Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(nextjs,backend): Support handshake in iframes #3555

Merged
merged 11 commits into from
Jul 11, 2024
Merged

fix(nextjs,backend): Support handshake in iframes #3555

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
1ec5424
fix(nextjs,backend): Support handshake in iframes
anagstef Jun 12, 2024
a46259f
Update poor-knives-laugh.md
anagstef Jun 13, 2024
e157ad8
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jun 13, 2024
ba8e13e
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jun 17, 2024
148bf15
Update .changeset/poor-knives-laugh.md
anagstef Jun 20, 2024
c96e9ea
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jun 20, 2024
e04603b
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jun 20, 2024
27f3f6b
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jul 10, 2024
88c02de
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jul 10, 2024
a73c9b9
Merge branch 'main' into stefanos/fix-iframe-handshake
anagstef Jul 11, 2024
203414f
Add comment for sec-fetch-dest iframe value
anagstef Jul 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changeset/poor-knives-laugh.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
'@clerk/backend': minor
'@clerk/nextjs': minor
---

Support handshake in iframes
anagstef marked this conversation as resolved.
Show resolved Hide resolved
2 changes: 1 addition & 1 deletion packages/backend/src/tokens/request.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ function isRequestEligibleForHandshake(authenticateContext: { secFetchDest?: str
const { accept, secFetchDest } = authenticateContext;

// NOTE: we could also check sec-fetch-mode === navigate here, but according to the spec, sec-fetch-dest: document should indicate that the request is the data of a user navigation.
if (secFetchDest === 'document') {
if (secFetchDest === 'document' || secFetchDest === 'iframe') {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ️ When document requests happend from inside an iframe the Sec-Fetch-Dest value is set to iframe. Fetch/XHR requests do not use this value.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose exporting a SAFE_SEC_FETCH_DESTS array from shared and then consuming it in backend and nextjs, and just checking SAFE_SEC_FETCH_DESTS.includes(secFetchDest)

return true;
}

Expand Down
1 change: 1 addition & 0 deletions packages/nextjs/src/server/protect.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,7 @@ const isServerActionRequest = (req: Request) => {
const isPageRequest = (req: Request): boolean => {
return (
req.headers.get(constants.Headers.SecFetchDest) === 'document' ||
req.headers.get(constants.Headers.SecFetchDest) === 'iframe' ||
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❓ why do we need this as part of this PR? Is this related to the handshake mechanism?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we need this in order for pages wrapped with protect work properly in the first load via an iframe

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not a handshake particular thing, but as @panteliselef said, it will help with protect and iframes.

req.headers.get(constants.Headers.Accept)?.includes('text/html') ||
isAppRouterInternalNavigation(req) ||
isPagesRouterInternalNavigation(req)
Expand Down