Skip to content

feat(clerk-js): Use FAPI for OAuth popup callbacks#9174

Open
brkalow wants to merge 3 commits into
mainfrom
brk/clerk-js-fapi-popup-callback
Open

feat(clerk-js): Use FAPI for OAuth popup callbacks#9174
brkalow wants to merge 3 commits into
mainfrom
brk/clerk-js-fapi-popup-callback

Conversation

@brkalow

@brkalow brkalow commented Jul 16, 2026

Copy link
Copy Markdown
Member

OAuth popup flows currently depend on the Account Portal hostname even when an application sends all Frontend API traffic through its own proxy. That leaves a hostname dependency outside the proxy and prevents the popup flow from staying on the application's domain.

This changes Clerk.js to use the new FAPI popup callback route by default for both existing and future SignIn/SignUp flows. Clerk.js generates a random state value before starting the flow and accepts the callback message only when its origin matches the effective FAPI origin, its source is the opened popup, and its state matches. Direct FAPI and proxied FAPI URLs use the same path-building behavior.

Depends on https://github.com/clerk/clerk_go/pull/20467 being deployed before this Clerk.js version is released.

Summary by CodeRabbit

  • Bug Fixes
    • Improved OAuth and SSO popup authentication reliability.
    • Popup callbacks now use the Frontend API callback route instead of the Account Portal hostname.
    • Added secure state validation to prevent unrelated messages from completing authentication.
    • Preserved popup routing information across sign-in and sign-up verification flows.
  • Tests
    • Expanded coverage for popup redirects, callback URLs, state handling, origin validation, and successful navigation.

@changeset-bot

changeset-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: b369daf

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/electron Patch
@clerk/expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jul 17, 2026 4:25pm
swingset Ready Ready Preview, Comment Jul 17, 2026 4:25pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

OAuth popup callback handling now targets the Frontend API /popup_auth_callback route. Popup state is generated, propagated through sign-in and sign-up SSO flows, and validated on callback messages with expanded test coverage.

Changes

Popup authentication routing

Layer / File(s) Summary
FAPI callback URLs and state validation
packages/clerk-js/src/utils/authenticateWithPopup.ts
Popup callbacks use Frontend API URLs, include generated state, and validate callback origin, popup source, and state.
Sign-in and sign-up state propagation
packages/clerk-js/src/core/resources/SignIn.ts, packages/clerk-js/src/core/resources/SignUp.ts, packages/clerk-js/src/core/resources/__tests__/SignIn.test.ts, packages/clerk-js/src/core/resources/__tests__/SignUp.test.ts, .changeset/tidy-moose-travel.md
SSO flows retain wrapped popup state, pass it to popup authentication, update callback route assertions, and add a patch changeset.
Popup helper coverage
packages/clerk-js/src/utils/__tests__/authenticateWithPopup.test.ts
Tests cover default and proxied callback URLs, state propagation, message filtering, popup navigation, and listener cleanup.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant SSO
  participant PopupHelpers
  participant FrontendAPI
  participant Popup
  SSO->>PopupHelpers: Wrap redirect routes
  PopupHelpers->>FrontendAPI: Build state-bearing callback URLs
  FrontendAPI->>Popup: Send verification message
  PopupHelpers->>Popup: Validate origin, source, and state
  PopupHelpers->>SSO: Provide verification redirect
Loading

Suggested reviewers: jacekradko, dmoerner

Poem

A rabbit hops through routes anew,
With state in hex, precise and true.
FAPI callbacks guide the way,
While popup messages safely stay.
“Patch released!” the bunny sings,
And tests check all the little things.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: Clerk.js now uses FAPI for OAuth popup callbacks.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Comment @coderabbitai help to get the list of available commands.

@pkg-pr-new

pkg-pr-new Bot commented Jul 16, 2026

Copy link
Copy Markdown

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9174

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9174

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9174

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9174

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9174

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9174

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9174

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9174

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9174

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9174

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9174

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9174

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9174

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9174

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9174

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9174

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9174

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9174

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9174

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9174

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9174

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9174

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9174

commit: b369daf

@brkalow brkalow changed the title Use FAPI for OAuth popup callbacks feat(clerk-js): Use FAPI for OAuth popup callbacks Jul 17, 2026
@brkalow
brkalow marked this pull request as ready for review July 17, 2026 16:22
@macroscopeapp

macroscopeapp Bot commented Jul 17, 2026

Copy link
Copy Markdown

Approvability

Verdict: Needs human review

This PR modifies OAuth popup authentication infrastructure, changing callback endpoints from Account Portal to FAPI and adding state-based validation. Authentication-related changes warrant human review regardless of author trust level.

