fix(shared): Handle missing sessionClaims and orgRole in resolveAuthState #8118

Draft
jacekradko wants to merge 1 commit into main from jacek/harden-resolve-auth-state
Conversation

@jacekradko
Member

Summary

  • Hardens resolveAuthState to handle two edge cases that previously returned undefined, causing "Invalid state" errors
  • When sessionId/userId exist but sessionClaims is missing (e.g. during client hydration before a token is fetched), returns a loading state (isLoaded: false) instead of throwing
  • When orgId exists but orgRole is missing (e.g. membership not yet resolved), falls through to signed-in-without-org state instead of throwing
  • Adds test coverage for both scenarios

Context

This was exposed by #8101 when touch responses came back without last_active_token, causing sessionClaims to be undefined. While #8101 has been reverted, the underlying gap in resolveAuthState remains — any scenario where lastActiveToken is null (network errors, race conditions, backend changes) can trigger the same crash.

Test plan

  • npx vitest run packages/react/src/hooks/__tests__/useAuth.test.tsx — 30/30 passing
  • npx vitest run packages/shared/src/__tests__/authorization.spec.ts — 4/4 passing
  • npx turbo run build --filter=@clerk/shared --filter=@clerk/react --filter=@clerk/nextjs — builds clean

…tate

resolveAuthState had gaps in its condition branches that caused it to
return undefined, triggering "Invalid state" errors. This was exposed
by #8101 when touch responses came back without last_active_token.

Two fixes:
- When sessionId/userId exist but sessionClaims is missing (e.g. during
  client hydration before token fetch), return loading state instead of
  throwing
- When orgId exists but orgRole is missing, fall through to signed-in
  without org state instead of throwing
@vercel

vercel bot commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Mar 19, 2026 1:40am

@changeset-bot

changeset-bot bot commented Mar 19, 2026

⚠️ No Changeset found

Latest commit: b79eb99

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@brkalow
Member

brkalow commented Mar 19, 2026

@jacekradko I don't think this is a change we want to make, the error we encountered was good and revealed the underlying issue. WDYT?
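
Added example, not part of the thread and not Clerk's source: a simplified model of the two edge cases from the PR summary, with a strict resolver that leaves them unmatched next to a hardened one that maps them to defined states. The function names, the `AuthState` shape (including `isSignedIn`) and the sample inputs are assumptions made for illustration.

```typescript
// Simplified model of the branches discussed in this thread; not Clerk's source.
type Maybe<T> = T | null | undefined;
interface AuthInput {
  sessionId: Maybe<string>;
  userId: Maybe<string>;
  sessionClaims: Maybe<Record<string, unknown>>;
  orgId: Maybe<string>;
  orgRole: Maybe<string>;
}
type AuthState =
  | { isLoaded: false }
  | { isLoaded: true; isSignedIn: false }
  | { isLoaded: true; isSignedIn: true; orgId: string | null; orgRole: string | null };

// Strict variant: any input combination that matches no branch yields undefined,
// which the caller is assumed to surface as an "Invalid state" error.
function resolveStrict(a: AuthInput): AuthState | undefined {
  if (a.sessionId === undefined && a.userId === undefined) return { isLoaded: false };
  if (a.sessionId === null && a.userId === null) return { isLoaded: true, isSignedIn: false };
  if (a.sessionId && a.userId && a.sessionClaims) {
    if (a.orgId && a.orgRole) {
      return { isLoaded: true, isSignedIn: true, orgId: a.orgId, orgRole: a.orgRole };
    }
    if (!a.orgId) return { isLoaded: true, isSignedIn: true, orgId: null, orgRole: null };
  }
  return undefined;
}

// Hardened variant: the two gaps named in the PR summary map to defined states.
function resolveHardened(a: AuthInput): AuthState {
  const strict = resolveStrict(a);
  if (strict) return strict;
  if (a.sessionId && a.userId) {
    // No claims yet: report "still loading" rather than a signed-in state.
    if (!a.sessionClaims) return { isLoaded: false };
    // orgId without orgRole: signed in, but the org context is dropped, so no
    // role is ever inferred for an unresolved membership.
    return { isLoaded: true, isSignedIn: true, orgId: null, orgRole: null };
  }
  throw new Error('Invalid state'); // other mismatches still fail loudly
}

// Constructed sample inputs for the two edge cases.
const HYDRATING: AuthInput = {
  sessionId: 'sess_1', userId: 'user_1', sessionClaims: undefined, orgId: null, orgRole: null,
};
const ORG_NO_ROLE: AuthInput = {
  sessionId: 'sess_1', userId: 'user_1', sessionClaims: { sub: 'user_1' }, orgId: 'org_1', orgRole: undefined,
};
```

In this model the strict resolver reports a missing token at the point of resolution, while the hardened one reports it as a loading state that never grants a signed-in or org-scoped result.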
