Skip to content

feat(backend): Limit handshake to document requests#2352

Merged
SokratisVidros merged 6 commits into
mainfrom
brk.feat/handshake-fetch
Dec 15, 2023
Merged

feat(backend): Limit handshake to document requests#2352
SokratisVidros merged 6 commits into
mainfrom
brk.feat/handshake-fetch

Conversation

@brkalow

@brkalow brkalow commented Dec 14, 2023

Copy link
Copy Markdown
Member

Description

Limit the handshake flow to document requests. We identify this by checking for the presence of the Sec-Fetch-Dest header with the value document. For browsers that don't support this header, we check that the Accept header value starts with text/html, which is a reasonable enough indication that it's a document request.

Checklist

  • npm test runs as expected.
  • npm run build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Packages affected

  • @clerk/backend
  • @clerk/chrome-extension
  • @clerk/clerk-js
  • @clerk/clerk-expo
  • @clerk/fastify
  • gatsby-plugin-clerk
  • @clerk/localizations
  • @clerk/nextjs
  • @clerk/clerk-react
  • @clerk/remix
  • @clerk/clerk-sdk-node
  • @clerk/shared
  • @clerk/themes
  • @clerk/types
  • build/tooling/chore

@changeset-bot

changeset-bot Bot commented Dec 14, 2023

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: df9aba8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages
Name Type
@clerk/backend Patch
@clerk/fastify Patch
gatsby-plugin-clerk Patch
@clerk/nextjs Patch
@clerk/remix Patch
@clerk/clerk-sdk-node Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@brkalow brkalow changed the title feat(backend): Support dev handshake when the redirect ends up tainted feat(backend): Limit handshake to document requests Dec 14, 2023
@brkalow brkalow marked this pull request as ready for review December 14, 2023 22:14
});

test('cookieToken: returns undefined when crossOriginReferrer in development and is satellite [6n]', async assert => {
test('cookieToken: returns signedIn when satellite but valid token and clientUat', async assert => {

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test name was inaccurate 🧐

mockRequestWithCookies(
{
...defaultHeaders,
'sec-fetch-dest': 'empty',

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we're defaulting to sec-fetch-dest: document, we need to explicitly set it to empty for this test case

function isRequestEligibleForHandshake(authenticateContext: { secFetchDest?: string; accept?: string }) {
const { accept, secFetchDest } = authenticateContext;

// NOTE: we could also check sec-fetch-mode === navigate here, but according to the spec, sec-fetch-dest: document should indicate that the request is the result of a user navigation.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, you can't overwrite sec-fetch-mode, so testing became difficult.

Comment on lines +181 to +193
function handleMaybeHandshakeStatus(
context: typeof authenticateContext,
reason: AuthErrorReason,
message: string,
headers?: Headers,
) {
if (isRequestEligibleForHandshake(context)) {
// Right now the only usage of passing in different headers is for multi-domain sync, which redirects somewhere else.
// In the future if we want to decorate the handshake redirect with additional headers per call we need to tweak this logic.
return handshake(context, reason, message, headers ?? buildRedirectToHandshake());
}
return signedOut(context, reason, message, new Headers());
}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This felt like a reasonable abstraction, easy to tweak the handshake heuristic in one place going forward.

@SokratisVidros SokratisVidros merged commit 1e98187 into main Dec 15, 2023
@SokratisVidros SokratisVidros deleted the brk.feat/handshake-fetch branch December 15, 2023 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants