fix(nextjs): Pass keyless credentials to request data only missing explicit keys (#5085)

panteliselef · web-flow · commit d1a8d8d01a71 · 2025-02-06T08:53:31.000Z
diff --git a/.changeset/chilled-starfishes-jam.md b/.changeset/chilled-starfishes-jam.md
@@ -0,0 +1,5 @@
+---
+'@clerk/nextjs': patch
+---
+
+Fixes the "Unable to verify request ..." error occured when switching keys from an application running on keyless and a regular claimed application and there is a user signed-in.
diff --git a/packages/nextjs/src/server/clerkMiddleware.ts b/packages/nextjs/src/server/clerkMiddleware.ts
@@ -201,10 +201,16 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]) => {
         setRequestHeadersOnNextResponse(handlerResult, clerkRequest, { [constants.Headers.EnableDebug]: 'true' });
       }
 
-      decorateRequest(clerkRequest, handlerResult, requestState, resolvedParams, {
-        publishableKey: keyless?.publishableKey,
-        secretKey: keyless?.secretKey,
-      });
+      const keylessKeysForRequestData =
+        // Only pass keyless credentials when there are no explicit keys
+        secretKey === keyless?.secretKey
+          ? {
+              publishableKey: keyless?.publishableKey,
+              secretKey: keyless?.secretKey,
+            }
+          : {};
+
+      decorateRequest(clerkRequest, handlerResult, requestState, resolvedParams, keylessKeysForRequestData);
 
       return handlerResult;
     });
diff --git a/packages/nextjs/src/server/utils.ts b/packages/nextjs/src/server/utils.ts
@@ -185,7 +185,7 @@ const KEYLESS_ENCRYPTION_KEY = 'clerk_keyless_dummy_key';
  **/
 export function encryptClerkRequestData(
   requestData: Partial<AuthenticateRequestOptions>,
-  keylessMode: Pick<AuthenticateRequestOptions, 'publishableKey' | 'secretKey'>,
+  keylessModeKeys: Pick<AuthenticateRequestOptions, 'publishableKey' | 'secretKey'>,
 ) {
   const isEmpty = (obj: Record<string, any> | undefined) => {
     if (!obj) {
@@ -194,7 +194,7 @@ export function encryptClerkRequestData(
     return !Object.values(obj).some(v => v !== undefined);
   };
 
-  if (isEmpty(requestData) && isEmpty(keylessMode)) {
+  if (isEmpty(requestData) && isEmpty(keylessModeKeys)) {
     return;
   }
 
@@ -211,7 +211,7 @@ export function encryptClerkRequestData(
     ? ENCRYPTION_KEY || assertKey(SECRET_KEY, () => errorThrower.throwMissingSecretKeyError())
     : ENCRYPTION_KEY || SECRET_KEY || KEYLESS_ENCRYPTION_KEY;
 
-  return AES.encrypt(JSON.stringify({ ...keylessMode, ...requestData }), maybeKeylessEncryptionKey).toString();
+  return AES.encrypt(JSON.stringify({ ...keylessModeKeys, ...requestData }), maybeKeylessEncryptionKey).toString();
 }
 
 /**

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/nextjs': patch
 +---
++
 +Fixes the "Unable to verify request ..." error occured when switching keys from an application running on keyless and a regular claimed application and there is a user signed-in.