fix(backend): Fix issue with FAPI suffixed cookies disabled (#3789)

dimkl · nikosdouvlis · anagstef · web-flow · commit 045fb93cbf57 · 2024-07-23T19:31:00.000Z
Co-authored-by: Nikos Douvlis &lt;nikosdouvlis@gmail.com&gt;
Co-authored-by: Stefanos Anagnostou &lt;anagstef@users.noreply.github.com&gt;
diff --git a/.changeset/eleven-suits-flow.md b/.changeset/eleven-suits-flow.md
@@ -0,0 +1,5 @@
+---
+"@clerk/backend": patch
+---
+
+Handle the scenario where FAPI returns unsuffixed cookies without throwing a handshake
diff --git a/packages/backend/src/tokens/authenticateContext.ts b/packages/backend/src/tokens/authenticateContext.ts
@@ -213,6 +213,14 @@ class AuthenticateContext {
       }
     }
 
+    // If a suffixed session cookie exists but the corresponding client_uat cookie is missing, fallback to using
+    // unsuffixed cookies.
+    // This handles the scenario where an app has been deployed using an SDK version that supports suffixed
+    // cookies, but FAPI for its Clerk instance has the feature disabled (eg: if we need to temporarily disable the feature).
+    if (!suffixedClientUat && suffixedSession) {
+      return false;
+    }
+
     return true;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,14 @@ class AuthenticateContext {`
`213`	`213`	`}`
`214`	`214`	`}`
`215`	`215`
	`216`	`+ // If a suffixed session cookie exists but the corresponding client_uat cookie is missing, fallback to using`
	`217`	`+ // unsuffixed cookies.`
	`218`	`+ // This handles the scenario where an app has been deployed using an SDK version that supports suffixed`
	`219`	`+ // cookies, but FAPI for its Clerk instance has the feature disabled (eg: if we need to temporarily disable the feature).`
	`220`	`+ if (!suffixedClientUat && suffixedSession) {`
	`221`	`+ return false;`
	`222`	`+ }`
	`223`	`+`
`216`	`224`	`return true;`
`217`	`225`	`}`
`218`	`226`