fix(backend): Use domain only for satellite apps (#5919)

Author: jacekradko

.changeset/moody-clouds-smile.md

@@ -0,0 +1,6 @@
+---
+'@clerk/backend': patch
+'@clerk/shared': patch
+---
+
+Use domain in AuthenticateRequest only for satellite domains

integration/tests/handshake.test.ts

@@ -25,7 +25,6 @@ test.describe('Client handshake @generic', () => {
   });
   // Strip trailing slash
   const devBrowserCookie = '__clerk_db_jwt=needstobeset;';
-  const devBrowserQuery = '&__clerk_db_jwt=needstobeset';
 
   test.beforeAll('setup local Clerk API mock', async () => {
     const env = appConfigs.envs.withEmailCodes
@@ -367,7 +366,11 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     const locationUrl = new URL(res.headers.get('location'));
-    expect(locationUrl.origin + locationUrl.pathname).toBe('https://clerk.example.com/v1/client/handshake');
+
+    // The domain is ignored for non-satellite requests
+    expect(locationUrl.hostname).not.toBe('example.com');
+
+    expect(locationUrl.origin + locationUrl.pathname).toContain('/v1/client/handshake');
     expect(locationUrl.searchParams.get('redirect_url')).toBe(`${app.serverUrl}/`);
     expect(locationUrl.searchParams.get('__clerk_hs_reason')).toBe(
       'session-token-expired-refresh-non-eligible-no-refresh-cookie',
@@ -376,6 +379,30 @@ test.describe('Client handshake @generic', () => {
     expect(locationUrl.searchParams.get('suffixed_cookies')).toBe('false');
   });
 
+  test('domain - prod satellite - domain is used as the redirect url', async () => {
+    const config = generateConfig({
+      mode: 'live',
+    });
+    const { token, claims } = config.generateToken({ state: 'expired' });
+    const clientUat = claims.iat;
+    const res = await fetch(app.serverUrl + '/', {
+      headers: new Headers({
+        Cookie: `__client_uat=${clientUat}; __session=${token}`,
+        'X-Publishable-Key': config.pk,
+        'X-Secret-Key': config.sk,
+        'X-Satellite': 'true',
+        'X-Domain': 'example.com',
+        'Sec-Fetch-Dest': 'document',
+      }),
+      redirect: 'manual',
+    });
+    expect(res.status).toBe(307);
+    const locationUrl = new URL(res.headers.get('location'));
+
+    // The domain is used as the redirect url
+    expect(locationUrl.origin + locationUrl.pathname).toBe('https://clerk.example.com/v1/client/handshake');
+  });
+
   test('missing session token, positive uat - dev', async () => {
     const config = generateConfig({
       mode: 'test',

packages/backend/src/tokens/authenticateContext.ts

@@ -167,6 +167,7 @@ class AuthenticateContext implements AuthenticateContext {
       fatal: true,
       proxyUrl: options.proxyUrl,
       domain: options.domain,
+      isSatellite: options.isSatellite,
     });
     this.instanceType = pk.instanceType;
     this.frontendApi = pk.frontendApi;

packages/clerk-js/bundlewatch.config.json

@@ -1,7 +1,7 @@
 {
   "files": [
-    { "path": "./dist/clerk.js", "maxSize": "598KB" },
-    { "path": "./dist/clerk.browser.js", "maxSize": "68.5KB" },
+    { "path": "./dist/clerk.js", "maxSize": "598kB" },
+    { "path": "./dist/clerk.browser.js", "maxSize": "69KB" },
     { "path": "./dist/clerk.legacy.browser.js", "maxSize": "113KB" },
     { "path": "./dist/clerk.headless*.js", "maxSize": "52KB" },
     { "path": "./dist/ui-common*.js", "maxSize": "105.1KB" },

packages/shared/src/__tests__/keys.test.ts

@@ -71,12 +71,32 @@ describe('parsePublishableKey(key)', () => {
     });
   });
 
-  it('applies the domain if provided for production keys', () => {
-    expect(parsePublishableKey('pk_live_Y2xlcmsuY2xlcmsuZGV2JA==', { domain: 'example.com' })).toEqual({
+  it('applies the domain if provided for production keys and isSatellite is true', () => {
+    expect(
+      parsePublishableKey('pk_live_Y2xlcmsuY2xlcmsuZGV2JA==', { domain: 'example.com', isSatellite: true }),
+    ).toEqual({
       frontendApi: 'clerk.example.com',
       instanceType: 'production',
     });
   });
+
+  it('ignores domain for production keys when isSatellite is false', () => {
+    expect(
+      parsePublishableKey('pk_live_Y2xlcmsuY2xlcmsuZGV2JA==', { domain: 'example.com', isSatellite: false }),
+    ).toEqual({
+      frontendApi: 'clerk.clerk.dev',
+      instanceType: 'production',
+    });
+  });
+
+  it('ignores domain for development keys even when isSatellite is true', () => {
+    expect(
+      parsePublishableKey('pk_test_Y2xlcmsuY2xlcmsuZGV2JA==', { domain: 'example.com', isSatellite: true }),
+    ).toEqual({
+      frontendApi: 'clerk.clerk.dev',
+      instanceType: 'development',
+    });
+  });
 });
 
 describe('isPublishableKey(key)', () => {

packages/shared/src/keys.ts

@@ -8,6 +8,7 @@ type ParsePublishableKeyOptions = {
   fatal?: boolean;
   domain?: string;
   proxyUrl?: string;
+  isSatellite?: boolean;
 };
 
 const PUBLISHABLE_KEY_LIVE_PREFIX = 'pk_live_';
@@ -34,7 +35,7 @@ export function parsePublishableKey(
 ): PublishableKey | null;
 export function parsePublishableKey(
   key: string | undefined,
-  options: { fatal?: boolean; domain?: string; proxyUrl?: string } = {},
+  options: { fatal?: boolean; domain?: string; proxyUrl?: string; isSatellite?: boolean } = {},
 ): PublishableKey | null {
   key = key || '';
 
@@ -59,7 +60,7 @@ export function parsePublishableKey(
 
   if (options.proxyUrl) {
     frontendApi = options.proxyUrl;
-  } else if (instanceType !== 'development' && options.domain) {
+  } else if (instanceType !== 'development' && options.domain && options.isSatellite) {
     frontendApi = `clerk.${options.domain}`;
   }