fix(backend): Sanitize slashes in URL paths (#3982)

Co-authored-by: Robert Soriano <sorianorobertc@gmail.com>
clerk · Aug 29, 2024 · c9ef591 · c9ef591
1 parent 9d04777
commit c9ef591
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/.changeset/dull-goats-tie.md b/.changeset/dull-goats-tie.md
@@ -0,0 +1,5 @@
+---
+"@clerk/backend": patch
+---
+
+Fix error from duplicate leading slashes in URL path on Cloudflare Pages
diff --git a/packages/backend/src/tokens/__tests__/clerkRequest.test.ts b/packages/backend/src/tokens/__tests__/clerkRequest.test.ts
@@ -151,6 +151,14 @@ export default (QUnit: QUnit) => {
         });
         assert.equal(createClerkRequest(req).clerkUrl.toString(), 'https://example.com/path?foo=bar');
       });
+
+      it('with duplicate leading slashes in URL path', assert => {
+        const req1 = new Request('http://localhost:3000//path');
+        assert.equal(createClerkRequest(req1).clerkUrl.toString(), 'http://localhost:3000//path');
+
+        const req2 = new Request('http://localhost:3000////path');
+        assert.equal(createClerkRequest(req2).clerkUrl.toString(), 'http://localhost:3000////path');
+      });
     });
 
     module('toJSON', () => {

diff --git a/packages/backend/src/tokens/clerkRequest.ts b/packages/backend/src/tokens/clerkRequest.ts
@@ -51,6 +51,9 @@ class ClerkRequest extends Request {
     const resolvedProtocol = this.getFirstValueFromHeader(forwardedProto) ?? protocol?.replace(/[:/]/, '');
     const origin = resolvedHost && resolvedProtocol ? `${resolvedProtocol}://${resolvedHost}` : initialUrl.origin;
 
+    if (origin === initialUrl.origin) {
+      return createClerkUrl(initialUrl);
+    }
     return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);
   }