feat(clerk-js): Add debugLogger for session token swap detection #7943

Closed
jacekradko wants to merge 123 commits into main from release/core-2

@jacekradko jacekradko commented Feb 26, 2026

Description

Add debug logging to detect server-side token swaps in multi-session scenarios (e.g., regular session + impersonation session with actor token). The server-side bug is that BAPI's refresh endpoint could return a token for a different session than the one requested — we need client-side visibility to detect this.

Changes:

  • Session.ts: Log when returned token's sid claim doesn't match requested session ID (detects token swaps)
  • AuthCookieService.ts: Log multi-session cookie updates and token fetch errors (4xx + degraded status)
  • clerk.ts: Log session state before unauthenticated flow to see all active sessions when sign-out cascade starts

Checklist

  • pnpm build passes
  • pnpm test runs as expected (debug logging only)
  • (If applicable) JSDoc comments have been added or updated
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 📖 Refactoring / dependency upgrade / documentation

Summary by CodeRabbit

  • New Features

    • Added Solana wallet support for Web3 sign-in and sign-up flows.
    • Introduced MFA setup as an interactive session task during authentication.
    • Added organization creation defaults feature for streamlined onboarding.
    • Enhanced billing interface to display prorated and account credits separately.
  • Bug Fixes

    • Fixed organization invitation flow to prevent "not belonging to organization" error.
    • Improved cookie handling with SameSite=None support for cross-origin scenarios.
  • Localization

    • Added comprehensive localization support for multiple languages including Solana and MFA flows.

nikosdouvlis and others added 30 commits December 9, 2025 12:58
Co-authored-by: Robert Soriano <sorianorobertc@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…ure support (#7293)

Signed-off-by: Kenton Duprey <kenton@clerk.dev>
Co-authored-by: Dylan Staley <88163+dstaley@users.noreply.github.com>
Co-authored-by: chris-kreidl <chris-kreidl@users.noreply.github.com>
…a Solana enabled wallet via `<UserProfile />` (#7435)

Signed-off-by: Kenton Duprey <kenton@clerk.dev>
Co-authored-by: Andy Graulund <andreas@graulund.com>
…n tests (#7471)

Signed-off-by: Kenton Duprey <kenton@clerk.dev>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: valentinogagliardi <valentinogagliardi@users.noreply.github.com>
…with verification status (#7489)

Signed-off-by: Kenton Duprey <kenton@clerk.dev>
wobsoriano and others added 2 commits February 26, 2026 19:18
…ection

Add debug logging to detect server-side token swaps in multi-session scenarios:
- Session.ts: Check if returned token's sid matches requested session (token swap detection)
- AuthCookieService.ts: Log multi-session cookie updates to track active session
- AuthCookieService.ts: Log token fetch errors (4xx and degraded status)
- clerk.ts: Log session state before unauthenticated flow to see active sessions
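
The `sid` comparison described in the PR description and commit message above, as an added example that is not code from this pull request or from clerk-js. Every name in it (`checkReturnedToken`, `SwapCheck`, `makeSampleJwt`) is hypothetical, the tokens are constructed samples, and the actor claim name `act` is an assumption.

```typescript
// Added example, not clerk-js code. All names here are hypothetical.
// Decoding is diagnostic only: the signature is NOT verified, so the result
// must never feed an authorization decision, only a debug log.

type SwapCheck =
  | { status: 'match'; sid: string }
  | { status: 'swap'; requested: string; returned: string; actorPresent: boolean }
  | { status: 'unverifiable'; reason: string };

type LogFn = (message: string, fields: Record<string, unknown>) => void;

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// base64url -> bytes, written out so the block needs neither atob nor Buffer.
function base64UrlToBytes(input: string): number[] {
  const bytes: number[] = [];
  const text = input.replace(/=+$/, '');
  let buffer = 0;
  let bits = 0;
  for (let i = 0; i < text.length; i++) {
    const value = B64URL.indexOf(text.charAt(i));
    if (value === -1) throw new Error('invalid base64url character');
    buffer = ((buffer << 6) | value) & 0xffff;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
    }
  }
  return bytes;
}

function decodeJwtPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split('.');
  const segment = parts.length === 3 ? parts[1] : undefined;
  if (segment === undefined) throw new Error('not a three-part compact JWT');
  // Percent-encode the bytes so decodeURIComponent performs the UTF-8 decoding.
  const encoded = base64UrlToBytes(segment)
    .map(b => '%' + (b < 16 ? '0' : '') + b.toString(16))
    .join('');
  const claims: unknown = JSON.parse(decodeURIComponent(encoded));
  if (typeof claims !== 'object' || claims === null || Array.isArray(claims)) {
    throw new Error('payload is not a JSON object');
  }
  return claims as Record<string, unknown>;
}

// Compare the sid claim of the token the refresh call returned with the
// session ID that was requested. A token that cannot be decoded is reported
// as "unverifiable" rather than silently treated as a match.
function checkReturnedToken(requestedSessionId: string, rawJwt: string, log?: LogFn): SwapCheck {
  let claims: Record<string, unknown>;
  try {
    claims = decodeJwtPayload(rawJwt);
  } catch (err) {
    return { status: 'unverifiable', reason: err instanceof Error ? err.message : 'decode failed' };
  }
  const sid = claims['sid'];
  if (typeof sid !== 'string' || sid === '') {
    return { status: 'unverifiable', reason: 'token has no sid claim' };
  }
  if (sid === requestedSessionId) return { status: 'match', sid };
  // Assumption: an impersonation session token carries an actor claim named "act".
  const actorPresent = claims['act'] !== undefined;
  // Log identifiers only. The raw token is a bearer credential and stays out of the log.
  if (log) log('session token swap detected', { requested: requestedSessionId, returned: sid, actorPresent });
  return { status: 'swap', requested: requestedSessionId, returned: sid, actorPresent };
}

// Constructed sample tokens: placeholder signature, ASCII-only claims.
function makeSampleJwt(claims: Record<string, unknown>): string {
  const encode = (value: unknown): string => {
    const json = JSON.stringify(value);
    let out = '';
    let buffer = 0;
    let bits = 0;
    for (let i = 0; i < json.length; i++) {
      buffer = ((buffer << 8) | json.charCodeAt(i)) & 0xffff;
      bits += 8;
      while (bits >= 6) {
        bits -= 6;
        out += B64URL.charAt((buffer >> bits) & 0x3f);
      }
    }
    if (bits > 0) out += B64URL.charAt((buffer << (6 - bits)) & 0x3f);
    return out;
  };
  return [encode({ alg: 'RS256', typ: 'JWT' }), encode(claims), 'constructed-signature'].join('.');
}

// Regular session requested; second response belongs to the impersonation session.
function runConstructedSamples(): SwapCheck[] {
  const requested = 'sess_regular_constructed';
  const swappedClaims = { sid: 'sess_impersonation_constructed', sub: 'user_a', act: { sub: 'user_admin' } };
  return [
    checkReturnedToken(requested, makeSampleJwt({ sid: requested, sub: 'user_a' })),
    checkReturnedToken(requested, makeSampleJwt(swappedClaims)),
    checkReturnedToken(requested, 'opaque-value'),
  ];
}
```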

changeset-bot bot commented Feb 26, 2026

🦋 Changeset detected

Latest commit: ff308af

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@clerk/backend Minor
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/remix Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch


vercel bot commented Feb 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Building Building Preview, Comment Feb 26, 2026 7:37pm


coderabbitai bot commented Feb 26, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 64af60c and ff308af.

⛔ Files ignored due to path filters (1)
  • packages/react-router/src/__tests__/__snapshots__/exports.test.ts.snap is excluded by !**/*.snap
📒 Files selected for processing (299)
  • .changeset/config.json
  • .changeset/shiny-apples-travel.md
  • .github/workflows/ci.yml
  • .github/workflows/nightly-checks.yml
  • .github/workflows/preview.retheme.yml
  • .github/workflows/release-canary.yml
  • .github/workflows/release.yml
  • .typedoc/custom-plugin.mjs
  • integration/README.md
  • integration/presets/envs.ts
  • integration/presets/longRunningApps.ts
  • integration/templates/astro-node/src/pages/billing/billing-store.astro
  • integration/templates/astro-node/src/pages/index.astro
  • integration/templates/astro-node/src/pages/prerendered.astro
  • integration/templates/react-vite/src/buttons/index.tsx
  • integration/templates/react-vite/src/main.tsx
  • integration/templates/react-vite/src/sign-in-popup/index.tsx
  • integration/templates/tanstack-react-start/package.json
  • integration/templates/tanstack-react-start/src/routeTree.gen.ts
  • integration/templates/tanstack-react-start/src/routes/sign-in.$.tsx
  • integration/templates/tanstack-react-start/vite.config.ts
  • integration/testUtils/usersService.ts
  • integration/tests/astro/billingStore.test.ts
  • integration/tests/astro/components.test.ts
  • integration/tests/elements/otp.test.ts
  • integration/tests/machine-auth/api-keys.test.ts
  • integration/tests/machine-auth/oauth.test.ts
  • integration/tests/middleware-placement.test.ts
  • integration/tests/next-quickstart-keyless.test.ts
  • integration/tests/oauth-flows.test.ts
  • integration/tests/session-tasks-setup-mfa.test.ts
  • integration/tests/session-tasks-sign-in-reset-password.test.ts
  • packages/agent-toolkit/CHANGELOG.md
  • packages/agent-toolkit/package.json
  • packages/astro/CHANGELOG.md
  • packages/astro/package.json
  • packages/astro/src/astro-components/control/Protect.astro
  • packages/astro/src/astro-components/control/ProtectCSR.astro
  • packages/astro/src/astro-components/control/SignedIn.astro
  • packages/astro/src/astro-components/control/SignedOut.astro
  • packages/astro/src/integration/create-integration.ts
  • packages/astro/src/integration/snippets.ts
  • packages/astro/src/stores/external.ts
  • packages/backend/CHANGELOG.md
  • packages/backend/package.json
  • packages/backend/src/__tests__/exports.test.ts
  • packages/backend/src/api/__tests__/APIKeysApi.test.ts
  • packages/backend/src/api/__tests__/AgentTaskApi.test.ts
  • packages/backend/src/api/__tests__/M2MTokenApi.test.ts
  • packages/backend/src/api/__tests__/factory.test.ts
  • packages/backend/src/api/endpoints/APIKeysApi.ts
  • packages/backend/src/api/endpoints/AgentTaskApi.ts
  • packages/backend/src/api/endpoints/InvitationApi.ts
  • packages/backend/src/api/endpoints/JwtTemplatesApi.ts
  • packages/backend/src/api/endpoints/M2MTokenApi.ts
  • packages/backend/src/api/endpoints/UserApi.ts
  • packages/backend/src/api/endpoints/WaitlistEntryApi.ts
  • packages/backend/src/api/endpoints/index.ts
  • packages/backend/src/api/factory.ts
  • packages/backend/src/api/resources/APIKey.ts
  • packages/backend/src/api/resources/AgentTask.ts
  • packages/backend/src/api/resources/Deserializer.ts
  • packages/backend/src/api/resources/Enums.ts
  • packages/backend/src/api/resources/ExternalAccount.ts
  • packages/backend/src/api/resources/JSON.ts
  • packages/backend/src/api/resources/OauthAccessToken.ts
  • packages/backend/src/api/resources/WaitlistEntry.ts
  • packages/backend/src/api/resources/index.ts
  • packages/backend/src/constants.ts
  • packages/backend/src/index.ts
  • packages/backend/src/internal.ts
  • packages/backend/src/tokens/__tests__/clerkRequest.test.ts
  • packages/backend/src/tokens/__tests__/handshake.test.ts
  • packages/backend/src/tokens/__tests__/request.test.ts
  • packages/backend/src/tokens/clerkRequest.ts
  • packages/backend/src/tokens/handshake.ts
  • packages/backend/src/tokens/request.ts
  • packages/backend/tsup.config.ts
  • packages/chrome-extension/CHANGELOG.md
  • packages/chrome-extension/package.json
  • packages/clerk-js/CHANGELOG.md
  • packages/clerk-js/bundle-check.mjs
  • packages/clerk-js/bundlewatch.config.json
  • packages/clerk-js/package.json
  • packages/clerk-js/rspack.config.js
  • packages/clerk-js/sandbox/app.ts
  • packages/clerk-js/src/core/__tests__/clerk.test.ts
  • packages/clerk-js/src/core/auth/AuthCookieService.ts
  • packages/clerk-js/src/core/auth/__tests__/getCookieDomain.test.ts
  • packages/clerk-js/src/core/auth/cookies/__tests__/clientUat.test.ts
  • packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
  • packages/clerk-js/src/core/auth/cookies/clientUat.ts
  • packages/clerk-js/src/core/auth/cookies/devBrowser.ts
  • packages/clerk-js/src/core/auth/cookies/requireSameSiteNone.ts
  • packages/clerk-js/src/core/auth/cookies/session.ts
  • packages/clerk-js/src/core/auth/getCookieDomain.ts
  • packages/clerk-js/src/core/auth/safeLock.ts
  • packages/clerk-js/src/core/clerk.ts
  • packages/clerk-js/src/core/constants.ts
  • packages/clerk-js/src/core/modules/debug/transports/console.ts
  • packages/clerk-js/src/core/resources/BillingSubscription.ts
  • packages/clerk-js/src/core/resources/Organization.ts
  • packages/clerk-js/src/core/resources/OrganizationCreationDefaults.ts
  • packages/clerk-js/src/core/resources/OrganizationSettings.ts
  • packages/clerk-js/src/core/resources/PublicUserData.ts
  • packages/clerk-js/src/core/resources/Session.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/core/resources/SignUp.ts
  • packages/clerk-js/src/core/resources/Token.ts
  • packages/clerk-js/src/core/resources/User.ts
  • packages/clerk-js/src/core/resources/UserSettings.ts
  • packages/clerk-js/src/core/resources/__tests__/ExternalAccount.test.ts
  • packages/clerk-js/src/core/resources/__tests__/PublicUserData.test.ts
  • packages/clerk-js/src/core/resources/__tests__/Session.test.ts
  • packages/clerk-js/src/core/resources/__tests__/Token.test.ts
  • packages/clerk-js/src/core/resources/__tests__/UserSettings.test.ts
  • packages/clerk-js/src/core/sessionTasks.ts
  • packages/clerk-js/src/test/create-fixtures.tsx
  • packages/clerk-js/src/test/fixture-helpers.ts
  • packages/clerk-js/src/test/fixtures.ts
  • packages/clerk-js/src/ui/common/WalletInitialIcon.tsx
  • packages/clerk-js/src/ui/common/Wizard.tsx
  • packages/clerk-js/src/ui/components/Checkout/CheckoutForm.tsx
  • packages/clerk-js/src/ui/components/Checkout/__tests__/Checkout.test.tsx
  • packages/clerk-js/src/ui/components/ImpersonationFab/__tests__/ImpersonationFab.test.tsx
  • packages/clerk-js/src/ui/components/ImpersonationFab/index.tsx
  • packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/ActiveMembersList.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/InviteMembersForm.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/MemberListTable.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/OrganizationMembers.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/OrganizationProfileAvatarUploader.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/__tests__/InviteMembersPage.test.tsx
  • packages/clerk-js/src/ui/components/OrganizationProfile/__tests__/OrganizationMembers.test.tsx
  • packages/clerk-js/src/ui/components/PaymentAttempts/PaymentAttemptPage.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/index.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/ChooseOrganizationScreen.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/CreateOrganizationScreen.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/OrganizationCreationDefaultsAlert.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/__tests__/TaskChooseOrganization.test.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/index.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/SetupMfaStartScreen.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/SmsCodeFlowScreen.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/TOTPCodeFlowScreen.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/__tests__/TaskSetupMfa.test.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/constants.ts
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/index.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/shared.tsx
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/shared/index.ts
  • packages/clerk-js/src/ui/components/SessionTasks/tasks/shared/withTaskGuardOnlyOnMount.tsx
  • packages/clerk-js/src/ui/components/SignIn/SignInFactorOnePasswordCard.tsx
  • packages/clerk-js/src/ui/components/SignIn/SignInFactorOneSolanaWalletsCard.tsx
  • packages/clerk-js/src/ui/components/SignIn/SignInFactorTwo.tsx
  • packages/clerk-js/src/ui/components/SignIn/SignInSocialButtons.tsx
  • packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx
  • packages/clerk-js/src/ui/components/SignIn/__tests__/handleCombinedFlowTransfer.test.ts
  • packages/clerk-js/src/ui/components/SignIn/handleCombinedFlowTransfer.ts
  • packages/clerk-js/src/ui/components/SignIn/index.tsx
  • packages/clerk-js/src/ui/components/SignUp/SignUpSocialButtons.tsx
  • packages/clerk-js/src/ui/components/SignUp/SignUpStart.tsx
  • packages/clerk-js/src/ui/components/SignUp/SignUpStartSolanaWalletsCard.tsx
  • packages/clerk-js/src/ui/components/SignUp/__tests__/SignUpStart.test.tsx
  • packages/clerk-js/src/ui/components/SignUp/index.tsx
  • packages/clerk-js/src/ui/components/Statements/StatementPage.tsx
  • packages/clerk-js/src/ui/components/UserProfile/MfaSection.tsx
  • packages/clerk-js/src/ui/components/UserProfile/Web3Form.tsx
  • packages/clerk-js/src/ui/components/UserProfile/Web3Section.tsx
  • packages/clerk-js/src/ui/components/UserProfile/Web3SelectSolanaWalletScreen.tsx
  • packages/clerk-js/src/ui/components/UserProfile/__tests__/MfaPage.test.tsx
  • packages/clerk-js/src/ui/components/UserProfile/__tests__/PasswordSection.test.tsx
  • packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
  • packages/clerk-js/src/ui/components/UserProfile/utils.ts
  • packages/clerk-js/src/ui/components/devPrompts/EnableOrganizationsPrompt/index.tsx
  • packages/clerk-js/src/ui/components/devPrompts/KeylessPrompt/__tests__/KeylessPrompt.test.tsx
  • packages/clerk-js/src/ui/components/devPrompts/KeylessPrompt/index.tsx
  • packages/clerk-js/src/ui/contexts/ClerkUIComponentsContext.tsx
  • packages/clerk-js/src/ui/contexts/components/SessionTasks.ts
  • packages/clerk-js/src/ui/customizables/elementDescriptors.ts
  • packages/clerk-js/src/ui/elements/Alert.tsx
  • packages/clerk-js/src/ui/elements/Avatar.tsx
  • packages/clerk-js/src/ui/elements/AvatarUploader.tsx
  • packages/clerk-js/src/ui/elements/FormContainer.tsx
  • packages/clerk-js/src/ui/elements/Header.tsx
  • packages/clerk-js/src/ui/elements/OrganizationAvatar.tsx
  • packages/clerk-js/src/ui/elements/Select.tsx
  • packages/clerk-js/src/ui/elements/SuccessPage.tsx
  • packages/clerk-js/src/ui/elements/VerificationCodeCard.tsx
  • packages/clerk-js/src/ui/elements/Web3SolanaWalletButtons.tsx
  • packages/clerk-js/src/ui/elements/contexts/index.tsx
  • packages/clerk-js/src/ui/hooks/index.ts
  • packages/clerk-js/src/ui/hooks/useFetchRoles.ts
  • packages/clerk-js/src/ui/hooks/useWindowEventListener.ts
  • packages/clerk-js/src/ui/lazyModules/components.ts
  • packages/clerk-js/src/ui/localization/__tests__/parseLocalization.test.tsx
  • packages/clerk-js/src/ui/primitives/Text.tsx
  • packages/clerk-js/src/ui/router/BaseRouter.tsx
  • packages/clerk-js/src/ui/router/PathRouter.tsx
  • packages/clerk-js/src/ui/types.ts
  • packages/clerk-js/src/ui/utils/__tests__/originPrefersPopup.test.ts
  • packages/clerk-js/src/ui/utils/mfa.ts
  • packages/clerk-js/src/ui/utils/originPrefersPopup.ts
  • packages/clerk-js/src/ui/utils/web3CallbackErrorHandler.ts
  • packages/clerk-js/src/utils/billing.ts
  • packages/clerk-js/src/utils/captcha/turnstile.ts
  • packages/clerk-js/src/utils/injectedWeb3EthProviders.ts
  • packages/clerk-js/src/utils/injectedWeb3SolanaProviders.ts
  • packages/clerk-js/src/utils/thirdPartyDomains.ts
  • packages/clerk-js/src/utils/web3.ts
  • packages/elements/CHANGELOG.md
  • packages/elements/package.json
  • packages/elements/src/react/hooks/use-third-party-provider.hook.ts
  • packages/expo-passkeys/CHANGELOG.md
  • packages/expo-passkeys/package.json
  • packages/expo/CHANGELOG.md
  • packages/expo/package.json
  • packages/express/CHANGELOG.md
  • packages/express/package.json
  • packages/fastify/CHANGELOG.md
  • packages/fastify/package.json
  • packages/localizations/CHANGELOG.md
  • packages/localizations/package.json
  • packages/localizations/src/ar-SA.ts
  • packages/localizations/src/be-BY.ts
  • packages/localizations/src/bg-BG.ts
  • packages/localizations/src/bn-IN.ts
  • packages/localizations/src/ca-ES.ts
  • packages/localizations/src/cs-CZ.ts
  • packages/localizations/src/da-DK.ts
  • packages/localizations/src/de-DE.ts
  • packages/localizations/src/el-GR.ts
  • packages/localizations/src/en-GB.ts
  • packages/localizations/src/en-US.ts
  • packages/localizations/src/es-CR.ts
  • packages/localizations/src/es-ES.ts
  • packages/localizations/src/es-MX.ts
  • packages/localizations/src/es-UY.ts
  • packages/localizations/src/fa-IR.ts
  • packages/localizations/src/fi-FI.ts
  • packages/localizations/src/fr-FR.ts
  • packages/localizations/src/he-IL.ts
  • packages/localizations/src/hi-IN.ts
  • packages/localizations/src/hr-HR.ts
  • packages/localizations/src/hu-HU.ts
  • packages/localizations/src/id-ID.ts
  • packages/localizations/src/is-IS.ts
  • packages/localizations/src/it-IT.ts
  • packages/localizations/src/ja-JP.ts
  • packages/localizations/src/kk-KZ.ts
  • packages/localizations/src/ko-KR.ts
  • packages/localizations/src/mn-MN.ts
  • packages/localizations/src/ms-MY.ts
  • packages/localizations/src/nb-NO.ts
  • packages/localizations/src/nl-BE.ts
  • packages/localizations/src/nl-NL.ts
  • packages/localizations/src/pl-PL.ts
  • packages/localizations/src/pt-BR.ts
  • packages/localizations/src/pt-PT.ts
  • packages/localizations/src/ro-RO.ts
  • packages/localizations/src/ru-RU.ts
  • packages/localizations/src/sk-SK.ts
  • packages/localizations/src/sr-RS.ts
  • packages/localizations/src/sv-SE.ts
  • packages/localizations/src/ta-IN.ts
  • packages/localizations/src/te-IN.ts
  • packages/localizations/src/th-TH.ts
  • packages/localizations/src/tr-TR.ts
  • packages/localizations/src/uk-UA.ts
  • packages/localizations/src/vi-VN.ts
  • packages/localizations/src/zh-CN.ts
  • packages/localizations/src/zh-TW.ts
  • packages/nextjs/CHANGELOG.md
  • packages/nextjs/package.json
  • packages/nextjs/src/__tests__/keyless-custom-headers.test.ts
  • packages/nextjs/src/app-router/server/auth.ts
  • packages/nextjs/src/client-boundary/hooks.ts
  • packages/nextjs/src/client-boundary/uiComponents.tsx
  • packages/nextjs/src/index.ts
  • packages/nextjs/src/server/__tests__/content-security-policy.test.ts
  • packages/nextjs/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/content-security-policy.ts
  • packages/nextjs/src/server/data/getAuthDataFromRequest.ts
  • packages/nextjs/src/server/fs/middleware-location.ts
  • packages/nextjs/src/server/keyless-custom-headers.ts
  • packages/nextjs/src/utils/__tests__/sdk-versions.test.ts
  • packages/nextjs/src/utils/sdk-versions.ts
  • packages/nuxt/CHANGELOG.md
  • packages/nuxt/package.json
  • packages/react-router/CHANGELOG.md
  • packages/react-router/package.json
  • packages/react/CHANGELOG.md
  • packages/react/package.json
  • packages/react/src/components/SignInButton.tsx
  • packages/react/src/components/SignUpButton.tsx
  • packages/react/src/components/__tests__/SignInButton.test.tsx
  • packages/react/src/components/__tests__/SignUpButton.test.tsx
  • packages/react/src/components/index.ts
  • packages/react/src/components/uiComponents.tsx
  • packages/react/src/hooks/index.ts
  • packages/react/src/hooks/useSignIn.ts

📝 Walkthrough

This PR introduces a major update targeting the release/core-2 branch, adding Solana Web3 wallet authentication support, MFA setup task flows, organization creation defaults configuration, expanded API key management, and enhanced session/cookie handling. It includes backend API extensions, frontend UI components, comprehensive localization updates across 50+ languages, integration tests, and configuration adjustments for the new branch target.

Changes

Cohort / File(s) Summary
Branch & CI Configuration
.changeset/config.json, .github/workflows/ci.yml, .github/workflows/release.yml, packages/backend/tsup.config.ts
Updated target branch from main to release/core-2 in changeset and CI workflows. Modified release workflow concurrency, setup parameters, and referenced typedoc workflow. Updated module bundling configuration.
Workflow Removals
.github/workflows/nightly-checks.yml, .github/workflows/preview.retheme.yml, .github/workflows/release-canary.yml
Removed deprecated GitHub Actions workflows for nightly integration tests, preview deployments, and canary releases.
Backend API Endpoints & Resources
packages/backend/src/api/endpoints/APIKeysApi.ts, packages/backend/src/api/endpoints/AgentTaskApi.ts, packages/backend/src/api/endpoints/M2MTokenApi.ts, packages/backend/src/api/endpoints/UserApi.ts, packages/backend/src/api/endpoints/WaitlistEntryApi.ts, packages/backend/src/api/resources/APIKey.ts, packages/backend/src/api/resources/AgentTask.ts, packages/backend/src/api/resources/ExternalAccount.ts, packages/backend/src/api/resources/OauthAccessToken.ts
Expanded API surface with new methods: APIKeysApi.get/update/delete with revocation reason support, M2MTokenApi.list with filtering, UserApi.setPasswordCompromised/unsetPasswordCompromised, WaitlistEntryApi.createBulk. Added new AgentTaskAPI class. Enhanced resource models with additional fields (APIKey metadata, OauthAccessToken.idToken, ExternalAccount.providerUserId).
Backend Deserialization & Types
packages/backend/src/api/resources/Deserializer.ts, packages/backend/src/api/resources/Enums.ts, packages/backend/src/api/resources/JSON.ts, packages/backend/src/api/resources/index.ts, packages/backend/src/api/factory.ts, packages/backend/src/internal.ts, packages/backend/src/constants.ts, packages/backend/src/index.ts
Added AgentTask deserialization support, M2M token list response handling. Updated OrganizationInvitationStatus enum to include 'expired'. Exported new AgentTask types and isMachineToken utility. Added Session query parameter constant.
Backend Testing
packages/backend/src/api/__tests__/APIKeysApi.test.ts, packages/backend/src/api/__tests__/AgentTaskApi.test.ts, packages/backend/src/api/__tests__/M2MTokenApi.test.ts, packages/backend/src/api/__tests__/factory.test.ts
Comprehensive test coverage for new API endpoints including API key CRUD operations, agent task creation/revocation, M2M token listing with filters, and waitlist bulk operations.
Backend Token & Auth Handling
packages/backend/src/tokens/clerkRequest.ts, packages/backend/src/tokens/handshake.ts, packages/backend/src/tokens/request.ts
Implemented duck-typing for ClerkRequest detection, session token inclusion in handshake URLs, OAuth JWT rejection in header token flows, and session_token acceptance logic.
Astro Integration
packages/astro/src/integration/create-integration.ts, packages/astro/src/integration/snippets.ts, packages/astro/src/stores/external.ts, packages/astro/src/astro-components/control/Protect.astro, packages/astro/src/astro-components/control/ProtectCSR.astro, packages/astro/src/astro-components/control/SignedIn.astro, packages/astro/src/astro-components/control/SignedOut.astro
Added buildBeforeHydrationSnippet and buildPageLoadSnippet utilities for script injection. Introduced $billingStore for billing state access. Enhanced Protect/SignedIn/SignedOut components with runtime CSR/SSR detection logic and slot handling.
Clerk.js Core Resources & Types
packages/clerk-js/src/core/resources/BillingSubscription.ts, packages/clerk-js/src/core/resources/Organization.ts, packages/clerk-js/src/core/resources/OrganizationCreationDefaults.ts, packages/clerk-js/src/core/resources/OrganizationSettings.ts, packages/clerk-js/src/core/resources/PublicUserData.ts, packages/clerk-js/src/core/resources/Session.ts, packages/clerk-js/src/core/resources/User.ts
Added OrganizationCreationDefaults resource for retrieving org setup defaults. Extended Session with agent support. Added organization creation defaults to settings. Enhanced User with getOrganizationCreationDefaults method. Added billing credits support and username field.
Clerk.js Sign-In/Sign-Up & Web3
packages/clerk-js/src/core/resources/SignIn.ts, packages/clerk-js/src/core/resources/SignUp.ts, packages/clerk-js/src/ui/components/SignIn/SignInFactorOneSolanaWalletsCard.tsx, packages/clerk-js/src/ui/components/SignUp/SignUpStartSolanaWalletsCard.tsx, packages/clerk-js/src/utils/web3.ts, packages/clerk-js/src/utils/injectedWeb3SolanaProviders.ts
Comprehensive Solana Web3 support added across sign-in/sign-up flows with walletName handling. New UI cards for Solana wallet selection. Solana provider detection and signature generation utilities.
Clerk.js MFA Setup Task
packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/index.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/SetupMfaStartScreen.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/SmsCodeFlowScreen.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/TOTPCodeFlowScreen.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/shared.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskSetupMfa/constants.ts
New MFA setup task implementation with phone SMS and TOTP authenticator flows, backup code display, and shared footer sign-out action.
Clerk.js Session Tasks & Organization
packages/clerk-js/src/ui/components/SessionTasks/index.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/CreateOrganizationScreen.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/TaskChooseOrganization/OrganizationCreationDefaultsAlert.tsx, packages/clerk-js/src/ui/components/SessionTasks/tasks/shared/withTaskGuardOnlyOnMount.tsx
Integrated TaskSetupMFA into session task flow with context providers. Enhanced organization creation with defaults support, alert messaging, and logo handling. Added task guard HOC for mount-based redirects.
Clerk.js Billing & Checkout UI
packages/clerk-js/src/ui/components/Checkout/CheckoutForm.tsx, packages/clerk-js/src/ui/components/PaymentAttempts/PaymentAttemptPage.tsx, packages/clerk-js/src/ui/components/Statements/StatementPage.tsx
Updated credit display to show proration and payer-applied account credits separately with distinct line items.
Clerk.js Organization Profile
packages/clerk-js/src/ui/components/OrganizationProfile/ActiveMembersList.tsx, packages/clerk-js/src/ui/components/OrganizationProfile/InviteMembersForm.tsx, packages/clerk-js/src/ui/components/OrganizationProfile/OrganizationMembers.tsx
Added role set migration detection and UI blocking. Integrated hasRoleSetMigration flag throughout member management and role assignment UI.
Clerk.js User Profile & Web3
packages/clerk-js/src/ui/components/UserProfile/Web3Form.tsx, packages/clerk-js/src/ui/components/UserProfile/Web3Section.tsx, packages/clerk-js/src/ui/components/UserProfile/Web3SelectSolanaWalletScreen.tsx, packages/clerk-js/src/ui/components/UserProfile/MfaSection.tsx
Added Solana wallet selection screen. Refactored Web3Form with action context integration and wallet-name awareness. Enhanced MFA section with conditional delete actions based on MFA requirements.
Clerk.js UI Elements & Routing
packages/clerk-js/src/ui/elements/Avatar.tsx, packages/clerk-js/src/ui/elements/Header.tsx, packages/clerk-js/src/ui/elements/SuccessPage.tsx, packages/clerk-js/src/ui/elements/VerificationCodeCard.tsx, packages/clerk-js/src/ui/elements/Web3SolanaWalletButtons.tsx, packages/clerk-js/src/ui/elements/WalletInitialIcon.tsx, packages/clerk-js/src/ui/router/BaseRouter.tsx, packages/clerk-js/src/ui/router/PathRouter.tsx
Added loading spinner support to Avatar. Introduced badge text support in Header and SuccessPage. Implemented Web3SolanaWalletButtons component with wallet adapter integration. Added WalletInitialIcon for wallet initials display. Enhanced router with history change observation and pushState/replaceState patching.
Clerk.js Utilities & Helpers
packages/clerk-js/src/ui/utils/web3.ts, packages/clerk-js/src/ui/utils/thirdPartyDomains.ts, packages/clerk-js/src/ui/utils/originPrefersPopup.ts, packages/clerk-js/src/ui/utils/mfa.ts, packages/clerk-js/src/utils/billing.ts, packages/clerk-js/src/utils/captcha/turnstile.ts, packages/clerk-js/src/utils/injectedWeb3EthProviders.ts
Added third-party domain list for cookie and popup handling. Created MFA utility helpers (getSecondFactors, getSecondFactorsAvailableToAdd). Enhanced Solana identifier/signature generation. Added billing credits deserialization. Improved Turnstile captcha diagnostics.
Clerk.js Type Definitions & Contexts
packages/clerk-js/src/ui/types.ts, packages/clerk-js/src/ui/contexts/ClerkUIComponentsContext.tsx, packages/clerk-js/src/ui/contexts/components/SessionTasks.ts, packages/clerk-js/src/ui/customizables/elementDescriptors.ts
Added TaskSetupMFACtx and TaskSetupMFAProps types. Extended component context with TaskSetupMFA support. Added new appearance customization keys for MFA and Solana wallet UI elements.
Clerk.js KeylessPrompt & Dev Tools
packages/clerk-js/src/ui/components/devPrompts/KeylessPrompt/index.tsx, packages/clerk-js/src/ui/components/devPrompts/EnableOrganizationsPrompt/index.tsx
Major refactor of KeylessPrompt with state machine pattern and self-contained expanded UI. Enhanced EnableOrganizationsPrompt with RadioGroup for membership requirements and organization name fetching.
Clerk.js Testing & Fixtures
packages/clerk-js/src/test/fixture-helpers.ts, packages/clerk-js/src/test/fixtures.ts, packages/clerk-js/src/core/resources/__tests__/*.test.ts, packages/clerk-js/src/ui/components/**/__tests__/*.test.ts
Extended test fixtures with actor/session support, organization creation defaults, and MFA configuration. Added comprehensive tests for MFA setup flows, org creation restrictions, role migrations, and Web3/Solana functionality.
Integration Tests & Setup
integration/tests/astro/billingStore.test.ts, integration/tests/astro/components.test.ts, integration/tests/session-tasks-setup-mfa.test.ts, integration/tests/oauth-flows.test.ts, integration/presets/envs.ts, integration/presets/longRunningApps.ts, integration/templates/*
Added MFA setup session task environment and tests. Added React Vite OAuth popup flow tests. Updated integration templates with Solana wallet and billing store examples. Added new app configurations for testing.
Localization Updates
packages/localizations/src/*.ts (50+ language files), packages/clerk-js/src/ui/localization/__tests__/parseLocalization.test.tsx
Comprehensive localization additions across all supported languages for Solana Web3 flows, MFA setup UI, organization creation restrictions/defaults, role migration alerts, billing credits terminology, and error messages.
Package Versions & Changelogs
packages/*/package.json, packages/*/CHANGELOG.md
Version bumps across multiple packages (clerk-js 5.114.0→5.125.2, backend 2.26.0→2.32.2, astro 2.16.6→2.17.7, etc.) with corresponding changelog entries documenting dependency updates and new features.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Clerk as Clerk.js Client
    participant SignIn
    participant Web3 as Web3/Solana
    participant Backend
    participant Session

    User->>SignIn: Navigate to sign-in
    SignIn->>Clerk: Check sign-in status
    Clerk-->>SignIn: Show Web3 options
    User->>SignIn: Click Solana wallet
    SignIn->>Web3: Initialize Solana flow
    Web3->>Web3: Detect installed wallets
    User->>Web3: Select wallet
    Web3->>Web3: Get wallet account
    Web3->>Clerk: Generate signature
    Clerk->>Backend: Authenticate with signature
    Backend->>Session: Create session
    Backend-->>Clerk: Session established
    Clerk-->>User: Redirect to app
sequenceDiagram
    participant User
    participant Clerk as Clerk.js Client
    participant MFATask as MFA Setup Task
    participant Phone
    participant TOTP
    participant Backend
    participant Session

    User->>Clerk: Complete sign-in/sign-up
    Clerk->>Session: Check if MFA required
    Session-->>Clerk: MFA pending
    Clerk->>MFATask: Mount MFA setup flow
    MFATask->>User: Show method selection (SMS/TOTP)
    User->>MFATask: Choose method
    
    alt SMS Code Path
        MFATask->>Phone: Add/select phone
        Phone->>Backend: Create phone verification
        Backend-->>Phone: Send verification code
        User->>Phone: Enter code
        Phone->>Backend: Verify code
        Backend->>Session: Enable second factor
        Session-->>Backend: MFA enabled
    else TOTP Path
        MFATask->>TOTP: Generate TOTP secret
        TOTP->>User: Display QR code
        User->>TOTP: Scan & verify
        TOTP->>Backend: Verify TOTP code
        Backend->>Session: Enable second factor
        Session-->>Backend: MFA enabled
    end
    
    MFATask->>User: Show backup codes
    User->>Clerk: Acknowledge
    Clerk-->>User: Redirect to app

Estimated code review effort

🎯 5 (Critical) | ⏱️ 90+ minutes

Suggested labels

clerk-js, core-2, backend, web3, mfa, localization

Poem

🐰 Hops through Core Two with gleeful bounds,
Solana wallets spring without sound,
MFA tasks now bloom and grow,
Organization defaults steal the show,
From Astro to JS, changes abound,
A migration grand on solid ground! 🌟
