feat(clerk-js): Link to external App page in OAuth Consent

[jfoshee]

Description

Add support for a Link URL to <Avatar> which will wrap the image in an anchor tag.
If the given link is absolute, it will open the link in a new window.
Attribute rel="noopener noreferrer" is applied to the external link to avoid (in legacy browsers) passing an opener object to the target page, and to avoid sharing sensitive query string parameters.

Wire the Avatar.linkUrl up to OAuth Application URL so that users can click the Logo of the OAuth App to navigate to the App's homepage.

Test in sandbox http://localhost:4000/oauth-consent?app-url=https%3A%2F%2Fclerk.com&logo-url=http%3A%2F%2Flocalhost%3A3000%2Flogo

Part of USER-2011

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features
  • Avatars can include an optional external link.
  • OAuth consent screen can show an application logo that links to the app’s homepage when provided.
• Bug Fixes
  • External links now include “noreferrer” alongside “noopener” for improved security and privacy.

[changeset-bot]

🦋 Changeset detected

Latest commit: ecaab41

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/types	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/elements	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/localizations	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/clerk-react	Patch
@clerk/remix	Patch
@clerk/shared	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/themes	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready	Preview	Comment	Aug 12, 2025 8:48pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds optional linking support for OAuth application data and avatars: an optional oAuthApplicationUrl prop is added to __internal_OAuthConsentProps; sandbox app parses oAuthApplicationUrl and oAuthApplicationLogoUrl from URL params; OAuthConsentInternal consumes oAuthApplicationUrl and passes it to ApplicationLogo to render an external link; ApplicationLogo gains isExternal support and Link primitive now uses rel="noopener noreferrer". A VSCode task for running dev:sandbox was also added. No server-side acceptance, validation, or storage of logo_uri/client_uri is included.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Accept and validate logo_uri on client creation with host/scheme checks; cache on CDN; restrict size/format to JPG/PNG and dimensions (USER-2011)	❌	No server-side creation or validation logic present in these changes.
Accept client_uri on client creation with origin checks vs redirect_uris (USER-2011)	❌	No server-side client_uri acceptance or origin validation implemented.
Display logo on consent screen (USER-2011)	✅	OAuthConsent already displays an application logo; this PR links that logo to oAuthApplicationUrl.
Expose client_uri only in dashboard and not as clickable link on consent (USER-2011)	❌	This PR surfaces oAuthApplicationUrl as a clickable external link from the consent UI.

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Added VSCode task "Dev: Sandbox" (.vscode/tasks.json)	Editor task config is unrelated to USER-2011 objectives about accepting/validating client/logo URIs.
Link primitive rel change to "noopener noreferrer" (packages/clerk-js/src/ui/primitives/Link.tsx)	A general security/privacy tweak to link behavior; not part of server-side client/logo handling requirements.
ApplicationLogo: render external Link when isExternal true (packages/clerk-js/src/ui/elements/ApplicationLogo.tsx)	Introducing a clickable external logo on the consent screen conflicts with USER-2011 guidance to not display client_uri as a clickable consent element initially.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (1)

46-51: Confirm Avatar adds rel="noopener noreferrer" when target="_blank"

Clickable logos point to arbitrary third-party domains. To avoid tab-napping, ensure the underlying <a> inside Avatar sets rel="noopener noreferrer" alongside target="_blank".
If the current Avatar implementation does not, please patch it and involve the clerk security team.

🧹 Nitpick comments (3)

packages/clerk-js/sandbox/app.ts (1)

335-337: Guard against empty query-string values before passing to mount

If logo-url or app-url are present but empty (?logo-url=&app-url=), we still forward empty strings. __internal_mountOAuthConsent will interpret these as “value provided”, which may cause broken <img> sources or empty <a href> attributes.

