fix(backend): Sanitize slashes in URL paths (#3982)

Co-authored-by: Robert Soriano <sorianorobertc@gmail.com>

Author: mlafeldt

.changeset/dull-goats-tie.md

@@ -0,0 +1,5 @@
+---
+"@clerk/backend": patch
+---
+
+Fix error from duplicate leading slashes in URL path on Cloudflare Pages

packages/backend/src/tokens/__tests__/clerkRequest.test.ts

@@ -151,6 +151,14 @@ export default (QUnit: QUnit) => {
         });
         assert.equal(createClerkRequest(req).clerkUrl.toString(), 'https://example.com/path?foo=bar');
       });
+
+      it('with duplicate leading slashes in URL path', assert => {
+        const req1 = new Request('http://localhost:3000//path');
+        assert.equal(createClerkRequest(req1).clerkUrl.toString(), 'http://localhost:3000//path');
+
+        const req2 = new Request('http://localhost:3000////path');
+        assert.equal(createClerkRequest(req2).clerkUrl.toString(), 'http://localhost:3000////path');
+      });
     });
 
     module('toJSON', () => {

packages/backend/src/tokens/clerkRequest.ts

@@ -51,6 +51,9 @@ class ClerkRequest extends Request {
     const resolvedProtocol = this.getFirstValueFromHeader(forwardedProto) ?? protocol?.replace(/[:/]/, '');
     const origin = resolvedHost && resolvedProtocol ? `${resolvedProtocol}://${resolvedHost}` : initialUrl.origin;
 
+    if (origin === initialUrl.origin) {
+      return createClerkUrl(initialUrl);
+    }
     return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);
   }