fix(clerk-js): Re-throw network errors in FraudProtection

[chriscanin]

Description

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes

  • Improved network error handling in fraud protection so transient network failures now fall back to cached responses instead of triggering unnecessary captcha challenges.

• Chores

  • Applied a small patch release to ensure the fix is delivered consistently to users.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: c1acc32

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Nov 20, 2025 0:05am

[coderabbitai]

Walkthrough

Introduces an early-throw path in FraudProtection.execute to immediately surface runtime network errors (code === 'network_error') so cache fallback can run; keeps existing captcha handling for other errors and adds isClerkRuntimeError import.

Changes

Cohort / File(s)	Change Summary
Fraud protection logic packages/clerk-js/src/core/fraudProtection.ts	Added isClerkRuntimeError import and introduced an early-throw branch in FraudProtection.execute for runtime network errors (code === 'network_error') to bypass captcha flow and allow cache fallback; retained existing captcha/inflight handling for other errors.
Release metadata .changeset/fix-network-error-cache-fallback.md	Added a patch changeset documenting the fix that network errors were previously masked by fraud protection and now allow cache fallback.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant FraudProtection as FraudProtection.execute
    participant API
    participant Cache as Cache Fallback

    Client->>FraudProtection: invoke with callback
    FraudProtection->>API: perform API request

    alt API returns network runtime error (code='network_error')
        API-->>FraudProtection: error (network_error)
        rect rgb(255, 244, 230)
            Note over FraudProtection: NEW early-throw path — bypass captcha
            FraudProtection->>Cache: throw to trigger cache fallback
        end
        Cache-->>Client: fallback response
    else API returns other error
        API-->>FraudProtection: error (non-network)
        rect rgb(230, 245, 255)
            Note over FraudProtection: Existing captcha flow
            FraudProtection->>FraudProtection: inflight/captcha challenge & token submission
            FraudProtection->>API: replay original callback with token
            API-->>FraudProtection: response
            FraudProtection-->>Client: return response
        end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Single-file logic change but affects error-handling/control flow.
• Review attention:
  • Confirm isClerkRuntimeError usage and matching of code === 'network_error'.
  • Ensure early-throw interacts correctly with existing inflight/captcha state and callers expecting previous behavior.
  • Validate the changeset message and versioning intent.

Poem

🐰 A hop, a fix, a nimble feat,
When networks slip, we skip the beat —
No captcha maze to slow the track,
The cache hops in to bring things back. 🎩✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: it re-throws network errors in FraudProtection to fix offline cache fallback behavior.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chris/mobile-322-the-customer-reports-that-offline-mode-stopped-working-after

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8a6baf9 and c1acc32.

📒 Files selected for processing (1)

• .changeset/fix-network-error-cache-fallback.md (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

.changeset/fix-network-error-cache-fallback.md (1)

1-5: Changeset format and description look good.

The YAML frontmatter correctly specifies the package and patch bump type, and the description accurately summarizes the fix for network error masking.

However, I can only review the changeset file itself—the actual code fix in packages/clerk-js/src/core/fraudProtection.ts was not provided for review. Please share the implementation changes so I can verify:

1. The early-throw logic for network errors (code === 'network_error') executes before accessing the errors array
2. The isClerkRuntimeError type guard is imported and used correctly
3. Existing captcha error handling for other error types remains unaffected
4. Error re-throwing preserves the original error context for cache fallback detection in clerk.ts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chriscanin]

The app crashed when starting offline with __experimental_resourceCache enabled due to three interconnected issues:

• Missing protect_config field from FAPI: The Frontend API doesn't return protect_config in the environment response, causing it to be undefined.
• Undefined values in cache serialization: When protectConfig.loaders was undefined, the __internal_toSnapshot() method would serialize it as undefined, which can't be properly deserialized.
• Narrow error handling: The cache fallback logic only triggered for ClerkRuntimeError with code 'network_error', but offline startup threw a generic TypeError, preventing cache fallback.