-          oAuthApplicationLogoUrl: searchParams.get('logo-url'),
-          oAuthApplicationUrl: searchParams.get('app-url'),
+          oAuthApplicationLogoUrl: searchParams.get('logo-url') || undefined,
+          oAuthApplicationUrl: searchParams.get('app-url') || undefined,

packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (1)

20-21: Discrepancy with new prop: make URL optional in hook typings

oAuthApplicationUrl is optional but you destructure it without a default.
If undefined, Avatar will still receive the prop (value undefined) which forces a re-render in some scenarios and complicates prop-type checks.

Consider eliding when falsy:

- externalLinkUrl={oAuthApplicationUrl}
+ externalLinkUrl={oAuthApplicationUrl ?? undefined}

(or omit the prop entirely via spread).

.changeset/sad-turkeys-rhyme.md (1)

6-9: Reflect security guidance in the changeset

Because hyperlinks to third-party sites are now rendered, mention that Avatar sanitises the URL / adds rel="noopener noreferrer". This signals consumers that the patch is safe and intentional.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b637177 and b455d85.

📒 Files selected for processing (6)

• .changeset/sad-turkeys-rhyme.md (1 hunks)
• .vscode/tasks.json (1 hunks)
• packages/clerk-js/sandbox/app.ts (1 hunks)
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (3 hunks)
• packages/clerk-js/src/ui/elements/Avatar.tsx (3 hunks)
• packages/types/src/clerk.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (11)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

**/*

⚙️ CodeRabbit Configuration File

**/*: If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Whenever reviewing a pull request, if there are any changes that could impact security, always tag @clerk/security in the PR.

Security-impacting changes include, but are not limited to:

• Changes to authentication logic or mechanisms (e.g. login, session handling, token issuance)
• Any modification to access control, authorization checks, or role-based permissions
• Introduction or modification of hashing algorithms, signature verification, or cryptographic primitives
• Handling of sensitive data (e.g. passwords, tokens, secrets, PII)
• Integration with external identity providers (e.g. SSO, OAuth, OpenID Connect)
• Modifications to security headers, cookie flags, CORS policies, or CSRF protections
• Bypass mechanisms (e.g. feature flags, testing overrides) that could weaken protections
• Changes to rate limiting, abuse prevention, or input validation

If you're unsure whether a change is security-relevant, err on the side of caution and tag @clerk/security.

Any time that you tag @clerk/security, please do so explicitly in a code comment, rather than within a collapsed section in a coderabbit comment, such as the "recent review details" section. If you do use the team name in any thinking or non-direct-code-comment content, it can be referred to as "clerk security team" to avoid accidentally printing the tag which sends a notification to the team.

Files:

• packages/clerk-js/sandbox/app.ts
• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/types/src/clerk.ts

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{jsx,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.tsx

📄 CodeRabbit Inference Engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

• packages/clerk-js/src/ui/elements/Avatar.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

.changeset/**

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

• .changeset/sad-turkeys-rhyme.md

🔇 Additional comments (4)

.vscode/tasks.json (1)

1-13: VSCode task looks fine

Task follows VSCode 2.0 schema and scopes execution correctly to packages/clerk-js.
No action required.

packages/clerk-js/src/ui/elements/Avatar.tsx (3)

18-22: LGTM! Clear and comprehensive JSDoc documentation.

The JSDoc comment clearly describes the prop's purpose and behavior, including the important detail about opening in a new tab.

---

36-36: LGTM! Proper prop destructuring.

The destructuring follows the established pattern and is properly typed.

---

74-84: Good security practices, but consider additional validation and accessibility improvements.

The implementation correctly uses rel="noopener noreferrer" for security, which prevents the new page from accessing window.opener and blocks referrer information. The trim check is also a good practice.

However, consider these improvements:

Security considerations:

• Add URL validation to ensure only valid, safe URLs are accepted
• Consider sanitizing the URL before using it in href to prevent XSS
• Since this handles external URLs (OAuth app URLs), validate that URLs use safe protocols (https://)

Accessibility improvements:

• Add aria-label or title to indicate this is an external link
• Consider adding visual indication for external links

      {externalLinkUrl && externalLinkUrl.trim() ? (
        <a
          href={externalLinkUrl}
          target='_blank'
          rel='noopener noreferrer'
+         aria-label={`${title}'s external page (opens in new tab)`}
        >
          {ImgOrFallback}
        </a>
      ) : (
        ImgOrFallback
      )}

@clerk/security - This change introduces external URL handling in the Avatar component, which will be used for OAuth application URLs. Please review the security implications of accepting external URLs without validation.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6447

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6447

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6447

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6447

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6447

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6447

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6447

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6447

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6447

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6447

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6447

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6447

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6447

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6447

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6447

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6447

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6447

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6447

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6447

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6447

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6447

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6447

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6447

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6447

commit: ecaab41

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

packages/clerk-js/src/ui/primitives/Link.tsx (1)

61-67: Add protocol sanitization to Link’s href for external links

The Link primitive currently renders href unfiltered, so malicious javascript:, data: or other unsafe schemes could slip through when isExternal is true. We should leverage the existing utilities in packages/clerk-js/src/utils/url.ts to block non-http(s) protocols:

• Import and use hasBannedProtocol and isDataUri (or isProblematicUrl) from utils/url.ts.
• Compute a “safe” href before rendering and fall back to undefined or '#' if the URL is unsafe.
• Only apply target="_blank"/rel="noopener noreferrer" when the sanitized URL passes the checks.

Example diff inside packages/clerk-js/src/ui/primitives/Link.tsx:

 import React from 'react';
+import { hasBannedProtocol, isDataUri } from '../../utils/url';

 export const Link = (props: LinkProps): JSX.Element => {
   const { isExternal, children, href, onClick, ...rest } = props;

+  // Block unsafe external URL schemes
+  const safeHref =
+    href && isExternal && (hasBannedProtocol(href) || isDataUri(href))
+      ? undefined
+      : href;

   const onClickHandler = onClick
     ? (e: React.MouseEvent<HTMLAnchorElement, MouseEvent>) => {

And update the JSX:

-      <a
-        href={href || ''}
+      <a
+        href={safeHref || ''}
         target={href && isExternal ? '_blank' : undefined}
         rel={href && isExternal ? 'noopener noreferrer' : undefined}

This ensures that any javascript: or data: URLs are never set on external links.

🧹 Nitpick comments (1)

packages/clerk-js/src/ui/primitives/Link.tsx (1)

61-67: Optional hardening: add referrerPolicy for explicit no‑referrer behavior

While rel="noreferrer" is widely supported, explicitly setting referrerPolicy improves clarity and coverage.

Apply this minimal addition:

       target={href && isExternal ? '_blank' : undefined}
-      rel={href && isExternal ? 'noopener noreferrer' : undefined}
+      rel={href && isExternal ? 'noopener noreferrer' : undefined}
+      referrerPolicy={href && isExternal ? 'no-referrer' : undefined}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 49283ea and dcfde0e.

📒 Files selected for processing (3)

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (3 hunks)
• packages/clerk-js/src/ui/elements/Avatar.tsx (4 hunks)
• packages/clerk-js/src/ui/primitives/Link.tsx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx
• packages/clerk-js/src/ui/elements/Avatar.tsx

🧰 Additional context used

📓 Path-based instructions (10)

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*.{jsx,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*.tsx

📄 CodeRabbit Inference Engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

• packages/clerk-js/src/ui/primitives/Link.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

packages/clerk-js/src/ui/primitives/Link.tsx (1)

66-66: Add rel="noopener noreferrer" for external links — correct and secure

Prevents reverse‑tabnabbing and suppresses Referer. Matches best practices for target=_blank external links.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92ede1e and 76c8af4.

📒 Files selected for processing (3)

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (3 hunks)
• packages/clerk-js/src/ui/primitives/Link.tsx (1 hunks)
• packages/types/src/clerk.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/types/src/clerk.ts
• packages/clerk-js/src/ui/primitives/Link.tsx

🧰 Additional context used

📓 Path-based instructions (10)

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{jsx,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.tsx

📄 CodeRabbit Inference Engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (1)

49-51: No change needed for ApplicationLogo’s href prop

The ApplicationLogo component is designed to accept an href prop and wrap the logo image in your internal RouterLink implementation—not the Avatar component—so there is no linkUrl API to forward. You can safely ignore the earlier suggestion to rename or map this prop.

Likely an incorrect or invalid review comment.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Plumbed oAuthApplicationUrl: confirm typing, sanitization, and policy gating (USER-2011).

Looks good functionally. Please verify:

• Types: __internal_OAuthConsentProps and useOAuthConsentContext include oAuthApplicationUrl?: string.
• Security: Only http(s) URLs allowed; no javascript:/data: protocols.
• Policy: UI should only receive/show client_uri after server-side origin validation against redirect_uris (per USER-2011). If not guaranteed upstream, gate display in UI.

Also add tests: with/without URL, absolute vs relative URL, external link opens in new tab with rel="noopener noreferrer".

I can add tests and/or a UI guard that hides the link unless http(s) and policy-validated. Want me to push a patch?

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Confirm types expose oAuthApplicationUrl
rg -n --hidden --glob '!node_modules' 'oAuthApplicationUrl\??:\s*string' packages

# 2) Inspect OAuth consent context to ensure it provides the field
rg -n --hidden --glob '!node_modules' 'useOAuthConsentContext|OAuthConsentContext' packages -A 10

# 3) Check Link/Avatar to ensure only http(s) are allowed and external links use noopener+noreferrer
fd -a 'Link.tsx' packages | xargs -I{} sh -c 'echo "== {};"; rg -n "target|rel|noreferrer|noopener|http|https|javascript:" "{}" -n -A 5 -B 3'
fd -a 'Avatar.tsx' packages | xargs -I{} sh -c 'echo "== {};"; rg -n "linkUrl|Link" "{}" -n -A 10 -B 5'

# 4) Search server/registration code for client_uri origin validation against redirect_uris
rg -n --hidden --glob '!node_modules' 'client_uri|clientUri|oAuthApplicationUrl|redirect_uris|origin|validate' -S

Length of output: 7147

---

We need to inspect how oAuthApplicationUrl is consumed in OAuthConsent.tsx. Let’s pull its usage context:

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n 'oAuthApplicationUrl' -A5 -B5 packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

Length of output: 1593

---

Enforce URL Protocol Sanitization and Confirm Server-Side Validation

Even though the new oAuthApplicationUrl?: string prop is correctly typed and the Link primitive handles target/rel for external URLs, we still need to:

• Prevent malicious schemes (e.g. javascript:/data:) in the UI
• Ensure the authorization server has validated client_uri against the registered redirect_uris

Please update packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx around the two <ApplicationLogo … href={oAuthApplicationUrl} /> usages (lines 49–50 and 66–69):

1. Add a local guard that only allows http:// or https:// URLs:

     const { oAuthApplicationLogoUrl, oAuthApplicationName, oAuthApplicationUrl, ... } =
       useOAuthConsentContext();

•  const isValidOAuthUrl =
  

•    oAuthApplicationUrl?.startsWith('http://') ||
  

•    oAuthApplicationUrl?.startsWith('https://');
  
   // …inside JSX…
   <ApplicationLogo
     src={oAuthApplicationLogoUrl}
     alt={oAuthApplicationName}
  

•    href={oAuthApplicationUrl}
  

•    href={isValidOAuthUrl ? oAuthApplicationUrl : undefined}
   />
  

  2. Confirm and document that the backend enforces origin validation of `client_uri` against the registered `redirect_uris`. If this isn’t already guaranteed, gate the UI link behind that same policy flag.
  
