fix(backend): harden FAPI proxy resilience and spec compliance

[brkalow]

Summary

• Propagate client abort signal to upstream fetch() to prevent zombie requests when clients disconnect
• Strip dynamic hop-by-hop headers listed in the Connection header per RFC 7230 Section 6.1, for both request and response header copying
• Support request bodies on any HTTP method (e.g., DELETE-with-body) by checking request.body !== null instead of a method allowlist
• Add Cache-Control: no-store to all error responses to prevent CDN/browser caching of transient errors
• Only set duplex: 'half' when the request actually has a body, avoiding unnecessary option on bodyless requests
• Converted HOP_BY_HOP_HEADERS from array to Set for O(1) lookups

Test plan

• Existing proxy tests continue to pass (82 tests)
• New test: DELETE request with body is forwarded with duplex: 'half'
• New test: Abort signal from incoming request is propagated to fetch
• New test: Error responses (500 and 502) include Cache-Control: no-store
• New test: Dynamic hop-by-hop headers listed in Connection header are stripped from forwarded requests

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Corrected proxy handling to support DELETE requests with bodies, always propagate abort signals, enforce no-cache on error responses, and strip dynamic hop-by-hop headers per HTTP rules.

• Tests

  • Added comprehensive tests covering DELETE-with-body forwarding, signal propagation, cache-control on failures, and dynamic hop-by-hop header stripping.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2809448

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8163

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8163

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8163

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8163

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8163

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8163

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8163

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8163

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8163

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8163

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8163

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8163

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8163

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8163

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8163

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8163

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8163

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8163

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8163

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8163

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8163

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8163

commit: 2809448

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: ec897c93-d7cf-485d-bea7-cbf94275c614

📥 Commits

Reviewing files that changed from the base of the PR and between e7346d8 and 2809448.

📒 Files selected for processing (2)

• packages/backend/src/__tests__/proxy.test.ts
• packages/backend/src/proxy.ts

---

📝 Walkthrough

Walkthrough

The PR updates proxy behavior and tests: hop-by-hop header handling now uses a Set and parses dynamic header names from the Connection header; request body detection changed from method checks to request.body !== null and duplex: 'half' is set when a body is present; incoming Request.signal is forwarded to upstream fetch; JSON error responses include Cache-Control: no-store; tests added for DELETE with a body, signal propagation, cache-control on errors, and dynamic hop-by-hop header stripping.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main objectives: hardening FAPI proxy resilience (abort signal propagation, resilience improvements) and spec compliance (dynamic hop-by-hop header stripping per RFC 7230, Cache-Control headers, proper request body handling).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 26, 2026 3:30pm