🦋 Changeset detected
Latest commit: c99aba2
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 21 packages
…omains
Add automatic FAPI proxying detection for Vercel preview deployments across all SDKs. When an app is deployed to a .vercel.app subdomain without explicit proxy/domain configuration, the SDK automatically routes FAPI requests through the app's own domain via /__clerk proxy path.
- Add isVercelPreviewDeploy() helper in @clerk/shared/proxy
- Auto-detect in clerk-js proxyUrl getter for client-side SDK initialization
- Auto-detect in @clerk/backend authenticateContext for server-side auth
- Enable proxy interception in Next.js middleware for /__clerk/* requests on .vercel.app
- Add comprehensive tests for all three layers (shared, backend, clerk-js, nextjs)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
f73bc85 to dbc580e
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.changeset/tiny-badgers-smile.md:
- Line 8: Update the changeset description sentence that currently reads "Add
auto-proxy detection for eligible hosts and generalize the internal helper
naming for future providers." to be specific about which hosts are considered
eligible (e.g., Vercel preview deployments) and to clarify the helper change;
for example, change the description to: "Add auto-proxy detection for Vercel
preview deployments (.vercel.app subdomains) and generalize the internal helper
for future hosting providers." Locate and edit the line containing that
description in the changeset (the sentence beginning "Add auto-proxy detection
for eligible hosts...") and replace it with the clearer, user-facing wording.
- Around line 1-6: The changeset incorrectly marks package bumps as 'patch' but
a new public API (shouldAutoProxy) was added; update the entries so any package
that exports the new function (at least '@clerk/shared', and any packages that
re-export it like '@clerk/backend', '@clerk/clerk-js', '@clerk/nextjs' if
applicable) use 'minor' instead of 'patch' in the
.changeset/tiny-badgers-smile.md file; ensure the header lines for those package
entries read 'minor' to reflect the new public API bump while keeping other
metadata unchanged.
📒 Files selected for processing (1)
.changeset/tiny-badgers-smile.md
---
'@clerk/backend': patch
'@clerk/clerk-js': patch
'@clerk/nextjs': patch
'@clerk/shared': patch
---
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check if shouldAutoProxy is a public export
# Search for shouldAutoProxy exports in the shared package
rg -n "export.*shouldAutoProxy" packages/shared/
Repository: clerk/javascript
Length of output: 152
Update version bumps from patch to minor to reflect the new public API export.
The changeset marks all packages for patch bumps, but the PR introduces a new public API function shouldAutoProxy exported from @clerk/shared. Per semantic versioning standards, new public APIs require minor version bumps, not patch (which is reserved for bug fixes). Update the changeset accordingly.
!snapshot
!snapshot
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/shared/src/proxy.ts`:
- Around line 45-47: The normalizeHostname function can throw when called with a
malformed URL (e.g., VERCEL_PROJECT_PRODUCTION_URL); wrap the URL parsing in a
try-catch inside normalizeHostname (the function shown using new
URL(...).hostname) and return an empty string on error so config resolution
doesn't crash; ensure callers that rely on normalizeHostname (where
VERCEL_PROJECT_PRODUCTION_URL is passed) can handle an empty string result
gracefully.
📒 Files selected for processing (5)
.changeset/tiny-badgers-smile.md
packages/nextjs/src/utils/__tests__/mergeNextClerkPropsWithEnv.test.ts
packages/nextjs/src/utils/mergeNextClerkPropsWithEnv.ts
packages/shared/src/__tests__/proxy.spec.ts
packages/shared/src/proxy.ts
function normalizeHostname(hostnameOrUrl: string): string {
  if (hostnameOrUrl.startsWith('http://') || hostnameOrUrl.startsWith('https://')) {
    return new URL(hostnameOrUrl).hostname;
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify call path and URL constructor throw behavior
rg -n "normalizeHostname|getAutoProxyUrlFromEnvironment|VERCEL_PROJECT_PRODUCTION_URL" \
packages/shared/src/proxy.ts packages/nextjs/src/utils/mergeNextClerkPropsWithEnv.ts
node - <<'NODE'
const samples = ['https://', 'https://?x=1', 'https:///foo', 'https://myapp.vercel.app'];
for (const s of samples) {
  try {
    console.log(`${s} => hostname="${new URL(s).hostname}"`);
  } catch (e) {
    console.log(`${s} => THROWS (${e.name})`);
  }
}
NODE
Repository: clerk/javascript
Length of output: 853
🏁 Script executed:
#!/bin/bash
# Get full function context at line 45-47 and surrounding lines
echo "=== normalizeHostname function context (lines 41-55) ==="
sed -n '41,55p' packages/shared/src/proxy.ts | cat -n
echo -e "\n=== getAutoProxyUrlFromEnvironment call context (lines 70-80) ==="
sed -n '70,80p' packages/shared/src/proxy.ts | cat -n
# Search for tests related to proxy.ts or normalizeHostname
echo -e "\n=== Tests for proxy functions ==="
find . -name "*.test.ts" -o -name "*.spec.ts" | xargs grep -l "normalizeHostname\|getAutoProxyUrlFromEnvironment\|proxy" 2>/dev/null | head -10
Repository: clerk/javascript
Length of output: 1707
🏁 Script executed:
#!/bin/bash
# Check if there are tests covering error cases for these functions
echo "=== Searching for test files related to proxy ==="
fd -e "test.ts" -e "spec.ts" | xargs grep -l "normalizeHostname\|getAutoProxyUrlFromEnvironment" 2>/dev/null
# Also check the test directory structure
echo -e "\n=== Checking __tests__ and test directory structure ==="
find packages/shared -type d \( -name "__tests__" -o -name "tests" -o -name "test" \) | head -5
Repository: clerk/javascript
Length of output: 410
🏁 Script executed:
#!/bin/bash
# Read the existing proxy test file to see current coverage
echo "=== Existing proxy tests ==="
cat packages/shared/src/__tests__/proxy.spec.ts
Repository: clerk/javascript
Length of output: 5211
Handle malformed VERCEL_PROJECT_PRODUCTION_URL in hostname normalization to prevent runtime crashes.
At line 76, normalizeHostname() is called with an environment variable without error handling. If VERCEL_PROJECT_PRODUCTION_URL is malformed (e.g., https:// or https://?x=1), new URL() throws a TypeError, crashing config resolution instead of gracefully returning an empty string. Add try-catch to safely handle this:
Proposed fix
function normalizeHostname(hostnameOrUrl: string): string {
if (hostnameOrUrl.startsWith('http://') || hostnameOrUrl.startsWith('https://')) {
- return new URL(hostnameOrUrl).hostname;
+ try {
+ return new URL(hostnameOrUrl).hostname;
+ } catch {
+ return '';
+ }
}
return hostnameOrUrl.split('/')[0] || '';
}Also applies to: 76-77
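Review bot: The `startsWith('http://') || startsWith('https://')` guard at the top of this hunk is case-sensitive, so a value such as `HTTPS://myapp.vercel.app` skips the new try/catch and reaches the unchanged `return hostnameOrUrl.split('/')[0] || '';`, which returns `HTTPS:` rather than a hostname. That fallthrough also keeps any port and the original letter case, whereas `new URL(...).hostname` drops the port and lowercases, so the two branches normalize differently. Suggest routing every input through one guarded `new URL()` call (prefixing a scheme when none is present) so both paths return the same normalized form, and adding a test that the caller treats the `''` result as "no auto-proxy".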
!snapshot
!snapshot
!snapshot
fetch() auto-decompresses response bodies but may leave Content-Encoding and Content-Length headers intact, causing ERR_CONTENT_DECODING_FAILED in the browser.
Fix with two layers:
1. Request `Accept-Encoding: identity` upstream to avoid a double compression pass (FAPI → fetch decompresses → edge re-compresses)
2. Defensively strip Content-Encoding and Content-Length from responses since servers may ignore the identity hint
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
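The two layers this commit message describes, as an added example that is not code from the PR: the helper names are hypothetical, the sample response is constructed, and it assumes a runtime with the Fetch API globals `Headers` and `Response` (such as Node 18+).

```javascript
// Added example, not code from the PR. Helper names are hypothetical.
// These headers describe the wire encoding of the upstream body. Once fetch()
// has decoded the body they no longer describe the bytes being forwarded.
const STALE_AFTER_DECODE = ['content-encoding', 'content-length'];

// Layer 1: ask the upstream for an uncompressed body.
function buildUpstreamHeaders(incomingHeaders) {
  const headers = new Headers(incomingHeaders);
  headers.set('accept-encoding', 'identity');
  return headers;
}

// Layer 2: the upstream may ignore the hint, so drop the stale headers anyway
// and let the serving layer recompute length and encoding for the client.
function sanitizeProxiedResponse(upstream) {
  const headers = new Headers(upstream.headers);
  for (const name of STALE_AFTER_DECODE) headers.delete(name);
  return new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers,
  });
}

// Constructed sample: what a proxy holds after fetch() decoded a gzip reply.
// The body is plain JSON, but the headers still describe the compressed form.
function constructedUpstreamResponse() {
  return new Response('{"ok":true}', {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'content-encoding': 'gzip',
      'content-length': '31',
    },
  });
}

function demo() {
  const out = sanitizeProxiedResponse(constructedUpstreamResponse());
  const upstream = buildUpstreamHeaders({ 'Accept-Encoding': 'gzip, br' });
  return {
    status: out.status,
    contentType: out.headers.get('content-type'),
    contentEncoding: out.headers.get('content-encoding'),
    contentLength: out.headers.get('content-length'),
    upstreamAcceptEncoding: upstream.get('accept-encoding'),
  };
}

console.log(demo());
```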
!snapshot
Hey @brkalow - the snapshot version command generated the following package versions:
Tip: Use the snippet copy button below to quickly install the required packages.
npm i @clerk/agent-toolkit@0.3.5-snapshot.v20260320211535 --save-exact
npm i @clerk/astro@3.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/backend@3.2.1-snapshot.v20260320211535 --save-exact
npm i @clerk/chrome-extension@3.1.3-snapshot.v20260320211535 --save-exact
npm i @clerk/clerk-js@6.3.1-snapshot.v20260320211535 --save-exact
npm i @clerk/dev-cli@0.1.1-snapshot.v20260320211535 --save-exact
npm i @clerk/expo@3.1.3-snapshot.v20260320211535 --save-exact
npm i @clerk/expo-passkeys@1.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/express@2.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/fastify@3.1.3-snapshot.v20260320211535 --save-exact
npm i @clerk/hono@0.1.3-snapshot.v20260320211535 --save-exact
npm i @clerk/localizations@4.2.2-snapshot.v20260320211535 --save-exact
npm i @clerk/msw@0.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/nextjs@7.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/nuxt@2.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/react@6.1.1-snapshot.v20260320211535 --save-exact
npm i @clerk/react-router@3.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/shared@4.3.1-snapshot.v20260320211535 --save-exact
npm i @clerk/tanstack-react-start@1.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/testing@2.0.5-snapshot.v20260320211535 --save-exact
npm i @clerk/ui@1.2.2-snapshot.v20260320211535 --save-exact
npm i @clerk/upgrade@2.0.3-snapshot.v20260320211535 --save-exact
npm i @clerk/vue@2.0.5-snapshot.v20260320211535 --save-exact
Description
This PR implements automatic FAPI proxying for Vercel preview deployments. When an app is deployed to a `.vercel.app` subdomain without explicit proxy or domain configuration, the SDK automatically routes FAPI requests through the app's own domain via the `/__clerk` proxy path.
The auto-detection is centralized across all SDKs:
- `@clerk/shared/proxy`: New `isVercelPreviewDeploy()` helper detects `.vercel.app` hostnames
- `@clerk/clerk-js`: Auto-detect in `proxyUrl` getter when `window.location.hostname` is `.vercel.app`
- `@clerk/backend`: Auto-detect in `authenticateContext` constructor when request hostname is `.vercel.app`
- `@clerk/nextjs`: Auto-enable proxy interception for `/__clerk/*` requests on `.vercel.app` hostnames
Guard conditions prevent auto-detection when explicit configuration is provided: `proxyUrl`, `domain`, or environment variables `NEXT_PUBLIC_CLERK_PROXY_URL` / `NEXT_PUBLIC_CLERK_DOMAIN`.
Test Results
- `@clerk/shared`: 981/981 tests passed
- `@clerk/backend`: 1114/1114 tests passed
- `@clerk/clerk-js`: 624/624 tests passed
- `@clerk/nextjs`: 362 tests passed (49 pre-existing failures unrelated to this change)
Build verification: All packages build cleanly with no type errors.
Checklist
- `pnpm test` runs as expected
- `pnpm build` runs as expected
Type of change
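An added example of the host check and guard conditions the description outlines; it is not the SDK's code, and the function names, option names and the full-URL return shape are hypothetical. It goes slightly beyond the description by matching `.vercel.app` on a label boundary and by returning an empty result for unparsable input instead of throwing.

```javascript
// Added example, not the SDK's implementation. All names are hypothetical.
const AUTO_PROXY_SUFFIX = 'vercel.app';
const AUTO_PROXY_PATH = '/__clerk';

// Reduce a hostname, host:port or URL to a lowercase hostname.
// Returns '' for anything that does not parse as an http(s) origin.
function safeHostname(input) {
  if (typeof input !== 'string' || input.trim() === '') return '';
  const value = input.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  try {
    const url = new URL(hasScheme ? value : `https://${value}`);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return '';
    return url.hostname.replace(/\.$/, ''); // drop a trailing root dot
  } catch {
    return ''; // malformed values such as 'https://' land here
  }
}

// True only for a real subdomain of vercel.app: the suffix must start at a
// label boundary, and the bare apex does not count.
function isVercelAppHost(input) {
  const host = safeHostname(input);
  return (
    host.endsWith(`.${AUTO_PROXY_SUFFIX}`) &&
    host.length > AUTO_PROXY_SUFFIX.length + 1
  );
}

// Guard conditions: explicit proxyUrl or domain always wins over detection.
// Assumption: the auto-detected value is expressed as a URL on the app's host.
function resolveAutoProxyUrl({ hostname, proxyUrl, domain } = {}) {
  if (proxyUrl || domain) return '';
  if (!isVercelAppHost(hostname)) return '';
  return `https://${safeHostname(hostname)}${AUTO_PROXY_PATH}`;
}

// Constructed inputs covering the accept, reject and guard paths.
const constructedCases = [
  { hostname: 'myapp-git-feature.vercel.app' },
  { hostname: 'HTTPS://MyApp.Vercel.App:443/x' },
  { hostname: 'evilvercel.app' },
  { hostname: 'myapp.vercel.app.attacker.example' },
  { hostname: 'https://' },
  { hostname: 'myapp.vercel.app', proxyUrl: 'https://example.com/proxy' },
];
for (const c of constructedCases) {
  console.log(JSON.stringify(c), '=>', JSON.stringify(resolveAutoProxyUrl(c)));
}
```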