl is forwarded as redirectUrlComplete.
  • redirectUrl is not replaced with redirect_url_complete.
packages/clerk-js/src/core/resources/SignIn.ts (2)

587-595: Align SignInFuture.sso with the new semantics (optional)

This path still constructs redirectUrlWithAuthToken for the initial create. To avoid divergent behavior between SignIn.authenticateWithRedirectOrPopup and SignInFuture.sso, consider passing the raw redirectUrl and relying on FAPI + prepare flow to handle auth URL construction where needed.

-      const redirectUrlWithAuthToken = SignIn.clerk.buildUrlWithAuth(redirectUrl);
-
       if (!this.resource.id) {
         await this.create({
           strategy,
-          redirectUrl: redirectUrlWithAuthToken,
+          redirectUrl,
           actionCompleteRedirectUrl: redirectUrlComplete,
         });
       }

Please also add/update tests to cover:

  • create receives raw redirectUrl in this path.
  • end-to-end navigation remains correct for SSO via SignInFuture.sso.

282-294: Add tests to lock the new behavior

Please add unit/integration tests verifying:

  • create is invoked with raw redirectUrl and actionCompleteRedirectUrl = redirectUrlComplete.
  • For SSO strategies, prepare-first-factor uses the appropriate URL builder (if still required).
  • The SDK does not navigate to /sso-callback prematurely when the session is not pending.

I can draft the test scaffolding for these flows (mocks for FAPI client + navigation), if helpful.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf284ee and 5657b07.

📒 Files selected for processing (3)
  • .changeset/mighty-ducks-occur.md (1 hunks)
  • packages/clerk-js/src/core/resources/SignIn.ts (1 hunks)
  • packages/clerk-js/src/core/resources/SignUp.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
.changeset/**

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/mighty-ducks-occur.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (22)
  • GitHub Check: Unit Tests (22, **)
  • GitHub Check: Integration Tests (quickstart, chrome)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (elements, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 14)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (expo-web, chrome)
  • GitHub Check: Integration Tests (tanstack-react-router, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
  • GitHub Check: Publish with pkg-pr-new
  • GitHub Check: Static analysis
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (4)
.changeset/mighty-ducks-occur.md (1)

2-5: Changeset entry is appropriate (patch) and message is clear

Patch bump for '@clerk/clerk-js' aligns with the described behavioral change. Looks good.

packages/clerk-js/src/core/resources/SignUp.ts (1)

294-299: Directly using redirectUrlComplete for actionCompleteRedirectUrl is correct

This aligns the responsibility with FAPI and removes the SDK-side conditional. Good step toward simplifying after-auth SSO.

packages/clerk-js/src/core/resources/SignIn.ts (2)

252-261: Good: SDK stops replacing redirect_url and delegates completion to FAPI

Using actionCompleteRedirectUrl = redirectUrlComplete and passing raw redirectUrl during create simplifies the flow and aligns with the stated direction.

264-271: SSO prepare flow: No changes needed to buildUrlWithAuth

We scanned every occurrence of buildUrlWithAuth—it’s applied uniformly across all redirect-based authentication flows (SignIn, SignUp, email-link verification, enterprise SSO/SAML, third-party redirects, popup flows, etc.) to ensure development-mode tokens are bound to those URLs. Removing it here would introduce an inconsistency and break token binding in non-production environments.

• Key usages in SSO prepare flow

  • packages/clerk-js/src/core/resources/SignIn.ts (lines 264–271 and 586–590)
  • packages/clerk-js/src/core/resources/SignUp.ts (lines 291–294)
  • packages/elements/src/internals/machines/third-party/third-party.actors.ts (lines 32–36)
  • packages/utils/authenticateWithPopup.ts (lines 33–39)

All other flows rely on the same augmentation, so we should keep calling buildUrlWithAuth(redirectUrl) here.

@LauraBeatris LauraBeatris mentioned this pull request Aug 9, 2025
Open
9 tasks
coderabbitai[bot]
coderabbitai bot reviewed Aug 10, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
integration/tests/session-tasks-sign-up.test.ts (1)

26-27: Clarifying comment and provider cleanup — LGTM

Good call documenting and keeping the provider-side cleanup explicit. If there’s no ordering dependency with app-side deletion, consider running both deletions concurrently after org cleanup to reduce test duration.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5657b07 and 4dfd13b.

📒 Files selected for processing (1)
  • integration/tests/session-tasks-sign-up.test.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**

📄 CodeRabbit Inference Engine (.cursor/rules/global.mdc)

Framework integration templates and E2E tests should be placed under the integration/ directory

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

End-to-end tests and integration templates must be located in the 'integration/' directory.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*.{test,spec}.{js,ts}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Integration tests should use Playwright.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (tanstack-react-router, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (expo-web, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 14)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (elements, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Unit Tests (22, **)
  • GitHub Check: Publish with pkg-pr-new
  • GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
  • GitHub Check: Static analysis
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: semgrep/ci
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan

@LauraBeatris LauraBeatris marked this pull request as draft August 10, 2025 14:41
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 4dfd13b to 569356b Compare August 10, 2025 15:10
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 569356b to d336777 Compare August 10, 2025 15:12
@LauraBeatris LauraBeatris marked this pull request as ready for review August 10, 2025 17:13
coderabbitai[bot]
coderabbitai bot reviewed Aug 10, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
integration/tests/session-tasks-sign-up.test.ts (1)

32-48: Make teardown unconditional and avoid suite failure on cleanup errors; move user deletions out of afterAll

  • Risk: If any deletion throws, app.teardown() won’t run.
  • Also, combined with beforeEach, this deletes only the last-created users, leaking users from prior tests.

Wrap teardown in finally and remove user deletions from afterAll. We'll handle deletions per test in afterEach (see separate comment).

-    test.afterAll(async () => {
-      const u = createTestUtils({ app });
-      await u.services.organizations.deleteAll();
-      await regularFakeUser.deleteIfExists();
-
-      // Delete user from OAuth provider instance
-      const client = createClerkClient({
-        secretKey: instanceKeys.get('oauth-provider').sk,
-        publishableKey: instanceKeys.get('oauth-provider').pk,
-      });
-      const users = createUserService(client);
-      await users.deleteIfExists({ email: fakeUserForOAuth.email });
-      // Delete OAuth user from `with-session-tasks` instance
-      await u.services.users.deleteIfExists({ email: fakeUserForOAuth.email });
-
-      await app.teardown();
-    });
+    test.afterAll(async () => {
+      const u = createTestUtils({ app });
+      try {
+        await u.services.organizations.deleteAll();
+      } finally {
+        await app.teardown();
+      }
+    });
🧹 Nitpick comments (1)
integration/tests/session-tasks-sign-up.test.ts (1)

71-73: Avoid double createFakeOrganization calls; mutate the slug once

Simplifies intent and avoids extra object allocations.

-      const fakeOrganization = Object.assign(u.services.organizations.createFakeOrganization(), {
-        slug: u.services.organizations.createFakeOrganization().slug + '-with-sign-up',
-      });
+      const org = u.services.organizations.createFakeOrganization();
+      org.slug = `${org.slug}-with-sign-up`;
+      const fakeOrganization = org;
-      const fakeOrganization = Object.assign(u.services.organizations.createFakeOrganization(), {
-        slug: u.services.organizations.createFakeOrganization().slug + '-with-sign-in-sso',
-      });
+      const org = u.services.organizations.createFakeOrganization();
+      org.slug = `${org.slug}-with-sign-in-sso`;
+      const fakeOrganization = org;

Also applies to: 102-104

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dfd13b and d336777.

📒 Files selected for processing (1)
  • integration/tests/session-tasks-sign-up.test.ts (4 hunks)
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**

📄 CodeRabbit Inference Engine (.cursor/rules/global.mdc)

Framework integration templates and E2E tests should be placed under the integration/ directory

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

End-to-end tests and integration templates must be located in the 'integration/' directory.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
integration/**/*.{test,spec}.{js,ts}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Integration tests should use Playwright.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • integration/tests/session-tasks-sign-up.test.ts
🔇 Additional comments (4)
integration/tests/session-tasks-sign-up.test.ts (4)

1-1: Imports look good for test-only backend ops

Adding createClerkClient, instanceKeys, and createUserService is appropriate for cross-instance cleanup in integration tests.

Also applies to: 5-5, 8-8

15-16: Good separation of users for email/password vs OAuth flows

Using distinct regularFakeUser and fakeUserForOAuth avoids cross-contamination between test paths.

61-63: Usage of per-flow fake users is correct

Correctly wires the regular and OAuth users into their respective flows.

Also applies to: 91-91

50-54: Move user deletions into afterEach to avoid orphaned test accounts

The current afterAll cleanup only deletes the last-allocated users and leaves all earlier fake users undeleted when running multiple tests. Shifting the deletions into afterEach ensures each test cleans up its own users immediately, and using Promise.allSettled prevents non-critical cleanup failures from failing the suite.

Please update integration/tests/session-tasks-sign-up.test.ts as follows:

-  test.afterEach(async ({ page, context }) => {
-    const u = createTestUtils({ app, page, context });
-    await u.page.signOut();
-    await u.page.context().clearCookies();
-  });
+  test.afterEach(async ({ page, context }) => {
+    const u = createTestUtils({ app, page, context });
+    // Tear down session to avoid bleed
+    await u.page.signOut();
+    await u.page.context().clearCookies();
+
+    // Best-effort per-test user cleanup
+    const deletions: Promise<unknown>[] = [];
+
+    if (regularFakeUser) {
+      deletions.push(regularFakeUser.deleteIfExists());
+    }
+
+    const oauth = instanceKeys.get('oauth-provider');
+    if (oauth && fakeUserForOAuth?.email) {
+      // Delete from both the OAuth provider and our app
+      const client = createClerkClient({
+        secretKey: oauth.sk,
+        publishableKey: oauth.pk,
+      });
+      const usersService = createUserService(client);
+      deletions.push(usersService.deleteIfExists({ email: fakeUserForOAuth.email }));
+      deletions.push(u.services.users.deleteIfExists({ email: fakeUserForOAuth.email }));
+    }
+
+    const results = await Promise.allSettled(deletions);
+    for (const r of results) {
+      if (r.status === 'rejected') {
+        console.warn('[cleanup] user deletion failed:', r.reason);
+      }
+    }
+  });

• Confirm that your CI always provides an oauth-provider entry via instanceKeys.get('oauth-provider'); if not, the guard prevents failures, but you may want to test.skip the OAuth flow when keys are missing.
• Remove the existing test.afterAll deletions for these users (they’re now in afterEach).

@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from d336777 to 9d0331f Compare August 11, 2025 13:52
@LauraBeatris LauraBeatris enabled auto-merge (squash) August 11, 2025 13:52
@LauraBeatris
Copy link
Member Author

Waiting for FAPI to be released to prod so I can re-run the tests here

@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from dc6ee6a to 80743ae Compare August 11, 2025 14:48
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 80743ae to 28eb889 Compare August 11, 2025 16:50
@LauraBeatris LauraBeatris disabled auto-merge August 11, 2025 16:51
@LauraBeatris LauraBeatris changed the base branch from main to laura/remove-experimental-navigate-to-tasks August 11, 2025 16:55
coderabbitai[bot]
coderabbitai bot reviewed Aug 11, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
.changeset/mighty-ducks-occur.md (1)

5-5: Enrich the release note with context and migration guidance.

Add a short rationale and link to the FAPI change so integrators understand the behavior shift and recommended SPA protections.

 Remove sending `redirect_url_complete` as `redirect_url` for SSO with after-auth flows
+
+Context:
+- Previously, the SDK sometimes replaced `redirect_url` with `redirect_url_complete` to avoid app-route redirects when a session became `pending`. This caused all SSO flows to land on `/sso-callback`, even when the task was already satisfied.
+- The SDK now always sends `redirect_url`, and sets `action_complete_redirect_url` to `redirect_url_complete`. Backend (FAPI) will handle pending-session cases.
+
+Notes for SPAs:
+- Ensure private routes are protected (e.g., via `<SignedIn>/<SignedOut>` or server-side `auth.protect`) to handle early redirects to `redirect_url_complete`.
+
+See also:
+- Backend change: clerk/clerk_go#13037
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80743ae and 28eb889.

