fix(backend): Prevent excessive handshakes (#6635)

brkalow · web-flow · commit 903642793ae2 · 2025-08-25T20:49:24.000-05:00
diff --git a/.changeset/grumpy-groups-run.md b/.changeset/grumpy-groups-run.md
@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Fixes an issue where a handshake would trigger more than intended in development.
diff --git a/integration/tests/handshake.test.ts b/integration/tests/handshake.test.ts
@@ -1437,7 +1437,7 @@ test.describe('Client handshake with an organization activation avoids infinite
     // Critical cookie: __clerk_redirect_count
     headers.set(
       'Cookie',
-      `${devBrowserCookie} __client_uat=${claims.iat}; __session=${token}; __clerk_redirect_count=1`,
+      `${devBrowserCookie} __client_uat=${claims.iat}; __session=${token}; __clerk_redirect_count=3`,
     );
 
     const res = await fetch(thisApp.serverUrl + '/organizations-by-id/org_a', {
diff --git a/packages/backend/src/tokens/handshake.ts b/packages/backend/src/tokens/handshake.ts
@@ -222,6 +222,7 @@ export class HandshakeService {
       const newUrl = new URL(this.authenticateContext.clerkUrl);
       newUrl.searchParams.delete(constants.QueryParameters.Handshake);
       newUrl.searchParams.delete(constants.QueryParameters.HandshakeHelp);
+      newUrl.searchParams.delete(constants.QueryParameters.DevBrowser);
       headers.append(constants.Headers.Location, newUrl.toString());
       headers.set(constants.Headers.CacheControl, 'no-store');
     }
@@ -323,7 +324,7 @@ ${developmentError.getFullMessage()}`,
 
     const newCounterValue = this.authenticateContext.handshakeRedirectLoopCounter + 1;
     const cookieName = constants.Cookies.RedirectCount;
-    headers.append('Set-Cookie', `${cookieName}=${newCounterValue}; SameSite=Lax; HttpOnly; Max-Age=3`);
+    headers.append('Set-Cookie', `${cookieName}=${newCounterValue}; SameSite=Lax; HttpOnly; Max-Age=2`);
     return false;
   }
 
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -386,7 +386,7 @@ export const authenticateRequest: AuthenticateRequest = (async (
     if (!mustActivate) {
       return null;
     }
-    if (authenticateContext.handshakeRedirectLoopCounter > 0) {
+    if (authenticateContext.handshakeRedirectLoopCounter >= 3) {
       // We have an organization that needs to be activated, but this isn't our first time redirecting.
       // This is because we attempted to activate the organization previously, but the organization
       // must not have been valid (either not found, or not valid for this user), and gave us back

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/backend': patch
 +---
++
 +Fixes an issue where a handshake would trigger more than intended in development.
Original file line number	Diff line number	Diff line change
`@@ -222,6 +222,7 @@ export class HandshakeService {`
`222`	`222`	`const newUrl = new URL(this.authenticateContext.clerkUrl);`
`223`	`223`	`newUrl.searchParams.delete(constants.QueryParameters.Handshake);`
`224`	`224`	`newUrl.searchParams.delete(constants.QueryParameters.HandshakeHelp);`
	`225`	`+ newUrl.searchParams.delete(constants.QueryParameters.DevBrowser);`
`225`	`226`	`headers.append(constants.Headers.Location, newUrl.toString());`
`226`	`227`	`headers.set(constants.Headers.CacheControl, 'no-store');`
`227`	`228`	`}`
@@ -323,7 +324,7 @@ ${developmentError.getFullMessage()}`,
`323`	`324`
`324`	`325`	`const newCounterValue = this.authenticateContext.handshakeRedirectLoopCounter + 1;`
`325`	`326`	`const cookieName = constants.Cookies.RedirectCount;`
`326`		- headers.append('Set-Cookie', `${cookieName}=${newCounterValue}; SameSite=Lax; HttpOnly; Max-Age=3`);
	`327`	+ headers.append('Set-Cookie', `${cookieName}=${newCounterValue}; SameSite=Lax; HttpOnly; Max-Age=2`);
`327`	`328`	`return false;`
`328`	`329`	`}`
`329`	`330`
Original file line number	Diff line number	Diff line change
`@@ -386,7 +386,7 @@ export const authenticateRequest: AuthenticateRequest = (async (`
`386`	`386`	`if (!mustActivate) {`
`387`	`387`	`return null;`
`388`	`388`	`}`
`389`		`- if (authenticateContext.handshakeRedirectLoopCounter > 0) {`
	`389`	`+ if (authenticateContext.handshakeRedirectLoopCounter >= 3) {`
`390`	`390`	`// We have an organization that needs to be activated, but this isn't our first time redirecting.`
`391`	`391`	`// This is because we attempted to activate the organization previously, but the organization`
`392`	`392`	`// must not have been valid (either not found, or not valid for this user), and gave us back`