feat(backend): For production apps, let all errors end up in handshake

If a handshake loop occurs, it's going to be stopped by the infinite loop prevention mechanism and the request will terminate with a signed out state

Author: nikosdouvlis

packages/backend/src/constants.ts

@@ -19,7 +19,7 @@ const Cookies = {
   ClientUat: '__client_uat',
   Handshake: '__clerk_handshake',
   DevBrowser: '__clerk_db_jwt',
-  InfiniteRedirectionLoopCookie: '__clerk_redirection_loop',
+  RedirectCount: '__clerk_redirect_count',
 } as const;
 
 const QueryParameters = {

packages/backend/src/tokens/authenticateContext.ts

@@ -107,7 +107,7 @@ class AuthenticateContext {
     // Using getCookie since we don't suffix the handshake token cookie
     this.handshakeToken =
       this.getQueryParam(constants.QueryParameters.Handshake) || this.getCookie(constants.Cookies.Handshake);
-    this.handshakeRedirectLoopCounter = Number(this.getCookie(constants.Cookies.InfiniteRedirectionLoopCookie)) || 0;
+    this.handshakeRedirectLoopCounter = Number(this.getCookie(constants.Cookies.RedirectCount)) || 0;
   }
 
   private stripAuthorizationHeader(authValue: string | undefined | null): string | undefined {

packages/backend/src/tokens/request.ts

@@ -179,6 +179,8 @@ ${error.getFullMessage()}`,
       // proceed with triggering handshake.
       const isRedirectLoop = setHandshakeInfiniteRedirectionLoopHeaders(handshakeHeaders);
       if (isRedirectLoop) {
+        const msg = `Clerk: Refreshing the session token resulted in an infinite redirect loop. This usually means that your Clerk instance keys do not match - make sure to copy the correct publishable and secret keys from the Clerk dashboard.`;
+        console.log(msg);
         return signedOut(authenticateContext, reason, message);
       }
       return handshake(authenticateContext, reason, message, handshakeHeaders);
@@ -210,7 +212,7 @@ ${error.getFullMessage()}`,
     }
 
     const newCounterValue = authenticateContext.handshakeRedirectLoopCounter + 1;
-    const cookieName = constants.Cookies.InfiniteRedirectionLoopCookie;
+    const cookieName = constants.Cookies.RedirectCount;
     headers.append('Set-Cookie', `${cookieName}=${newCounterValue}; SameSite=Lax; HttpOnly; Max-Age=3`);
     return false;
   }
@@ -229,30 +231,6 @@ ${error.getFullMessage()}`,
     throw new Error(`Clerk: Handshake token verification failed: ${error.getFullMessage()}.`);
   }
 
-  function handleHandshakeTokenVerificationErrorInProduction(error: TokenVerificationError) {
-    // In production, the handshake token is being transferred as a cookie, so there is a possibility of collision
-    // with a handshake token of another app running on the same etld+1 domain.
-    // For example, if one app is running on sub1.clerk.com and another on sub2.clerk.com, the handshake token
-    // cookie for both apps will be set on etld+1 (clerk.com) so there's a possibility that one app will accidentally
-    // use the handshake token of a different app during the handshake flow.
-    // In this scenario, verification will fail with TokenInvalidSignature. In contrast to the development case,
-    // we need to allow the flow to continue so the app eventually retries another handshake with the correct token.
-    // We need to make sure, however, that we don't allow the flow to continue indefinitely, so we throw an error after X
-    // retries to avoid an infinite loop. An infinite loop can happen if the customer switched Clerk keys for their prod app.
-    if (
-      error.reason === TokenVerificationErrorReason.TokenInvalidSignature ||
-      error.reason === TokenVerificationErrorReason.InvalidSecretKey ||
-      error.reason === TokenVerificationErrorReason.JWKKidMismatch ||
-      error.reason === TokenVerificationErrorReason.JWKFailedToResolve
-    ) {
-      // Let the request go through and eventually retry another handshake,
-      // only if needed - a handshake will be thrown if another rule matches
-      return;
-    }
-    const msg = `Clerk: Handshake token verification failed with "${error.getFullMessage()}"`;
-    return signedOut(authenticateContext, AuthErrorReason.UnexpectedError, msg);
-  }
-
   async function authenticateRequestWithTokenInCookie() {
     const hasActiveClient = authenticateContext.clientUat;
     const hasSessionToken = !!authenticateContext.sessionTokenInCookie;
@@ -270,19 +248,22 @@ ${error.getFullMessage()}`,
       try {
         return await resolveHandshake();
       } catch (error) {
+        // In production, the handshake token is being transferred as a cookie, so there is a possibility of collision
+        // with a handshake token of another app running on the same etld+1 domain.
+        // For example, if one app is running on sub1.clerk.com and another on sub2.clerk.com, the handshake token
+        // cookie for both apps will be set on etld+1 (clerk.com) so there's a possibility that one app will accidentally
+        // use the handshake token of a different app during the handshake flow.
+        // In this scenario, verification will fail with TokenInvalidSignature. In contrast to the development case,
+        // we need to allow the flow to continue so the app eventually retries another handshake with the correct token.
+        // We need to make sure, however, that we don't allow the flow to continue indefinitely, so we throw an error after X
+        // retries to avoid an infinite loop. An infinite loop can happen if the customer switched Clerk keys for their prod app.
+
+        // Check the handleHandshakeTokenVerificationErrorInDevelopment function for the development case.
         if (error instanceof TokenVerificationError && authenticateContext.instanceType === 'development') {
           handleHandshakeTokenVerificationErrorInDevelopment(error);
         }
-
-        if (error instanceof TokenVerificationError && authenticateContext.instanceType === 'production') {
-          const terminateEarly = handleHandshakeTokenVerificationErrorInProduction(error);
-          if (terminateEarly) {
-            return terminateEarly;
-          }
-        }
       }
     }
-
     /**
      * Otherwise, check for "known unknown" auth states that we can resolve with a handshake.
      */

packages/fastify/src/__tests__/__snapshots__/constants.test.ts.snap

@@ -8,7 +8,7 @@ exports[`constants from environment variables 1`] = `
     "ClientUat": "__client_uat",
     "DevBrowser": "__clerk_db_jwt",
     "Handshake": "__clerk_handshake",
-    "InfiniteRedirectionLoopCookie": "__clerk_redirection_loop",
+    "RedirectCount": "__clerk_redirect_count",
     "Session": "__session",
   },
   "Headers": {