How It Manifested:

• Online: App loads successfully, FAPI returns environment without protect_config.
• Offline on next launch: App tries to load from cache, encounters TypeError: Cannot convert undefined value to object. The error isn't caught as a network error, so cache fallback doesn't trigger → CRASH.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/clerk-js/src/core/clerk.ts (1)

2758-2770: Add a more specific error guard to prevent masking unexpected errors.

The broadened fallback condition correctly handles network errors currently (which escape as generic Errors from clerkNetworkError), but the !isClerkRuntimeError(err) check is overly permissive and could silently suppress unexpected exceptions in the future.

Narrow the condition to explicitly check for network error characteristics:

const shouldFallback =
  this.shouldFallbackToCachedResources() &&
  ((isClerkRuntimeError(err) && err.code === 'network_error') ||
   (err instanceof Error && err.message?.includes('Network error')));

This prevents masking programming errors, validation failures, or other unexpected exceptions while still catching the network errors that escape as generic Errors.

🧹 Nitpick comments (1)

packages/clerk-js/src/core/clerk.ts (1)

2743-2746: Consider simplifying the return statement.

The intermediate variable hasCacheFunction doesn't add clarity or enable reuse. You could simplify to:

 private shouldFallbackToCachedResources = (): boolean => {
-  const hasCacheFunction = !!this.__internal_getCachedResources;
-  return hasCacheFunction;
+  return !!this.__internal_getCachedResources;
 };

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between edbd18c and ffd4ab0.

📒 Files selected for processing (4)

• packages/clerk-js/src/core/clerk.ts (2 hunks)
• packages/clerk-js/src/core/resources/Environment.ts (1 hunks)
• packages/clerk-js/src/core/resources/ProtectConfig.ts (1 hunks)
• packages/expo/src/cache/dummy-data/environment-resource.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

packages/clerk-js/src/core/clerk.ts (1)

packages/shared/src/errors/helpers.ts (1)

• isClerkRuntimeError (83-85)

packages/clerk-js/src/core/resources/Environment.ts (3)

packages/clerk-js/src/core/resources/CommerceSettings.ts (1)

• CommerceSettings (8-55)

packages/clerk-js/src/core/resources/APIKeySettings.ts (1)

• APIKeySettings (8-35)

packages/clerk-js/src/core/resources/ProtectConfig.ts (1)

• ProtectConfig (10-39)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (3)

packages/clerk-js/src/core/resources/ProtectConfig.ts (1)

36-36: LGTM! Guard ensures consistent snapshot structure.

Defaulting loaders to an empty array when undefined ensures the serialized snapshot always has a defined array, preventing potential null/undefined issues downstream.

packages/clerk-js/src/core/resources/Environment.ts (1)

56-58: LGTM! Explicit null handling improves consistency.

Using the nullish coalescing operator to pass null instead of undefined to constructors ensures explicit handling of missing fields. The constructors (CommerceSettings, APIKeySettings, ProtectConfig) all properly handle null parameters in their fromJSON methods.

packages/expo/src/cache/dummy-data/environment-resource.ts (1)

234-260: LGTM! Dummy data expanded to match new environment shape.

The additions align with the environment resource changes:

• commerce_settings with detailed billing configuration matches CommerceSettings structure
• protect_config.loaders initialized as empty array matches the guard added in ProtectConfig
• api_keys_settings corresponds to APIKeySettings

This ensures test coverage for the expanded environment configuration.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7254

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7254

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7254

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7254

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7254

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7254

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7254

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7254

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7254

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7254

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7254

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7254

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7254

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7254

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7254

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7254

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7254

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7254

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7254

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7254

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7254

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7254

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7254

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7254

commit: c1acc32

[dstaley]

If protect_config can be undefined, we should also update the EnvironmentJSON type in shared to reflect that. I'm pinging some folks on the backend side to make sure this was intentional as no other value on the environment response is undefinable.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/fix-offline-mode-resource-cache.md (1)

6-6: Clarify the changeset description wording.

