
Commit 33efaad

authored
fix(clerk-js): Proper secure attribute for clerk_active_context cookie (#6851)
1 parent cf2f284 commit 33efaad


3 files changed

+28
-6
lines changed


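--- a/.changeset/lucky-showers-guess.md
+++ b/.changeset/lucky-showers-guess.md
@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Update active context cookie to properly set `Secure` attribute.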

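--- a/packages/clerk-js/src/core/auth/AuthCookieService.ts
+++ b/packages/clerk-js/src/core/auth/AuthCookieService.ts
@@ -1,6 +1,6 @@
 import type { createClerkEventBus } from '@clerk/shared/clerkEventBus';
 import { clerkEvents } from '@clerk/shared/clerkEventBus';
-import { createCookieHandler } from '@clerk/shared/cookie';
+import type { createCookieHandler } from '@clerk/shared/cookie';
 import { setDevBrowserJWTInURL } from '@clerk/shared/devBrowser';
 import { is4xxError, isClerkAPIResponseError, isClerkRuntimeError, isNetworkError } from '@clerk/shared/error';
 import { noop } from '@clerk/shared/utils';
@@ -9,6 +9,7 @@ import type { Clerk, InstanceType } from '@clerk/types';
 import { clerkMissingDevBrowserJwt } from '../errors';
 import { eventBus, events } from '../events';
 import type { FapiClient } from '../fapiClient';
+import { createActiveContextCookie } from './cookies/activeContext';
 import type { ClientUatCookieHandler } from './cookies/clientUat';
 import { createClientUatCookie } from './cookies/clientUat';
 import type { SessionCookieHandler } from './cookies/session';
@@ -75,7 +76,7 @@ export class AuthCookieService {
 
 this.clientUat = createClientUatCookie(cookieSuffix);
 this.sessionCookie = createSessionCookie(cookieSuffix);
-this.activeCookie = createCookieHandler('clerk_active_context');
+this.activeCookie = createActiveContextCookie();
 this.devBrowser = createDevBrowser({
 frontendApi: clerk.frontendApi,
 fapiClient,
@@ -84,10 +85,6 @@ export class AuthCookieService {
 }
 
 public async setup() {
-// Cleanup old cookie
-// TODO: This should be removed after 2025-08-01
-createCookieHandler('clerk_active_org').remove();
-
 if (this.instanceType === 'production') {
 return this.setupProduction();
 } else {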
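Review bot: The `import type { createCookieHandler }` kept on line 3 suggests the `activeCookie` field is still declared against the generic handler's type, while the constructor now assigns the narrower wrapper returned by `createActiveContextCookie()`; the field declaration and the start of the constructor are outside these hunks, so this is inferred. If that is the case, a call such as `this.activeCookie.set(value, { secure: false })` would still type-check, and the wrapper would silently ignore the attributes argument. Typing the field as `ReturnType<typeof createActiveContextCookie>`, or as an exported handler type in the style of `ClientUatCookieHandler` and `SessionCookieHandler`, would make the fixed `Secure` policy visible to the compiler.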
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
import { createCookieHandler } from '@clerk/shared/cookie';
2+
3+
import { getSecureAttribute } from '../getSecureAttribute';
4+
5+
export const createActiveContextCookie = () => {
6+
const handler = createCookieHandler('clerk_active_context');
7+
const attributes = { secure: getSecureAttribute('None') };
8+
9+
return {
10+
set: (value: string) => {
11+
handler.set(value, attributes);
12+
},
13+
get: () => {
14+
return handler.get();
15+
},
16+
remove: () => {
17+
return handler.remove(attributes);
18+
},
19+
};
20+
};
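Review bot: `getSecureAttribute('None')` on line 7 is given a SameSite value, but the `attributes` object written with the cookie carries only `secure`, so the cookie itself is stored with the browser's default SameSite rather than `None`. The helper's body is not visible in this section, so whether `'None'` is the right input for a cookie that never sets SameSite cannot be confirmed here. If the argument only selects the Secure policy, a comment such as `// 'None' only selects the Secure policy; SameSite is left at the browser default` would record that. Otherwise, pass the SameSite value the cookie is meant to carry and set that same value in `attributes`, so the two cannot drift apart.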
