fix(clerk-expo): prevent android web browser tab closing in backgroun… #6050
Conversation
…d during SSO auth allow passing showInRecents option for WebBrowser.openAuthSessionAsync
🦋 Changeset detectedLatest commit: 180c0e5 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
@FabianUntermoser is attempting to deploy a commit to the Clerk Production Team on Vercel. A member of the Team first needs to authorize it. |
📝 WalkthroughWalkthroughA new changeset file was added to document a minor version update for the 📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Actionable comments posted: 2
🔭 Outside diff range comments (1)
packages/expo/src/hooks/useSSO.ts (1)
35-105: Add tests to cover the new options parameter functionality.No tests were added to cover the new
optionsparameter. Consider adding tests to verify that:
- Options are properly passed to
WebBrowser.openAuthSessionAsync- The SSO flow works correctly with different option configurations
- Backward compatibility is maintained (if options become optional)
Would you like me to help generate test cases for this functionality?
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
.changeset/plenty-plants-clap.md(1 hunks)packages/expo/src/hooks/useSSO.ts(3 hunks)
🧰 Additional context used
📓 Path-based instructions (6)
**/*.{js,jsx,ts,tsx}
Instructions used from:
Sources:
📄 CodeRabbit Inference Engine
- .cursor/rules/development.mdc
packages/**/*.ts
Instructions used from:
Sources:
📄 CodeRabbit Inference Engine
- .cursor/rules/development.mdc
packages/**/*.{ts,tsx,d.ts}
Instructions used from:
Sources:
📄 CodeRabbit Inference Engine
- .cursor/rules/development.mdc
**/*.{ts,tsx}
Instructions used from:
Sources:
📄 CodeRabbit Inference Engine
- .cursor/rules/development.mdc
- .cursor/rules/typescript.mdc
**/*.ts
Instructions used from:
Sources:
⚙️ CodeRabbit Configuration File
**/*
Instructions used from:
Sources:
⚙️ CodeRabbit Configuration File
🧠 Learnings (3)
📓 Common learnings
Learnt from: LauraBeatris
PR: clerk/javascript#6117
File: packages/clerk-js/src/ui/components/SessionTasks/index.tsx:64-83
Timestamp: 2025-06-18T16:33:36.764Z
Learning: In SessionTasks component at packages/clerk-js/src/ui/components/SessionTasks/index.tsx, the useEffect that checks for pending tasks should only run on mount (not react to currentTask/status changes) to handle browser back navigation edge cases without interfering with normal task completion flow managed by nextTask().
Learnt from: dstaley
PR: clerk/javascript#6116
File: .changeset/tangy-garlics-say.md:1-2
Timestamp: 2025-06-13T16:09:53.061Z
Learning: In the Clerk JavaScript repository, contributors create intentionally empty changeset files (containing only the YAML delimiters) when a PR touches only non-published parts of the codebase (e.g., sandbox assets). This signals that no package release is required, so such changesets should not be flagged as missing content.
Learnt from: dstaley
PR: clerk/javascript#6100
File: packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx:121-124
Timestamp: 2025-06-16T17:08:58.414Z
Learning: The @clerk/clerk-js package only supports browsers released in the last two years (since May 8, 2023), so modern CSS features like color-mix() are fully supported across all target browsers without requiring fallbacks.
Learnt from: CR
PR: clerk/javascript#0
File: .cursor/rules/development.mdc:0-0
Timestamp: 2025-06-30T10:29:42.997Z
Learning: Update documentation for API changes
Learnt from: panteliselef
PR: clerk/javascript#6285
File: packages/types/src/commerce.ts:1305-1305
Timestamp: 2025-07-11T18:08:14.618Z
Learning: In the Clerk JavaScript repository, when there's a conflict between naming consistency (camelCase) and avoiding breaking changes, the team prioritizes maintaining backward compatibility over enforcing naming conventions, even for experimental APIs.
.changeset/plenty-plants-clap.md (4)
Learnt from: dstaley
PR: clerk/javascript#6116
File: .changeset/tangy-garlics-say.md:1-2
Timestamp: 2025-06-13T16:09:53.061Z
Learning: In the Clerk JavaScript repository, contributors create intentionally empty changeset files (containing only the YAML delimiters) when a PR touches only non-published parts of the codebase (e.g., sandbox assets). This signals that no package release is required, so such changesets should not be flagged as missing content.
Learnt from: jacekradko
PR: clerk/javascript#5905
File: .changeset/six-ears-wash.md:1-3
Timestamp: 2025-06-26T03:27:05.535Z
Learning: In the Clerk JavaScript repository, changeset headers support single quotes syntax (e.g., '@clerk/backend': minor) and work fine with their current changesets integration, so there's no need to change them to double quotes.
Learnt from: panteliselef
PR: clerk/javascript#6285
File: packages/types/src/commerce.ts:1305-1305
Timestamp: 2025-07-11T18:08:14.618Z
Learning: In the Clerk JavaScript repository, when there's a conflict between naming consistency (camelCase) and avoiding breaking changes, the team prioritizes maintaining backward compatibility over enforcing naming conventions, even for experimental APIs.
