Skip to content

fix(express): forward all auth options to authenticateRequest#8370

Open
jacekradko wants to merge 7 commits intomainfrom
jacek/express-forward-auth-options
Open

fix(express): forward all auth options to authenticateRequest#8370
jacekradko wants to merge 7 commits intomainfrom
jacek/express-forward-auth-options

Conversation

@jacekradko
Copy link
Copy Markdown
Member

@jacekradko jacekradko commented Apr 21, 2026
edited
Loading

Follow-up to #8287. The middleware was forwarding only a hand-picked subset of options to authenticateRequest, so things like organizationSyncOptions, headerType, and skipJwksCache were typed but silently dropped. Now everything spreads through, minus the middleware-only keys.

apiUrl and apiVersion needed separate handling because @clerk/backend pins them at client construction time and the default Express client is built from env only. When they're set on the middleware and no custom clerkClient is supplied, we now build a per-middleware ClerkClient with those values.

@jacekradko
fix(express): forward all auth options to authenticateRequest
ab71710 
Spread the full options object through to clerkClient.authenticateRequest()
instead of re-destructuring a hand-picked subset. This closes the class of
bug where fields accepted by the ClerkMiddlewareOptions type (e.g.
organizationSyncOptions, skipJwksCache, headerType) were silently ignored
at runtime — same shape as the clockSkewInMs issue fixed in #8287.

Middleware-only keys (clerkClient, debug, frontendApiProxy) are peeled off
so they don't leak into the backend call.
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 21, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
clerk-js-sandbox Skipped Skipped May 7, 2026 2:41am

Request Review

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Apr 21, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 14375e0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@clerk/express Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@jacekradko
fix(express): build per-middleware ClerkClient when apiUrl/apiVersion…
ce620bb 
… are set

The backend's createAuthenticateRequest factory pins apiUrl/apiVersion at
client construction time and overrides any runtime values. The Express
default ClerkClient singleton is built from env only, so passing apiUrl
or apiVersion to clerkMiddleware() was silently ignored on the default
path even after option-forwarding was generalized.

When the caller hasn't supplied a custom clerkClient but did pass apiUrl
or apiVersion, build a per-middleware ClerkClient with those values
instead of using the singleton.
@jacekradko jacekradko marked this pull request as ready for review May 7, 2026 02:17
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 7, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 70907f42-92bd-490b-940e-108b920f5911

📥 Commits

Reviewing files that changed from the base of the PR and between e64d92f and 14375e0.

📒 Files selected for processing (1)
  • packages/express/src/__tests__/clerkMiddleware.test.ts
📝 Walkthrough

Walkthrough

The PR updates @clerk/express middleware to forward the full set of AuthenticateRequestOptions and VerifyTokenOptions into clerkClient.authenticateRequest rather than a limited subset. It refactors authenticateRequest to strip middleware-only keys, normalize resolved auth/proxy values, and spread remaining options into the backend call. It adds resolveDefaultClerkClient to construct a per-middleware ClerkClient when apiUrl or apiVersion are supplied and no custom clerkClient is provided. Tests were expanded to assert broader option forwarding and per-middleware client construction and routing.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The pull request title clearly and specifically describes the main change: forwarding all authentication options to authenticateRequest, which is the core fix addressed by this PR.
Description check ✅ Passed The description is directly related to the changeset, explaining both the main fix (forwarding all auth options) and the secondary improvement (per-middleware ClerkClient construction for apiUrl/apiVersion).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 7, 2026
edited
Loading

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8370

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8370

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8370

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8370

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8370

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8370

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8370

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8370

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8370

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8370

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8370

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8370

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8370

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8370

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8370

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8370

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8370

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8370

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8370

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8370

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8370

commit: 14375e0

@jacekradko
test(express): add end-to-end and callback-form coverage for apiUrl o…
e64d92f 
…verride

Adds two regression tests:

- The per-middleware ClerkClient actually routes outbound API traffic to
  the apiUrl override, not just that createClerkClient was called with it.
  Spies on global fetch and asserts the URL hits the override host.

- The clerkMiddleware callback form (options as a function) also builds
  a per-middleware ClerkClient when the callback returns apiUrl.
github-advanced-security[bot]
github-advanced-security AI found potential problems May 7, 2026
View reviewed changes
Comment thread packages/express/src/__tests__/clerkMiddleware.test.ts Fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

express

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacekradko @github-advanced-security