You can customize Macroscope's approvability policy. Learn more.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
packages/clerk-js/src/core/resources/__tests__/SignUp.test.ts (1)

1043-1045: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove the redundant test comment.

Line 1044 merely restates line 1045.

As per coding guidelines, “Keep code comments minimal” and “never restate the code.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/clerk-js/src/core/resources/__tests__/SignUp.test.ts` around lines
1043 - 1045, Remove the redundant inline comment inside the
_futureAuthenticateWithPopup mockImplementation callback, leaving the
popup.location.href assignment unchanged.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/clerk-js/src/utils/__tests__/authenticateWithPopup.test.ts`:
- Around line 73-89: Extend the test around _authenticateWithPopup to dispatch
valid-FAPI-origin message events with an incorrect state and an incorrect source
before the matching event. Assert navigate is not called after each rejected
event, then retain the existing matching event and assert navigation occurs with
returnUrl.

---

Nitpick comments:
In `@packages/clerk-js/src/core/resources/__tests__/SignUp.test.ts`:
- Around line 1043-1045: Remove the redundant inline comment inside the
_futureAuthenticateWithPopup mockImplementation callback, leaving the
popup.location.href assignment unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 0342ae97-0285-418e-a8b1-85d1c971497e

📥 Commits

Reviewing files that changed from the base of the PR and between 004cab7 and b369daf.

📒 Files selected for processing (7)
  • .changeset/tidy-moose-travel.md
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
  • packages/clerk-js/src/core/resources/__tests__/SignIn.test.ts
  • packages/clerk-js/src/core/resources/__tests__/SignUp.test.ts
  • packages/clerk-js/src/utils/__tests__/authenticateWithPopup.test.ts
  • packages/clerk-js/src/utils/authenticateWithPopup.ts

Comment on lines +73 to +89
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://accounts.example.com',
source: popup,
}),
);
expect(navigate).not.toHaveBeenCalled();

window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://clerk.example.com',
source: popup,
}),
);
expect(navigate).toHaveBeenCalledWith(returnUrl);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Cover direct popup state and source rejection.

This test only rejects an incorrect origin. Add valid-FAPI-origin events with an incorrect state and incorrect source before the matching event, so regressions in the new _authenticateWithPopup checks cannot permit unintended navigation.

Suggested coverage
+    const otherPopup = { location: { href: '' } } as unknown as Window;
+
+    window.dispatchEvent(
+      new MessageEvent('message', {
+        data: { return_url: returnUrl, state: 'wrong_state' },
+        origin: 'https://clerk.example.com',
+        source: popup,
+      }),
+    );
+    window.dispatchEvent(
+      new MessageEvent('message', {
+        data: { return_url: returnUrl, state },
+        origin: 'https://clerk.example.com',
+        source: otherPopup,
+      }),
+    );
+    expect(navigate).not.toHaveBeenCalled();

As per coding guidelines, “Unit tests are required for all new functionality” and “Verify proper error handling and edge cases.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://accounts.example.com',
source: popup,
}),
);
expect(navigate).not.toHaveBeenCalled();
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://clerk.example.com',
source: popup,
}),
);
expect(navigate).toHaveBeenCalledWith(returnUrl);
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://accounts.example.com',
source: popup,
}),
);
expect(navigate).not.toHaveBeenCalled();
const otherPopup = { location: { href: '' } } as unknown as Window;
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state: 'wrong_state' },
origin: 'https://clerk.example.com',
source: popup,
}),
);
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://clerk.example.com',
source: otherPopup,
}),
);
expect(navigate).not.toHaveBeenCalled();
window.dispatchEvent(
new MessageEvent('message', {
data: { return_url: returnUrl, state },
origin: 'https://clerk.example.com',
source: popup,
}),
);
expect(navigate).toHaveBeenCalledWith(returnUrl);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/clerk-js/src/utils/__tests__/authenticateWithPopup.test.ts` around
lines 73 - 89, Extend the test around _authenticateWithPopup to dispatch
valid-FAPI-origin message events with an incorrect state and an incorrect source
before the matching event. Assert navigate is not called after each rejected
event, then retain the existing matching event and assert navigation occurs with
returnUrl.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant