refactor(clerk-js): Ensure last used badge does not show with a single strategy

[alexcarpenter]

Description

BEFORE	AFTER

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes
  • "Last used" badge and "Continue with" labels now correctly reflect available sign-in methods: the badge appears only when multiple authentication methods are enabled, preventing incorrect "Last used" indications (including cases involving SAML-to-OAuth conversions) and improving clarity during sign-in.

[changeset-bot]

🦋 Changeset detected

Latest commit: 7387aa2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Nov 18, 2025 0:22am

[coderabbitai]

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: preventing the 'last used' badge from displaying when only a single authentication strategy is available. This directly aligns with the changeset description and the core logic changes across modified files.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch alexcarpenter/user-3976-last-used-strategy-should-not-render-if-there-is-only-1

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6d302cb and 7387aa2.

📒 Files selected for processing (1)

• .changeset/cold-dancers-watch.md (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (33)

• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 15, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 14)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (expo-web, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (elements, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Publish with pkg-pr-new
• GitHub Check: Static analysis
• GitHub Check: Unit Tests (22, **)
• GitHub Check: Unit Tests (22, shared, clerk-js, RQ)
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

.changeset/cold-dancers-watch.md (1)

1-5: Changeset metadata looks good.

The changeset is properly formatted with correct package scope, appropriate patch bump type, and a clear, concise description that aligns with the PR objective.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dstaley]

if you return this value as totalEnabledAuthMethods, you won't have to rename it every time we use the hook.

const { totalEnabledAuthMethods } = useTotalEnabledAuthMethods();

also since you're only returning one value you don't really need to wrap it in an object. However, if you prefer the object notation, I think this might be a little cleaner:

const totalEnabledAuthMethods = useTotalEnabledAuthMethods();

// ...

if (totalEnabledAuthMethods.count > 1) {
  // ...
}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7224

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7224

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7224

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7224

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7224

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7224

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7224

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7224

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7224

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7224

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7224

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7224

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7224

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7224

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7224

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7224

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7224

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7224

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7224

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7224

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7224

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7224

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7224

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7224

commit: 7387aa2

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/clerk-js/src/ui/elements/__tests__/SocialButtons.test.tsx (2)

159-210: Clarify intent and reduce overlap between the two “email enabled” tests

Lines 159‑186 and 188‑210 both cover “single social provider + email enabled” and assert the badge is shown. This is good behavior coverage but a bit redundant, and the second test’s name (email/username is also enabled) no longer matches the setup (only withEmailAddress is called).

Consider either:

• Differentiating the second test by actually enabling username (and/or another identifier) so it exercises a distinct configuration, or
• Collapsing to a single test if you don’t need two variants of “google + email”.

This will keep the suite focused and avoid confusion from a misleading test description.

---

310-331: SAML scenarios are well covered; consider mirroring the hook assertion from the OAuth test

The updated SAML test (lines 310‑331) now runs with email enabled, and the new test (lines 333‑358) covers the “single total auth method + SAML” case where the badge should be suppressed. That combination matches the new rules and the PR objective.

Two small improvements you might consider:

• In the SAML single‑auth test, optionally assert useTotalEnabledAuthMethods() returns 1, mirroring the earlier OAuth single‑auth test for extra safety.
• In the multi‑auth SAML test, you could also assert the presence of the “Last used” badge (not just “Continue with Google”) to confirm that SAML→OAuth conversion participates fully in the last‑auth logic.

Both are non‑blocking but would tighten the regression net around SAML behavior.

Also applies to: 333-358

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a4ee67b and 6d302cb.

📒 Files selected for processing (4)

• packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (3 hunks)
• packages/clerk-js/src/ui/elements/SocialButtons.tsx (3 hunks)
• packages/clerk-js/src/ui/elements/__tests__/SocialButtons.test.tsx (4 hunks)
• packages/clerk-js/src/ui/hooks/useTotalEnabledAuthMethods.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/clerk-js/src/ui/hooks/useTotalEnabledAuthMethods.ts
• packages/clerk-js/src/ui/elements/SocialButtons.tsx

🧰 Additional context used

🧬 Code graph analysis (2)

packages/clerk-js/src/ui/elements/__tests__/SocialButtons.test.tsx (3)

packages/clerk-js/src/test/utils.ts (2)

• renderHook (77-77)
• screen (72-72)

packages/clerk-js/src/ui/hooks/useTotalEnabledAuthMethods.ts (1)

• useTotalEnabledAuthMethods (6-22)

packages/clerk-js/src/ui/elements/SocialButtons.tsx (1)

• SocialButtons (56-228)

packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (1)

packages/clerk-js/src/ui/hooks/useTotalEnabledAuthMethods.ts (1)

• useTotalEnabledAuthMethods (6-22)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (6)

packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (3)

40-40: LGTM!

The import is correctly added to support the new functionality for conditionally displaying the "last used" badge.

---

91-91: LGTM!

The hook is correctly invoked following React conventions, and the variable name clearly conveys its purpose.

---

529-532: Logic correctly implements the PR objective.

The useTotalEnabledAuthMethods hook accurately counts authentication methods available to users. The hook filters strategies to include only known/supported methods through useEnabledThirdPartyProviders, which returns the exact same filtered OAuth, Web3, and alternative phone code values rendered by SocialButtons. First-factor identifiers (displayed as form fields) are counted without filtering and remain fully displayable. The condition correctly ensures the "last used" badge displays only when multiple authentication methods are available, eliminating redundant UI indicators in single-method scenarios.

packages/clerk-js/src/ui/elements/__tests__/SocialButtons.test.tsx (3)

2-7: Imports for renderHook and useTotalEnabledAuthMethods look appropriate

Bringing in renderHook and useTotalEnabledAuthMethods directly in this test file makes sense given the new hook‑level assertions; no issues here.

---

121-157: Nice coverage of the single total‑auth‑method case

This test thoroughly validates the “only one enabled auth method” scenario by:

• Explicitly disabling email/username,
• Inspecting userSettings for identifiers/social strategies, and
• Verifying useTotalEnabledAuthMethods returns 1 before asserting that the badge is hidden.

This gives strong confidence that the new totalEnabledAuthMethods > 1 condition behaves as intended.

---

212-216: Explicitly enabling email here aligns the test with the “multiple auth methods” description

Adding withEmailAddress({ enabled: true, used_for_first_factor: true }) ensures that this scenario genuinely has more than one auth method, matching both the test name and the totalEnabledAuthMethods‑based logic. The expectations that both “Continue with Google” and “Last used” appear are consistent with the updated behavior.