
Fix Clerk middleware on public auth routes #76

Merged
DevCalebR merged 1 commit into main from fix/clerk-public-auth-middleware
May 25, 2026

Conversation

@DevCalebR (Owner)

Root cause:
middleware.ts only invoked clerkMiddleware() for protected routes. Public routes returned NextResponse.next() directly, so public auth pages like /sign-up and /sign-in could call auth() without the request ever passing through Clerk middleware. Clerk then crashed because auth() could not detect clerkMiddleware().

Changed middleware structure:

  • replaced the old protected-only Clerk wrapper with one shared clerkMiddleware(async (auth, req) => { ... })
  • all matched middleware requests now flow through that single Clerk middleware path when Clerk env is valid
  • await auth.protect() only runs for the protected subset: /app(.*), /admin(.*), /api/stripe/checkout(.*), /api/stripe/portal(.*), and /api/twilio/provision-number(.*)
  • protected POST mutation rate limiting still runs only on the protected mutation subset
  • security headers still wrap the response
  • production demo guardrails are unchanged
  • if Clerk env is missing, protected routes and public Clerk-backed routes fail closed with a clear auth-unavailable response, while marketing pages like /, /pricing, /demo, and /contact still render

Tests added:

  • middleware route classification tests for public auth pages, public marketing pages, protected routes, and protected API mutation rate limiting
  • middleware source-level regression test proving the app now uses one shared clerkMiddleware() path instead of early-returning before Clerk on public routes
  • updated tenant-isolation wiring assertions to cover the shared middleware access helper

Validation:

  • npm run typecheck
  • npm run lint
  • npm test
  • npm run build

Manual incognito QA checklist:

  • open /sign-up while logged out and confirm the page renders without the Clerk middleware crash
  • open /sign-in while logged out and confirm the page renders without the Clerk middleware crash
  • open /, /pricing, /demo, and /contact while logged out and confirm they stay public
  • open /app while logged out and confirm auth is required
  • open /admin while logged out and confirm auth is required
  • verify protected POST API routes still return rate-limit headers after repeated requests
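As an added illustration (not the project's middleware.ts), the following models the route classification and fail-closed decision the description above lays out, with the pre-fix early-return behaviour beside it. The Clerk calls themselves are omitted; the decision names ("skip-clerk", "auth-unavailable") and the anchored-regex reading of the (.*) globs are assumptions made here.

```typescript
// Added example: route classification + fail-closed decision as described in
// the PR. Route sets come from the PR text; everything else is illustrative.

type RouteClass = "protected" | "clerk-public" | "marketing";
type Decision = "protect" | "next" | "auth-unavailable" | "skip-clerk";

// Protected subset from the PR description (auth.protect() + rate limiting).
const PROTECTED_PATTERNS = [
  "/app(.*)",
  "/admin(.*)",
  "/api/stripe/checkout(.*)",
  "/api/stripe/portal(.*)",
  "/api/twilio/provision-number(.*)",
];
// Public pages that still call auth() and therefore need Clerk middleware.
const CLERK_PUBLIC_PATTERNS = ["/sign-in(.*)", "/sign-up(.*)"];

// Turn a "(.*)" glob into an anchored RegExp (assumption); every other
// character in the pattern is treated literally.
function toRegExp(pattern: string): RegExp {
  const parts = pattern
    .split("(.*)")
    .map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp(`^${parts.join("(.*)")}$`);
}
const PROTECTED = PROTECTED_PATTERNS.map(toRegExp);
const CLERK_PUBLIC = CLERK_PUBLIC_PATTERNS.map(toRegExp);

function classifyRoute(pathname: string): RouteClass {
  if (PROTECTED.some((r) => r.test(pathname))) return "protected";
  if (CLERK_PUBLIC.some((r) => r.test(pathname))) return "clerk-public";
  return "marketing";
}

// Pre-fix behaviour: only protected routes went through Clerk, so a public
// auth page reached its handler with no Clerk context ("skip-clerk") and
// any auth() call there crashed.
function legacyDecide(pathname: string): Decision {
  return classifyRoute(pathname) === "protected" ? "protect" : "skip-clerk";
}

// Post-fix behaviour: every matched request goes through the one shared
// clerkMiddleware path; auth.protect() runs only for the protected subset.
// Without valid Clerk env, anything Clerk-backed fails closed and only the
// marketing pages still render.
function decide(pathname: string, clerkEnvValid: boolean): Decision {
  const cls = classifyRoute(pathname);
  if (!clerkEnvValid) return cls === "marketing" ? "next" : "auth-unavailable";
  return cls === "protected" ? "protect" : "next";
}
```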


vercel Bot commented May 25, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: callbackcloser | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 25, 2026 10:43pm


DevCalebR merged commit 6f78114 into main on May 25, 2026
3 checks passed