  

3. Add unit/visual tests for:
   • No URL vs. valid HTTP vs. malformed/relative URLs
   • External links opening in a new tab with rel="noopener noreferrer"

🤖 Prompt for AI Agents

In packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx around the
two ApplicationLogo href usages (lines 49–50 and 66–69), the UI must guard
against malicious URL schemes and document backend validation; add a local
sanitizer that only allows href values that start with "http://" or "https://"
(otherwise pass undefined so the logo is not a link), ensure external links use
target="_blank" and rel="noopener noreferrer", and add a comment noting that the
authorization server must validate client_uri against registered redirect_uris
(if the server does not already enforce this, gate the UI link behind the same
server-side policy flag). Also add unit/visual tests covering: no URL, valid
http(s) URL, malformed/relative URL, and that external links open in a new tab
with rel="noopener noreferrer".

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (4)

packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (3)

102-105: Add JSDoc for the new localization strings

The component uses hardcoded strings in the Header.Subtitle that should be properly localized. According to the coding guidelines, all user-facing strings must use localization methods.

Update the localization approach:

<Header.Subtitle
- localizationKey={`wants to access ${applicationName} on behalf of ${primaryEmailAddress}`}
+ localizationKey='oauthConsent.subtitle'
+ localizationOptions={{ applicationName, userEmail: primaryEmailAddress }}
/>

---

128-129: Replace template literals with proper localization keys

These strings use template literals instead of proper localization keys, violating the guideline that all user-facing strings must be localized using provided localization methods.

Replace with proper localization keys:

<Text
  variant='subtitle'
- localizationKey={`This will allow ${oAuthApplicationName} access to:`}
+ localizationKey='oauthConsent.scopesIntro'
+ localizationOptions={{ appName: oAuthApplicationName }}
/>

<Header.Subtitle
- localizationKey={`Make sure you trust ${oAuthApplicationName} and that this URL belongs to ${oAuthApplicationName}.`}
+ localizationKey='oauthConsent.redirectUrlWarning'
+ localizationOptions={{ appName: oAuthApplicationName }}
/>

Also applies to: 287-289

---

19-262: Add comprehensive tests for OAuthConsentInternal

There are currently no existing specs covering the OAuth consent component. Please add unit tests to cover:

• Rendering consent flow with valid http/https redirect URLs
• Handling invalid or malicious redirectUrl (no external link rendered)
• Behavior when no URL is provided (static logo only)
• External application links opening with target="_blank" and rel="noopener noreferrer"
• All avatar scenarios:
  • Both OAuth app & Clerk app logos present
  • Only OAuth app logo
  • Only Clerk app logo
  • Neither logo present

packages/clerk-js/src/ui/elements/ApplicationLogo.tsx (1)

25-44: Add tests for ApplicationLogo’s external/internal link logic

No existing tests reference ApplicationLogo under packages/clerk-js/src. Please create a new test file alongside the component, for example:

• packages/clerk-js/src/ui/elements/ApplicationLogo.test.tsx

Include the following scenarios:

• isExternal=true renders <Link> with target="_blank" and rel="noopener noreferrer"
• isExternal=false (or undefined) renders <RouterLink>
• Both cases properly pass through href, src, and alt props

♻️ Duplicate comments (1)

packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (1)

20-21: Add URL sanitization to prevent malicious schemes

The oAuthApplicationUrl is directly passed to ApplicationLogo without validation. This could allow malicious schemes like javascript: or data: URLs to be executed when users click the logo.

As noted in the previous review, add URL protocol validation:

export function OAuthConsentInternal() {
  const { scopes, oAuthApplicationName, oAuthApplicationLogoUrl, oAuthApplicationUrl, redirectUrl, onDeny, onAllow } =
    useOAuthConsentContext();
+  const isValidOAuthUrl =
+    oAuthApplicationUrl?.startsWith('http://') ||
+    oAuthApplicationUrl?.startsWith('https://');

Then update the href prop usage in lines 49-50 and 70-71:

-  href={oAuthApplicationUrl}
+  href={isValidOAuthUrl ? oAuthApplicationUrl : undefined}

🧹 Nitpick comments (2)

packages/clerk-js/src/ui/elements/ApplicationLogo.tsx (2)

38-43: Improve JSDoc documentation for the new isExternal prop

The JSDoc is clear but could be more specific about the security implications and relationship to the href prop.

