fix(backend): Derive origin from request URL (#6393)

brkalow · web-flow · commit af615b89838e · 2025-07-28T12:02:48.000-05:00
diff --git a/.changeset/tidy-windows-travel.md b/.changeset/tidy-windows-travel.md
@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Fixes an issue where the Clerk SDK was improperly detecting the request's origin.
diff --git a/packages/backend/src/tokens/__tests__/request.test.ts b/packages/backend/src/tokens/__tests__/request.test.ts
@@ -1411,7 +1411,6 @@ describe('tokens.authenticateRequest(options)', () => {
         {
           referer: 'https://satellite.com/signin',
           'sec-fetch-dest': 'document',
-          origin: 'https://primary.com',
         },
         {
           __session: mockJwt,
@@ -1441,7 +1440,6 @@ describe('tokens.authenticateRequest(options)', () => {
           referer: 'https://satellite.com/signin',
           'sec-fetch-dest': 'document',
           'sec-fetch-site': 'cross-site',
-          origin: 'https://primary.com',
         },
         {
           __session: mockJwt,
@@ -1468,9 +1466,9 @@ describe('tokens.authenticateRequest(options)', () => {
     test('does not trigger handshake when referer is same origin', async () => {
       const request = mockRequestWithCookies(
         {
+          host: 'primary.com',
           referer: 'https://primary.com/signin',
           'sec-fetch-dest': 'document',
-          origin: 'https://primary.com',
         },
         {
           __session: mockJwt,
diff --git a/packages/backend/src/tokens/authenticateContext.ts b/packages/backend/src/tokens/authenticateContext.ts
@@ -174,7 +174,7 @@ class AuthenticateContext implements AuthenticateContext {
    * @returns {boolean} True if referrer exists and is from a different origin, false otherwise.
    */
   public isCrossOriginReferrer(): boolean {
-    if (!this.referrer || !this.origin) {
+    if (!this.referrer || !this.clerkUrl.origin) {
       return false;
     }
 
@@ -184,7 +184,7 @@ class AuthenticateContext implements AuthenticateContext {
       }
 
       const referrerOrigin = new URL(this.referrer).origin;
-      return referrerOrigin !== this.origin;
+      return referrerOrigin !== this.clerkUrl.origin;
     } catch {
       // Invalid referrer URL format
       return false;

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/backend': patch
 +---
++
 +Fixes an issue where the Clerk SDK was improperly detecting the request's origin.
Original file line number	Diff line number	Diff line change
`@@ -1411,7 +1411,6 @@ describe('tokens.authenticateRequest(options)', () => {`
`1411`	`1411`	`{`
`1412`	`1412`	`referer: 'https://satellite.com/signin',`
`1413`	`1413`	`'sec-fetch-dest': 'document',`
`1414`		`- origin: 'https://primary.com',`
`1415`	`1414`	`},`
`1416`	`1415`	`{`
`1417`	`1416`	`__session: mockJwt,`
`@@ -1441,7 +1440,6 @@ describe('tokens.authenticateRequest(options)', () => {`
`1441`	`1440`	`referer: 'https://satellite.com/signin',`
`1442`	`1441`	`'sec-fetch-dest': 'document',`
`1443`	`1442`	`'sec-fetch-site': 'cross-site',`
`1444`		`- origin: 'https://primary.com',`
`1445`	`1443`	`},`
`1446`	`1444`	`{`
`1447`	`1445`	`__session: mockJwt,`
`@@ -1468,9 +1466,9 @@ describe('tokens.authenticateRequest(options)', () => {`
`1468`	`1466`	`test('does not trigger handshake when referer is same origin', async () => {`
`1469`	`1467`	`const request = mockRequestWithCookies(`
`1470`	`1468`	`{`
	`1469`	`+ host: 'primary.com',`
`1471`	`1470`	`referer: 'https://primary.com/signin',`
`1472`	`1471`	`'sec-fetch-dest': 'document',`
`1473`		`- origin: 'https://primary.com',`
`1474`	`1472`	`},`
`1475`	`1473`	`{`
`1476`	`1474`	`__session: mockJwt,`