fix(clerk-js,astro,nuxt,tanstack-react-start,remix,react-router): Introduce helper function to prevent infinite handshake in Netlify (#5656)

Co-authored-by: Lennart <[email protected]>

Author: wobsoriano

.changeset/plenty-hounds-sort.md

@@ -0,0 +1,11 @@
+---
+"@clerk/astro": patch
+"@clerk/clerk-js": patch
+"@clerk/nuxt": patch
+"@clerk/react-router": patch
+"@clerk/remix": patch
+"@clerk/shared": patch
+"@clerk/tanstack-react-start": patch
+---
+
+Fix handshake redirect loop in applications deployed to Netlify with a Clerk development instance.

packages/astro/src/integration/create-integration.ts

@@ -125,10 +125,7 @@ function createIntegration<Params extends HotloadAstroClerkIntegrationParams>()
             'page',
             `
             ${command === 'dev' ? `console.log("${packageName}","Initialize Clerk: page")` : ''}
-            import { removeNetlifyCacheBustParam, runInjectionScript, swapDocument } from "${buildImportPath}";
-
-            // Fix an issue with infinite redirect in Netlify and Clerk dev instance
-            removeNetlifyCacheBustParam();
+            import { runInjectionScript, swapDocument } from "${buildImportPath}";
 
             // Taken from https://github.com/withastro/astro/blob/e10b03e88c22592fbb42d7245b65c4f486ab736d/packages/astro/src/transitions/router.ts#L39.
             // Importing it directly from astro:transitions/client breaks custom client-side routing

packages/astro/src/internal/index.ts

@@ -14,4 +14,3 @@ export { runInjectionScript };
 
 export { generateSafeId } from './utils/generateSafeId';
 export { swapDocument } from './swap-document';
-export { NETLIFY_CACHE_BUST_PARAM, removeNetlifyCacheBustParam } from './remove-query-param';

packages/astro/src/internal/remove-query-param.ts

@@ -1,14 +1,14 @@
 import type { AuthObject, ClerkClient } from '@clerk/backend';
 import type { AuthenticateRequestOptions, ClerkRequest, RedirectFun, RequestState } from '@clerk/backend/internal';
 import { AuthStatus, constants, createClerkRequest, createRedirect } from '@clerk/backend/internal';
-import { isDevelopmentFromPublishableKey, isDevelopmentFromSecretKey } from '@clerk/shared/keys';
+import { isDevelopmentFromSecretKey } from '@clerk/shared/keys';
+import { handleNetlifyCacheInDevInstance } from '@clerk/shared/netlifyCacheHandler';
 import { isHttpOrHttps } from '@clerk/shared/proxy';
 import { handleValueOrFn } from '@clerk/shared/utils';
 import type { APIContext } from 'astro';
 
 import { authAsyncStorage } from '#async-local-storage';
 
-import { NETLIFY_CACHE_BUST_PARAM } from '../internal';
 import { buildClerkHotloadScript } from './build-clerk-hotload-script';
 import { clerkClient } from './clerk-client';
 import { createCurrentUser } from './current-user';
@@ -74,7 +74,11 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]): any => {
 
     const locationHeader = requestState.headers.get(constants.Headers.Location);
     if (locationHeader) {
-      handleNetlifyCacheInDevInstance(locationHeader, requestState);
+      handleNetlifyCacheInDevInstance({
+        locationHeader,
+        requestStateHeaders: requestState.headers,
+        publishableKey: requestState.publishableKey,
+      });
 
       const res = new Response(null, { status: 307, headers: requestState.headers });
       return decorateResponseWithObservabilityHeaders(res, requestState);
@@ -234,25 +238,6 @@ Check if signInUrl is missing from your configuration or if it is not an absolut
    PUBLIC_CLERK_SIGN_IN_URL='SOME_URL'
    PUBLIC_CLERK_IS_SATELLITE='true'`;
 
-/**
- * Prevents infinite redirects in Netlify's functions
- * by adding a cache bust parameter to the original redirect URL. This ensures Netlify
- * doesn't serve a cached response during the authentication flow.
- */
-function handleNetlifyCacheInDevInstance(locationHeader: string, requestState: RequestState) {
-  // Only run on Netlify environment and Clerk development instance
-  // eslint-disable-next-line turbo/no-undeclared-env-vars
-  if (import.meta.env.NETLIFY && isDevelopmentFromPublishableKey(requestState.publishableKey)) {
-    const hasHandshakeQueryParam = locationHeader.includes('__clerk_handshake');
-    // If location header is the original URL before the handshake redirects, add cache bust param
-    if (!hasHandshakeQueryParam) {
-      const url = new URL(locationHeader);
-      url.searchParams.append(NETLIFY_CACHE_BUST_PARAM, Date.now().toString());
-      requestState.headers.set('Location', url.toString());
-    }
-  }
-}
-
 function decorateAstroLocal(clerkRequest: ClerkRequest, context: APIContext, requestState: RequestState) {
   const { reason, message, status, token } = requestState;
   context.locals.authToken = token;