Enhance the documentation:

/**
+ * Whether the href should be treated as an external link.
- * When true, uses a Link component with target="_blank" and proper security attributes.
+ * When true, uses a Link component with target="_blank" and rel="noopener noreferrer" for security.
- * When false or undefined, uses RouterLink for internal navigation.
+ * When false or undefined, uses RouterLink for internal navigation within the application.
+ * Only takes effect when href is provided.
*/
isExternal?: boolean;

---

90-105: Consider extracting logo link logic into a helper component

The conditional rendering logic for external vs internal links could be extracted into a reusable component to improve readability and maintainability.

Consider creating a helper component:

+const LogoLink: React.FC<{ 
+  logoUrl: string; 
+  isExternal?: boolean; 
+  children: React.ReactNode 
+}> = ({ logoUrl, isExternal, children }) => {
+  return isExternal ? (
+    <Link focusRing href={logoUrl} isExternal>
+      {children}
+    </Link>
+  ) : (
+    <RouterLink focusRing to={logoUrl}>
+      {children}
+    </RouterLink>
+  );
+};

  return (
    <Flex
      elementDescriptor={descriptors.logoBox}
      {...rest}
      sx={[...]}
    >
      {logoUrl ? (
-        isExternal ? (
-          <Link focusRing href={logoUrl} isExternal>
-            {image}
-          </Link>
-        ) : (
-          <RouterLink focusRing to={logoUrl}>
-            {image}
-          </RouterLink>
-        )
+        <LogoLink logoUrl={logoUrl} isExternal={isExternal}>
+          {image}
+        </LogoLink>
      ) : (
        image
      )}
    </Flex>
  );

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 57bff23 and ecaab41.

📒 Files selected for processing (2)

• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx (3 hunks)
• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx (3 hunks)

🧰 Additional context used

📓 Path-based instructions (10)

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

packages/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{jsx,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*.tsx

📄 CodeRabbit Inference Engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

**/*

⚙️ CodeRabbit Configuration File

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

• packages/clerk-js/src/ui/elements/ApplicationLogo.tsx
• packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx

🧬 Code Graph Analysis (1)

packages/clerk-js/src/ui/elements/ApplicationLogo.tsx (1)

packages/clerk-js/src/ui/primitives/Link.tsx (1)

• Link (57-81)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build Packages
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

packages/clerk-js/src/ui/elements/ApplicationLogo.tsx (1)

47-47: LGTM! Well-implemented external link support

The implementation correctly:

• Adds the isExternal prop to control link behavior
• Uses conditional rendering to choose between Link (external) and RouterLink (internal)
• Passes focusRing to both link types for accessibility
• Maintains backward compatibility when isExternal is not provided

The external links will benefit from the security attributes (rel="noopener noreferrer") implemented in the Link primitive.

Also applies to: 90-105

[coderabbitai]

⚠️ Potential issue

Security concern: Unsanitized external URL usage

The oAuthApplicationUrl is passed directly as href without validation. According to the PR objectives and USER-2011 requirements, the client_uri should be validated server-side against redirect_uris origins, and the UI should implement additional safety measures.

Apply this security fix:

export function OAuthConsentInternal() {
  const { scopes, oAuthApplicationName, oAuthApplicationLogoUrl, oAuthApplicationUrl, redirectUrl, onDeny, onAllow } =
    useOAuthConsentContext();
+  // Sanitize OAuth application URL to prevent malicious schemes
+  // Note: Server must validate client_uri origin against registered redirect_uris per USER-2011
+  const isValidOAuthUrl = 
+    oAuthApplicationUrl?.startsWith('http://') || 
+    oAuthApplicationUrl?.startsWith('https://');
+  const sanitizedOAuthUrl = isValidOAuthUrl ? oAuthApplicationUrl : undefined;

  // Update both ApplicationLogo instances (lines 49-50 and 70-71)
-  href={oAuthApplicationUrl}
+  href={sanitizedOAuthUrl}

Also applies to: 70-71