The phrase "broadening error handling to trigger cache fallback for non-network errors" is confusing because the code actually checks FOR network errors (including generic Error instances with network-related messages). Consider revising to something like:

"Fix offline mode crash when using __experimental_resourceCache by handling missing protect_config field from FAPI response and broadening network error detection to trigger cache fallback for network-like errors beyond just ClerkRuntimeError instances."

-Fix offline mode crash when using `__experimental_resourceCache` by handling missing `protect_config` field from FAPI response and broadening error handling to trigger cache fallback for non-network errors.
+Fix offline mode crash when using `__experimental_resourceCache` by handling missing `protect_config` field from FAPI response and broadening network error detection to trigger cache fallback for network-like errors beyond just ClerkRuntimeError instances.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ffd4ab0 and 30e90e5.

📒 Files selected for processing (2)

• .changeset/fix-offline-mode-resource-cache.md (1 hunks)
• packages/clerk-js/src/core/clerk.ts (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

packages/clerk-js/src/core/clerk.ts (1)

packages/shared/src/errors/helpers.ts (2)

• isNetworkError (43-47)
• isClerkRuntimeError (83-85)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (1)

packages/clerk-js/src/core/clerk.ts (1)

2757-2761: The review comment is incorrect.

The inline network error check at lines 2757-2759 is not code duplication; it's more comprehensive than the existing isNetworkError helper. The helper only inspects message/name text patterns and cannot detect ClerkRuntimeError objects by their code property. The inline check handles two distinct error patterns:

1. isClerkRuntimeError(err) && err.code === 'network_error' — catches errors thrown from Base.ts which may have generic messages like "Failed to fetch" that don't contain "network" text. The helper cannot detect these via message inspection alone.
2. err.message?.includes('Network error at') — catches errors from clerkNetworkError() in fapiClient.ts.

The helper would only catch pattern 2 (after normalizing spaces: "networkerrorat..." includes "networkerror"), but not pattern 1. Therefore, consolidating to use only the helper would remove critical error detection logic.

Likely an incorrect or invalid review comment.

[chriscanin]

for this one the ProtectConfig constructor expects: ProtectConfigJSON | ProtectConfigJSONSnapshot | null, not
undefined, or we could add | null | undefined to the ProtectConfig constructor, but it will receive undefined if we are not connected

When Online (Normal Case):

1. FAPI returns environment data
2. protect_config field is missing from FAPI response (not in
   the Go struct) (can we alter this? should we? it didn't seem like this was the right approach).
3. data.protect_config = undefined
4. new ProtectConfig(undefined) is called
5. Constructor accepts | undefined, so no type error
6. fromJSON checks if (!data) which catches undefined
7. Returns early with default empty ProtectConfig (id: '',
   loaders: undefined)
8. When serialized to cache: loaders ?? [] ensures it becomes []
   not undefined

When Offline (Cache Case):

1. Load from cache (DUMMY data or previously cached data)
2. Cached data has protect_config: { object: 'protect_config',
   id: '', loaders: [] }
3. data.protect_config = { object: 'protect_config', id: '',
   loaders: [] }
4. new ProtectConfig({ ... }) is called with actual data
5. fromJSON processes it normally
6. Everything works

[chriscanin]

If protect_config can be undefined, we should also update the EnvironmentJSON type in shared to reflect that. I'm pinging some folks on the backend side to make sure this was intentional as no other value on the environment response is undefinable.

Looking into this.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/shared/src/types/json.ts (1)

85-95: Clarify whether protect_config is always present or truly optional on the wire

Changing protect_config to ProtectConfigJSON | null models responses that always include the field but sometimes set it to null. The reported issue, however, mentions FAPI responses where protect_config is missing entirely, which this interface still treats as a contract violation.

If FAPI will be updated to always send protect_config (possibly null), this type is correct and keeps the DTO shape strict. If omission remains valid, consider reflecting that here instead:

-  protect_config: ProtectConfigJSON | null;
+  protect_config?: ProtectConfigJSON | null;

Either way, it would be good to explicitly confirm and document the intended contract for this field so the JSON types and backend stay in sync.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e769ad5 and d7ed9c1.

📒 Files selected for processing (2)

• packages/clerk-js/src/core/resources/Environment.ts (0 hunks)
• packages/shared/src/types/json.ts (1 hunks)

💤 Files with no reviewable changes (1)

• packages/clerk-js/src/core/resources/Environment.ts

🧰 Additional context used

🧬 Code graph analysis (1)

packages/shared/src/types/json.ts (1)

packages/shared/src/types/protectConfig.ts (1)

• ProtectConfigJSON (12-16)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build Packages
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

[chriscanin]

Before:
https://github.com/user-attachments/assets/c26e4407-a01e-475c-bd1d-2297258381e5

And after:
https://github.com/user-attachments/assets/b66beaa4-5fd1-482d-91a5-e0991fe050f3

[chriscanin]

When the app starts offline, Clerk attempts to fetch environment and client data from FAPI, but the network requests fail, throwing a ClerkRuntimeError with code: network_error. This error gets caught by FraudProtection.execute(), which wraps all FAPI requests to handle captcha challenges. The fraud protection code checks if it's a ClerkAPIResponseError (which network errors are classified as) and then tries to access e.errors[0]?.code to determine if it's a captcha challenge.
However, network errors do not have an errors array that only exists on actual API validation errors. Accessing this undefined property causes a new TypeError: Cannot convert undefined value to object (this led me down the wrong path), which masks the original network error. Because the error type changed, Clerk's cache fallback logic in clerk.ts no longer recognizes it as a network error, so it never attempts to load from cache, causing the app to crash instead of working offline.

We added a simple check in FraudProtection.execute() at:
/Users/chris/workspace/javascript/packages/clerk-js/src/core/fraudProtection.ts:48-52
This check detects network errors before trying to access the errors array. When a ClerkRuntimeError with code network_error is caught, it is immediately re-thrown, bypassing the captcha logic entirely.
This allows the network error to propagate correctly back to clerk.ts, where it is recognized as a real network error and triggers the cache fallback mechanism. As a result, the app correctly loads the user's authentication state from cache and works offline without crashing.

Mobile is now working with this change.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/clerk-js/src/core/fraudProtection.ts (1)

48-52: Excellent fix for preventing TypeError that masked network errors.

This correctly addresses the offline crash by re-throwing network errors before accessing e.errors[0], which would throw a TypeError when e.errors is undefined. The early throw preserves the original network error, allowing clerk.ts to recognize it and trigger cache fallback.

The logic is sound:

• Checks occur after confirming e is a ClerkAPIResponseError
• Type guard ensures safe access to e.code
• Network errors bypass captcha logic entirely, as intended

Optional defensive improvement:

Consider making line 54 more defensive as well:

-      if (e.errors[0]?.code !== 'requires_captcha') {
+      if (e.errors?.[0]?.code !== 'requires_captcha') {

This would provide belt-and-suspenders protection against any other error types without an errors array, though with your current fix this scenario should not occur.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d7ed9c1 and 8a6baf9.

📒 Files selected for processing (1)

• packages/clerk-js/src/core/fraudProtection.ts (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

packages/clerk-js/src/core/fraudProtection.ts (1)

packages/shared/src/errors/helpers.ts (1)

• isClerkRuntimeError (83-85)

🔇 Additional comments (1)

packages/clerk-js/src/core/fraudProtection.ts (1)

1-1: LGTM! Import addition is correct.

The isClerkRuntimeError import is properly sourced from @clerk/shared/error and used as a type guard in the network error check below.