packages/astro/src/server/clerk-middleware.ts

@@ -5,6 +5,7 @@ import { ClerkRuntimeError, EmailLinkErrorCodeStatus, is4xxError, isClerkAPIResp
 import { parsePublishableKey } from '@clerk/shared/keys';
 import { LocalStorageBroadcastChannel } from '@clerk/shared/localStorageBroadcastChannel';
 import { logger } from '@clerk/shared/logger';
+import { CLERK_NETLIFY_CACHE_BUST_PARAM } from '@clerk/shared/netlifyCacheHandler';
 import { isHttpOrHttps, isValidProxyUrl, proxyUrlToAbsoluteURL } from '@clerk/shared/proxy';
 import {
   eventPrebuiltComponentMounted,
@@ -2622,6 +2623,7 @@ export class Clerk implements ClerkInterface {
   #clearClerkQueryParams = () => {
     try {
       removeClerkQueryParam(CLERK_SYNCED);
+      removeClerkQueryParam(CLERK_NETLIFY_CACHE_BUST_PARAM);
       // @nikos: we're looking into dropping this param completely
       // in the meantime, we're removing it here to keep the URL clean
       removeClerkQueryParam(CLERK_SUFFIXED_COOKIES);

packages/clerk-js/src/core/clerk.ts

@@ -1,4 +1,5 @@
 import type { EmailLinkErrorCodeStatus } from '@clerk/shared/error';
+import { CLERK_NETLIFY_CACHE_BUST_PARAM } from '@clerk/shared/netlifyCacheHandler';
 
 import { CLERK_SATELLITE_URL, CLERK_SUFFIXED_COOKIES, CLERK_SYNCED } from '../core/constants';
 
@@ -10,6 +11,7 @@ const _ClerkQueryParams = [
   '__clerk_modal_state',
   '__clerk_handshake',
   '__clerk_help',
+  CLERK_NETLIFY_CACHE_BUST_PARAM,
   CLERK_SYNCED,
   CLERK_SATELLITE_URL,
   CLERK_SUFFIXED_COOKIES,

packages/clerk-js/src/utils/getClerkQueryParam.ts

@@ -1,6 +1,7 @@
 import type { AuthenticateRequestOptions } from '@clerk/backend/internal';
 import { AuthStatus, constants } from '@clerk/backend/internal';
 import { deprecated } from '@clerk/shared/deprecated';
+import { handleNetlifyCacheInDevInstance } from '@clerk/shared/netlifyCacheHandler';
 import type { EventHandler } from 'h3';
 import { createError, eventHandler, setResponseHeader } from 'h3';
 
@@ -84,6 +85,11 @@ export const clerkMiddleware: ClerkMiddleware = (...args: unknown[]) => {
 
     const locationHeader = requestState.headers.get(constants.Headers.Location);
     if (locationHeader) {
+      handleNetlifyCacheInDevInstance({
+        locationHeader,
+        requestStateHeaders: requestState.headers,
+        publishableKey: requestState.publishableKey,
+      });
       // Trigger a handshake redirect
       return new Response(null, { status: 307, headers: requestState.headers });
     }

packages/nuxt/src/runtime/server/clerkMiddleware.ts

@@ -1,6 +1,7 @@
 import { createClerkClient } from '@clerk/backend';
 import type { AuthenticateRequestOptions, SignedInState, SignedOutState } from '@clerk/backend/internal';
-import { AuthStatus } from '@clerk/backend/internal';
+import { AuthStatus, constants } from '@clerk/backend/internal';
+import { handleNetlifyCacheInDevInstance } from '@clerk/shared/netlifyCacheHandler';
 
 import type { LoaderFunctionArgs } from './types';
 import { patchRequest } from './utils';
@@ -33,8 +34,13 @@ export async function authenticateRequest(
     afterSignUpUrl,
   });
 
-  const hasLocationHeader = requestState.headers.get('location');
-  if (hasLocationHeader) {
+  const locationHeader = requestState.headers.get(constants.Headers.Location);
+  if (locationHeader) {
+    handleNetlifyCacheInDevInstance({
+      locationHeader,
+      requestStateHeaders: requestState.headers,
+      publishableKey: requestState.publishableKey,
+    });
     // triggering a handshake redirect
     // eslint-disable-next-line @typescript-eslint/only-throw-error
     throw new Response(null, { status: 307, headers: requestState.headers });

packages/react-router/src/ssr/authenticateRequest.ts

@@ -1,6 +1,7 @@
 import { createClerkClient } from '@clerk/backend';
 import type { AuthenticateRequestOptions, SignedInState, SignedOutState } from '@clerk/backend/internal';
-import { AuthStatus } from '@clerk/backend/internal';
+import { AuthStatus, constants } from '@clerk/backend/internal';
+import { handleNetlifyCacheInDevInstance } from '@clerk/shared/netlifyCacheHandler';
 
 import type { LoaderFunctionArgs } from './types';
 import { patchRequest } from './utils';
@@ -33,8 +34,13 @@ export async function authenticateRequest(
     afterSignUpUrl,
   });
 
-  const hasLocationHeader = requestState.headers.get('location');
-  if (hasLocationHeader) {
+  const locationHeader = requestState.headers.get(constants.Headers.Location);
+  if (locationHeader) {
+    handleNetlifyCacheInDevInstance({
+      locationHeader,
+      requestStateHeaders: requestState.headers,
+      publishableKey: requestState.publishableKey,
+    });
     // triggering a handshake redirect
     // eslint-disable-next-line @typescript-eslint/only-throw-error
     throw new Response(null, { status: 307, headers: requestState.headers });