Learnt from: dstaley
PR: clerk/javascript#6100
File: packages/clerk-js/src/ui/components/OAuthConsent/OAuthConsent.tsx:121-124
Timestamp: 2025-06-16T17:08:58.414Z
Learning: The @clerk/clerk-js package only supports browsers released in the last two years (since May 8, 2023), so modern CSS features like color-mix() are fully supported across all target browsers without requiring fallbacks.
packages/expo/src/hooks/useSSO.ts (2)
Learnt from: CR
PR: clerk/javascript#0
File: .cursor/rules/react.mdc:0-0
Timestamp: 2025-06-30T10:32:37.848Z
Learning: Applies to **/*.tsx : Use proper type definitions for props and state
Learnt from: wobsoriano
PR: clerk/javascript#6123
File: packages/nextjs/src/server/__tests__/getAuthDataFromRequest.test.ts:63-75
Timestamp: 2025-06-16T01:27:54.563Z
Learning: In packages/nextjs/src/server/data/getAuthDataFromRequest.ts, the tokenType behavior on mismatch is intentionally different between array and single acceptsToken values: when acceptsToken is an array and the token type doesn't match any in the array, tokenType returns null; when acceptsToken is a single value and the token type doesn't match, tokenType returns the requested single value. This design aligns with developer intent and provides a more ergonomic API for common use cases.
🧬 Code Graph Analysis (1)
packages/expo/src/hooks/useSSO.ts (1)
packages/types/src/strategies.ts (1)
EnterpriseSSOStrategy(16-16)
🔇 Additional comments (3)
packages/expo/src/hooks/useSSO.ts (2)
5-5: Import statement looks good.The import of
AuthSessionOpenOptionsfromexpo-web-browseris correctly typed and necessary for the new functionality.
46-46: Parameter extraction is implemented correctly.The destructuring of
optionsfromstartSSOFlowParamsis properly implemented..changeset/plenty-plants-clap.md (1)
1-6: Changeset properly documents the feature addition.The changeset correctly uses a minor version bump for the new functionality and provides a clear description of the change. The documentation accurately reflects the purpose of allowing options like
showInRecentsto prevent Android web browser tab closure during SSO login.
packages/expo/src/hooks/useSSO.ts
Outdated
| @@ -69,6 +71,7 @@ export function useSSO() { | |||
| const authSessionResult = await WebBrowser.openAuthSessionAsync( | |||
| externalVerificationRedirectURL.toString(), | |||
| redirectUrl, | |||
| options, | |||
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Verify authentication flow security implications.
The change to pass custom options to WebBrowser.openAuthSessionAsync modifies authentication behavior and could have security implications. Please ensure the showInRecents option and other potential options don't introduce security vulnerabilities.
@clerk/security
🏁 Script executed:
#!/bin/bash
# Locate the hook file
file=$(fd useSSO.ts)
echo "Found file: $file"
echo "---- Lines 60-100 of useSSO.ts ----"
sed -n '60,100p' "$file"
echo
echo "---- openAuthSessionAsync usage ----"
rg "openAuthSessionAsync" -A3 -B3 "$file"
echo
echo "---- Any occurrences of showInRecents in repo ----"
rg "showInRecents" -A2 -B2Length of output: 2137
🏁 Script executed:
#!/bin/bash
# Display the hook signature and locate the `options` parameter definition
echo "---- Top of useSSO.ts (lines 1-80) ----"
sed -n '1,80p' packages/expo/src/hooks/useSSO.ts
echo
echo "---- All references to 'options' in useSSO.ts ----"
rg -n "options" packages/expo/src/hooks/useSSO.tsLength of output: 3050
Enforce secure use of openAuthSessionAsync options
The options object from startSSOFlowParams is passed straight into
WebBrowser.openAuthSessionAsync(...), allowing consumers to override critical flags (e.g. showInRecents, preferEphemeralSession) that impact session security. Please address the following before merging:
• packages/expo/src/hooks/useSSO.ts:74
– Merge user-provided options with a secure baseline, for example:
ts const secureDefaults: AuthSessionOpenOptions = { preferEphemeralSession: true, // …other secure defaults }; const authSessionResult = await WebBrowser.openAuthSessionAsync( externalVerificationRedirectURL.toString(), redirectUrl, { ...secureDefaults, ...options } );
• Validate or whitelist which AuthSessionOpenOptions keys are permitted to prevent unintended behavior (e.g. disallow hiding in recents for sensitive flows).
• Add JSDoc on StartSSOFlowParams.options detailing recommended and discouraged flags.
@clerk/security
🤖 Prompt for AI Agents
In packages/expo/src/hooks/useSSO.ts at line 74, the options object passed to
WebBrowser.openAuthSessionAsync is directly from startSSOFlowParams, which can
override critical security flags. To fix this, define a secureDefaults object
with safe default flags like preferEphemeralSession set to true, then merge user
options into it using spread syntax so secureDefaults take precedence.
Additionally, implement validation or a whitelist to allow only safe
AuthSessionOpenOptions keys, preventing overrides of sensitive flags like
showInRecents. Finally, add JSDoc comments on StartSSOFlowParams.options to
document recommended and discouraged flags for clarity and security guidance.
Description
Allows passing
showInRecentsoption toWebBrowser.openAuthSessionAsync, which prevents the web browser tab closing when navigating away during the SSO login on android.Checklist
pnpm testruns as expected.pnpm buildruns as expected.Type of change
Summary by CodeRabbit