Skip to content

Add decorateUrl to navigate callbacks for Safari ITP support #3037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nikosdouvlis merged 11 commits into from
Feb 10, 2026
Merged

Add decorateUrl to navigate callbacks for Safari ITP support #3037

nikosdouvlis merged 11 commits into from
Feb 10, 2026

Conversation

@nikosdouvlis
Copy link
Member

@nikosdouvlis nikosdouvlis commented Feb 4, 2026

Summary

Updates all custom flow documentation to include the new decorateUrl function in navigate callbacks, enabling Safari ITP cookie refresh support.

  • Updated 25 documentation files with the decorateUrl pattern
  • Covers all authentication custom flows (current and legacy)
  • Includes Expo partial files

Why

Safari's Intelligent Tracking Prevention (ITP) limits cookies set via API responses from CNAME-cloaked subdomains to 7 days. This causes unexpected session expiration for Safari users who don't visit frequently. The decorateUrl function wraps destination URLs and may return an absolute URL when cookie refresh is needed.

The Pattern

All navigate callbacks now use:

navigate: async ({ session, decorateUrl }) => {
  const url = decorateUrl('/')
  if (url.startsWith('http')) {
    window.location.href = url
  } else {
    router.push(url)
  }
}

Related

Test plan

🤖 Generated with Claude Code

@nikosdouvlis
feat(docs): add decorateUrl to navigate callbacks for Safari ITP support
c13bee6 
Why:
Safari's Intelligent Tracking Prevention (ITP) limits cookies set via API
responses from CNAME-cloaked subdomains to 7 days. This causes unexpected
session expiration for Safari users who don't visit frequently. The new
decorateUrl function in setActive/finalize navigate callbacks enables
automatic cookie refresh when needed.

What changed:
- Updated 25 doc files with decorateUrl pattern in navigate callbacks
- Pattern wraps destination URLs and checks if result is absolute (http)
  to determine whether to use window.location.href or router.push()
- Covers all custom flows: auth, legacy auth, Expo partials
- Skipped billing checkout finalize() - different API, not affected

Files: oauth-connections, sign-in-or-up, email-password, email-password-mfa,
email-sms-otp, passkeys, enterprise-connections, legal-acceptance,
embedded-email-links, multi-session-applications, session-tasks,
error-handling, forgot-password, application-invitations, expo partials
@nikosdouvlis nikosdouvlis requested a review from a team as a code owner February 4, 2026 11:27
@vercel
Copy link

vercel bot commented Feb 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-docs Ready Ready Preview Feb 10, 2026 3:48pm

Request Review

@nikosdouvlis nikosdouvlis changed the base branch from main to core-3 February 4, 2026 12:35
@SarahSoutoul SarahSoutoul mentioned this pull request Feb 4, 2026
Merged
@alexisintech alexisintech self-assigned this Feb 5, 2026
@alexisintech alexisintech force-pushed the nikos/user4475-udpate-docs-with-decorateurl branch from e3368ab to c7a70ee Compare February 6, 2026 21:05
@alexisintech
Copy link
Member

alexisintech commented Feb 6, 2026
edited
Loading

does this only apply to navigate() for setActive(), or does it apply to the navigate() callback for finalize() as well? (checkout.finalize({ navigate }))

Screenshot 2026-02-06 at 16 04 53

@nikosdouvlis
fix(docs): use object destructuring for decorateUrl in navigate callb…
99eb5e3 
…acks

The navigate callback receives an object { session, decorateUrl }, not
decorateUrl directly. Without destructuring, decorateUrl('/')  would
throw at runtime.
manovotny and others added 2 commits February 9, 2026 16:18
@manovotny
Next.js: Remove beforeYouStart from quickstart hero (#3058)
b122f5a
@nikosdouvlis
Merge remote-tracking branch 'origin/main' into nikos/user4475-udpate…
b09a061 
…-docs-with-decorateurl

# Conflicts:
#	docs/reference/components/authentication/task-choose-organization.mdx
#	docs/reference/components/authentication/task-reset-password.mdx
#	docs/reference/components/billing/subscription-details-button.mdx
#	docs/reference/hooks/use-subscription.mdx
#	docs/reference/nextjs/errors/auth-was-called.mdx
@nikosdouvlis nikosdouvlis force-pushed the nikos/user4475-udpate-docs-with-decorateurl branch from 242837d to b09a061 Compare February 10, 2026 10:53
@nikosdouvlis
fix(docs): fix decorateUrl bugs in navigate callback examples
93d3db5 
- Use `url` variable instead of hardcoded '/' in else branch (legacy/application-invitations)
- Replace `router.push` with `window.location.href` in vanilla JS examples (multi-session, clerk.mdx)
- Add missing `return` after currentTask check to prevent fall-through navigation
- Remove `window.location.href` from Expo examples where it doesn't exist in React Native
@nikosdouvlis
Merge remote-tracking branch 'origin/core-3' into nikos/user4475-udpa…
183ee86 
…te-docs-with-decorateurl

# Conflicts:
#	docs/guides/development/custom-flows/authentication/legacy/email-password.mdx
#	docs/guides/development/custom-flows/authentication/legacy/legal-acceptance.mdx
#	docs/guides/development/custom-flows/authentication/legacy/oauth-connections.mdx
#	docs/guides/development/custom-flows/authentication/legacy/sign-in-or-up.mdx
#	docs/reference/components/authentication/task-choose-organization.mdx
#	docs/reference/components/authentication/task-reset-password.mdx
#	docs/reference/components/billing/subscription-details-button.mdx
#	docs/reference/hooks/use-subscription.mdx
#	docs/reference/nextjs/errors/auth-was-called.mdx
alexisintech
alexisintech approved these changes Feb 10, 2026
View reviewed changes
Copy link
Member

@alexisintech alexisintech left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks nikos 😸💖

@nikosdouvlis nikosdouvlis merged commit c839e4c into core-3 Feb 10, 2026
2 checks passed
@nikosdouvlis nikosdouvlis deleted the nikos/user4475-udpate-docs-with-decorateurl branch February 10, 2026 20:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexisintech alexisintech alexisintech approved these changes

Assignees

@alexisintech alexisintech

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nikosdouvlis @alexisintech @manovotny