Skip to content

fix(backend): preserve Set-Cookie headers through proxy#8162

Merged
brkalow merged 6 commits intomainfrom
brkalow/fix-set-cookie-proxy
Mar 25, 2026
Merged

fix(backend): preserve Set-Cookie headers through proxy#8162
brkalow merged 6 commits intomainfrom
brkalow/fix-set-cookie-proxy

Conversation

@brkalow
Copy link
Member

@brkalow brkalow commented Mar 25, 2026
edited by coderabbitai bot
Loading

Summary

  • Use headers.append() instead of headers.set() for set-cookie response headers in clerkFrontendApiProxy, fixing OAuth callback failures caused by dropped __client / __client_uat cookies
  • Add host validation guard to harden proxy

Test plan

  • Added test verifying multiple Set-Cookie headers are preserved through the proxy (using response.headers.getSetCookie())
  • Added test verifying protocol-relative SSRF paths are rejected with 400 before any fetch is made
  • All 38 existing proxy tests continue to pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Proxy now preserves and forwards multiple Set-Cookie headers from upstream to clients.

  • Security

    • Requests that resolve to a host different from the expected frontend API host are rejected with a 400 error.

  • Tests

    • Added tests covering Set-Cookie preservation and rejection of ambiguous/malicious proxy target resolutions.

@changeset-bot
Copy link

changeset-bot bot commented Mar 25, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 21a5805

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@clerk/backend Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Mar 25, 2026
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8162

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8162

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8162

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8162

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8162

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8162

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8162

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8162

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8162

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8162

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8162

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8162

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8162

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8162

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8162

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8162

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8162

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8162

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8162

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8162

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8162

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8162

commit: 21a5805

@jacekradko
Copy link
Member

jacekradko commented Mar 25, 2026

Classic headers issue!

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 25, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3588d8fb-ac85-4b06-ad15-e87add47b135

📥 Commits

Reviewing files that changed from the base of the PR and between 1883b8f and 21a5805.

📒 Files selected for processing (2)
  • packages/backend/src/__tests__/proxy.test.ts
  • packages/backend/src/proxy.ts
📝 Walkthrough

Walkthrough

Adds a changeset for a patch release to `@clerk/backend`. Implements an SSRF guard by deriving the expected frontend API host from `fapiBaseUrl` and rejecting proxied requests whose resolved `targetUrl.host` differs with a 400 `proxy_request_failed` JSON error. Adjusts proxy response handling to append upstream `Set-Cookie` headers (preserving multiple cookies) while setting other headers normally. Adds tests for ambiguous/protocol-relative target URLs and preservation of multiple `Set-Cookie` headers.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and directly describes the main change: preserving Set-Cookie headers through the proxy, which is the core fix addressing the OAuth callback failures mentioned in the PR objectives.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@brkalow @claude
fix(backend): preserve Set-Cookie headers and block SSRF in proxy
f390667 
Use `headers.append()` instead of `headers.set()` for `set-cookie`
headers when copying FAPI response headers, preventing multiple
Set-Cookie values from being silently dropped (which caused OAuth
callback failures due to missing `__client` cookies).

Also add a host validation guard to prevent SSRF via protocol-relative
paths (e.g., `//evil.com/steal`) that would cause the URL constructor
to resolve to an attacker-controlled host, leaking the secret key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@brkalow brkalow changed the title fix(backend): Append set-cookie headers in frontend proxy fix(backend): preserve Set-Cookie headers and block SSRF in proxy Mar 25, 2026
@vercel
Copy link

vercel bot commented Mar 25, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Mar 25, 2026 6:26pm

Request Review

brkalow
brkalow commented Mar 25, 2026
View reviewed changes
jacekradko
jacekradko approved these changes Mar 25, 2026
View reviewed changes
Copy link
Member

@jacekradko jacekradko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Good catch

@brkalow @claude
fix(backend): use string concatenation for FAPI URL to prevent SSRF b…
1883b8f 
…y construction

Replace `new URL(path, base)` with string concatenation so that
protocol-relative paths like `//evil.com` can never change the host.
The defense-in-depth host check is kept as a belt-and-suspenders guard.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jacekradko
jacekradko reviewed Mar 25, 2026
View reviewed changes
coderabbitai[bot]
coderabbitai bot reviewed Mar 25, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/backend/src/proxy.ts`:
- Around line 295-302: The bridge currently forwards response headers using
response.setHeader in the authenticateRequest flow which overwrites repeated
Set-Cookie values; update the header-forwarding loop in authenticateRequest (the
code that iterates response.headers and calls response.setHeader(key, value)) to
use response.appendHeader(key, value) for headers that may repeat (particularly
'set-cookie'), matching the approach used elsewhere (responseHeaders.append in
proxy.ts and the response.appendHeader call at line ~69), so multiple cookies
are preserved when sent to the client.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 79a73bb2-ec07-4aa9-8ca1-0967c86d9033

📥 Commits

Reviewing files that changed from the base of the PR and between 148923a and 1883b8f.

📒 Files selected for processing (2)
  • packages/backend/src/__tests__/proxy.test.ts
  • packages/backend/src/proxy.ts

brkalow
brkalow commented Mar 25, 2026
View reviewed changes
@brkalow brkalow changed the title fix(backend): preserve Set-Cookie headers and block SSRF in proxy fix(backend): preserve Set-Cookie headers through proxy Mar 25, 2026
brkalow
brkalow commented Mar 25, 2026
View reviewed changes
@brkalow brkalow merged commit 486545c into main Mar 25, 2026
44 checks passed
@brkalow brkalow deleted the brkalow/fix-set-cookie-proxy branch March 25, 2026 18:35
@clerk-cookie clerk-cookie mentioned this pull request Mar 25, 2026
Merged
wobsoriano pushed a commit that referenced this pull request Mar 26, 2026
@brkalow @claude @wobsoriano
fix(backend): preserve Set-Cookie headers through proxy (#8162)
419da0f 
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@jacekradko jacekradko mentioned this pull request Mar 26, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jacekradko jacekradko jacekradko approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

backend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brkalow @jacekradko