feat(backend): Add Frontend API proxy helpers #7602
…s, and @clerk/express Implement clerkProxy helper that abstracts away the complexity of proxying Clerk's Frontend API (FAPI) requests. This enables scenarios where direct communication with Clerk's API is blocked or needs to go through the application server. - Core proxy implementation in @clerk/backend/src/proxy.ts with environment-aware URL derivation - Next.js integration via clerkMiddleware frontendApiProxy option and route handlers - Express middleware for handling proxy requests with body streaming support - FAPI URL constants added to @clerk/shared for environment detection Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Add comprehensive tests for @clerk/backend/proxy including FAPI URL derivation, path matching, and request forwarding - Add tests for @clerk/nextjs/proxy route handlers and exports - Add tests for @clerk/express/proxy middleware and request conversion Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The Next.js proxy tests mocked the underlying @clerk/backend/proxy, making them essentially test that wrapper A calls function B - no real behavior was verified. The backend proxy tests provide actual coverage. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allow the `enabled` option in `frontendApiProxy` to accept a function `(url: URL) => boolean` for conditional proxy based on the request URL. This enables scenarios where an application has multiple domains and only some require proxying (e.g., `foo.replit.app` proxied while `foo.com` uses direct FAPI access). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add X-Forwarded-Host and X-Forwarded-Proto headers for proxy awareness - Preserve existing X-Forwarded-* headers from upstream proxies - Rewrite Location headers for FAPI redirects to go through the proxy - Add tests for new header handling and redirect rewriting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…t.js - Remove separate @clerk/express/proxy entry point and middleware - Embed proxy handling directly in Express clerkMiddleware - Auto-derive proxyUrl from frontendApiProxy config for handshake redirects - Add FrontendApiProxyOptions type with enabled and path options - Align API structure between Express and Next.js SDKs - Remove low-value constant tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change from defaulting enabled to true, to requiring explicit enabled: true - Update tests to use enabled: true - Update JSDoc to remove default annotation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
packages/backend/src/proxy.ts
| export function matchProxyPath(request: Request, options?: Pick<FrontendApiProxyOptions, 'proxyPath'>): boolean { | ||
| const proxyPath = options?.proxyPath || DEFAULT_PROXY_PATH; | ||
| const url = new URL(request.url); | ||
| return url.pathname.startsWith(proxyPath); |
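Review bot: The `return url.pathname.startsWith(proxyPath)` line matches on a bare string prefix, so any application route that merely begins with the same characters as the proxy path is classified as a proxy request. Require either an exact match or a `/` immediately after the prefix. Also normalize a configured `proxyPath` that ends in `/` before comparing, otherwise a boundary check built on `proxyPath + '/'` will never match for that configuration. A test using a sibling route that shares the prefix would pin the behaviour down.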
Should we check for an exact match or a / boundary here? startsWith alone means something like /__clerk-admin would incorrectly match the default /__clerk prefix.
return url.pathname === proxyPath || url.pathname.startsWith(proxyPath + '/');
Fixes issue where paths like /__clerk-admin would incorrectly match the /__clerk proxy path. Now requires either an exact match or a trailing slash boundary. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ensures that proxy paths like /__clerk/ work correctly by stripping trailing slashes before matching. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Express types these headers as string | string[] | undefined. Take the first element when they're arrays to avoid malformed URLs. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…bpath - Remove @clerk/nextjs/proxy subpath export - Re-export proxy functions from @clerk/nextjs/server - Update JSDoc examples to use new import path Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replaces /\/+$/ regex with a simple while loop to avoid ReDoS concerns flagged by GitHub Advanced Security code scanning. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
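The boundary check from the review thread and the loop-based trailing-slash stripping from the commits above, combined into one matcher. This is an added example, not code from the PR or from @clerk/backend; the function names and the `example.test` host are hypothetical, and rejecting an empty prefix is an assumption added here.

```typescript
// Added illustration; names are hypothetical, not the @clerk/backend API.
const DEFAULT_PROXY_PATH = '/__clerk'; // default prefix named in the review comment

// Strip trailing slashes with a linear loop instead of the /\/+$/ regex.
function stripTrailingSlashes(path: string): string {
  let end = path.length;
  while (end > 0 && path.charCodeAt(end - 1) === 47 /* '/' */) {
    end--;
  }
  return path.slice(0, end);
}

function matchesProxyPath(requestUrl: string, proxyPath: string = DEFAULT_PROXY_PATH): boolean {
  const prefix = stripTrailingSlashes(proxyPath);
  // "/" normalizes to "", and startsWith("" + "/") is true for every path,
  // which would route the whole application through the proxy. Refuse it.
  if (prefix === '' || !prefix.startsWith('/')) {
    throw new Error(`invalid proxy path: ${JSON.stringify(proxyPath)}`);
  }
  // The URL parser resolves dot segments before we compare, so
  // "/__clerk/../admin" is seen as "/admin". Percent-encoded slashes stay encoded.
  const { pathname } = new URL(requestUrl);
  return pathname === prefix || pathname.startsWith(prefix + '/');
}

// Constructed sample requests with the expected classification.
const proxySamples: Array<[string, boolean]> = [
  ['https://app.example.test/__clerk', true],
  ['https://app.example.test/__clerk/v1/client?x=1', true],
  ['https://app.example.test/__clerk-admin', false], // shares the prefix only
  ['https://app.example.test/__clerk/../admin', false], // resolves to /admin
  ['https://app.example.test/__clerk%2Fv1/client', false], // encoded slash is not a boundary
  ['https://app.example.test/api/__clerk/v1', false], // prefix must be at the start
];

function checkProxySamples(): boolean {
  return proxySamples.every(([url, expected]) => matchesProxyPath(url) === expected);
}
```
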
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Description
Adds Frontend API proxy support to clerkMiddleware for both Next.js and Express. This enables scenarios where direct communication with Clerk's API is blocked or needs to go through the application server.
API
Next.js
Express
Key Features
- clerkMiddleware
- proxyUrl for handshake redirects is automatically derived from the frontendApiProxy config
- enabled to conditionally enable proxy based on request URL
Type of change
Testing