📒 Files selected for processing (4)
  • .changeset/mighty-ducks-occur.md (1 hunks)
  • integration/tests/session-tasks-sign-up.test.ts (4 hunks)
  • packages/clerk-js/src/core/resources/SignIn.ts (1 hunks)
  • packages/clerk-js/src/core/resources/SignUp.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • integration/tests/session-tasks-sign-up.test.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

  • packages/clerk-js/src/core/resources/SignUp.ts
.changeset/**

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/mighty-ducks-occur.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (24)
  • GitHub Check: Integration Tests (nextjs, chrome, 14)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (expo-web, chrome)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (tanstack-react-router, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (elements, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome)
  • GitHub Check: Unit Tests (22, **)
  • GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
  • GitHub Check: Publish with pkg-pr-new
  • GitHub Check: Static analysis
  • GitHub Check: semgrep/ci
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (3)
.changeset/mighty-ducks-occur.md (1)

1-5: Changeset entry looks correct for a patch release.

Package scope and intent are clear. Good to proceed.

packages/clerk-js/src/core/resources/SignUp.ts (2)

297-297: LGTM: Always setting actionCompleteRedirectUrl to redirectUrlComplete.

This matches the desired behavior for after-auth SSO flows.

291-299: No change needed: redirectUrl augmentation is consistent across SignIn and SignUp.

Our search shows both resources still call buildUrlWithAuth(redirectUrl) in equivalent flows:

• packages/clerk-js/src/core/resources/SignIn.ts –
– buildUrlWithAuth: lines 267, 587
– plain redirectUrl only for initial create (first factor)
• packages/clerk-js/src/core/resources/SignUp.ts –
– buildUrlWithAuth: line 291

Since both SignIn and SignUp augment the redirect URL for the final authentication step, the current asymmetry is intentional and no refactor is required.

@LauraBeatris LauraBeatris changed the base branch from laura/remove-experimental-navigate-to-tasks to main August 11, 2025 16:56
@LauraBeatris LauraBeatris changed the base branch from main to laura/introduce-on-pending-session August 11, 2025 16:58
@LauraBeatris LauraBeatris force-pushed the laura/remove-sso-hacky-moved-to-fapi branch from 28eb889 to 44c7726 Compare August 11, 2025 17:08
@LauraBeatris LauraBeatris merged commit d53c245 into laura/introduce-on-pending-session Aug 11, 2025
6 checks passed
@LauraBeatris LauraBeatris deleted the laura/remove-sso-hacky-moved-to-fapi branch August 11, 2025 17:11
LauraBeatris added a commit that referenced this pull request Aug 11, 2025
@LauraBeatris
Remove condition to always send redirect_url for SSO with after-auth (
559cd5b 
#6498)
LauraBeatris added a commit that referenced this pull request Aug 11, 2025
@LauraBeatris
Remove condition to always send redirect_url for SSO with after-auth (
77b9da7 
#6498)
LauraBeatris added a commit that referenced this pull request Aug 12, 2025
@LauraBeatris
Remove condition to always send redirect_url for SSO with after-auth (
597d86a 
#6498)
LauraBeatris added a commit that referenced this pull request Aug 12, 2025
@LauraBeatris
Remove condition to always send redirect_url for SSO with after-auth (
e855d5b 
#6498)
LauraBeatris added a commit that referenced this pull request Aug 12, 2025
@LauraBeatris
Remove condition to always send redirect_url for SSO with after-auth (
bbe73ad 
#6498)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@nikosdouvlis nikosdouvlis nikosdouvlis approved these changes

@iagodahlem iagodahlem iagodahlem approved these changes

Assignees

@LauraBeatris LauraBeatris

Labels
clerk-js integration
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@LauraBeatris @nikosdouvlis @iagodahlem @clerk-cookie