fix(backend): Clock skew of 0 should not fall back

[dominic-clerk]

Description

Because 0 is falsy the current code fell back to the default value when the clock skew was configured to 0. This changes the syntax to fall back on null-ish values which 0 is not.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[changeset-bot]

🦋 Changeset detected

Latest commit: 0cdc524

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages

Name	Type
@clerk/backend	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Apr 20, 2026 10:35am

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8359

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8359

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8359

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8359

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8359

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8359

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8359

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8359

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8359

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8359

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8359

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8359

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8359

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8359

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8359

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8359

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8359

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8359

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8359

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8359

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8359

commit: 0cdc524

[coderabbitai]

📝 Walkthrough

Walkthrough

A patch update was made to the @clerk/backend package addressing clock skew handling in JWT verification. The change replaces the logical OR operator with nullish coalescing in the verifyJwt function, allowing a clock skew value of 0 to be respected rather than falling back to the default value.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main fix: preventing clock skew of 0 from incorrectly falling back to default, which matches the core change in the codebase.
Description check	✅ Passed	The description explains the bug (0 is falsy and triggered fallback), the solution (using nullish coalescing), and why it matters, directly addressing the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/backend/src/jwt/verifyJwt.ts`:
- Line 134: The resolved clockSkew value currently uses nullish coalescing but
can remain NaN; before calling assertExpirationClaim, assertActivationClaim, and
assertIssuedAtClaim validate that clockSkew (the const clockSkew variable) is a
finite number (e.g., Number.isFinite(clockSkew)), and if not replace it with
DEFAULT_CLOCK_SKEW_IN_MS or throw a descriptive error; update the code around
the clockSkew assignment so callers passing NaN cannot bypass claim checks by
ensuring a finite skew is passed into
assertExpirationClaim/assertActivationClaim/assertIssuedAtClaim.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 478f1c59-4092-4cbe-828b-319201b9cd77

📥 Commits

Reviewing files that changed from the base of the PR and between d7758e3 and 0cdc524.

📒 Files selected for processing (2)

• .changeset/wacky-dryers-hammer.md
• packages/backend/src/jwt/verifyJwt.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Demonstrate that `??` preserves NaN and time-claim comparisons become false.
node <<'NODE'
const DEFAULT_CLOCK_SKEW_IN_MS = 5000;
const clockSkewInMs = Number(undefined);
const clockSkew = clockSkewInMs ?? DEFAULT_CLOCK_SKEW_IN_MS;

const now = Date.now();
console.log({
  clockSkew: String(clockSkew),
  expirationRejected: now - 1000 <= now - clockSkew,
  notBeforeRejected: now + 1000 > now + clockSkew,
  issuedAtRejected: now + 1000 > now + clockSkew,
});
NODE

Repository: clerk/javascript

Length of output: 166

---

🏁 Script executed:

cat packages/backend/src/jwt/verifyJwt.ts | head -200 | tail -100

Repository: clerk/javascript

Length of output: 3039

---

🏁 Script executed:

# Search for the function signature and clockSkewInMs type
rg "clockSkewInMs" packages/backend/src/jwt/verifyJwt.ts -B 10 -A 5 | head -100

Repository: clerk/javascript

Length of output: 1052

---

🏁 Script executed:

# Check where clockSkew is used in comparisons
rg "clockSkew" packages/backend/src/jwt/verifyJwt.ts -A 2 -B 2

Repository: clerk/javascript

Length of output: 734

---

🏁 Script executed:

# Check if there are existing input validations in the function
rg "Number.isFinite|isNaN|Infinity" packages/backend/src/jwt/ -A 1 -B 1

Repository: clerk/javascript

Length of output: 42

---

🏁 Script executed:

# Find and examine the assertion functions that use clockSkew
rg "assertExpirationClaim|assertActivationClaim|assertIssuedAtClaim" packages/backend/src/jwt/ -A 10

Repository: clerk/javascript

Length of output: 17574

---

🏁 Script executed:

# Check the DEFAULT_CLOCK_SKEW_IN_MS value
rg "DEFAULT_CLOCK_SKEW_IN_MS" packages/backend/src/jwt/verifyJwt.ts -B 2 -A 2

Repository: clerk/javascript

Length of output: 536

---

🏁 Script executed:

# Look for type imports and error handling patterns in the file
head -50 packages/backend/src/jwt/verifyJwt.ts

Repository: clerk/javascript

Length of output: 1727

---

🏁 Script executed:

# Look at the full implementation of the assertion functions
rg "export const assertExpirationClaim|export const assertActivationClaim|export const assertIssuedAtClaim" packages/backend/src/jwt/assertions.ts -A 25 | head -150

Repository: clerk/javascript

Length of output: 2790

---

🏁 Script executed:

# Check if there's any validation of clockSkew parameter anywhere in the codebase
rg "clockSkew" packages/backend/src/jwt/assertions.ts

Repository: clerk/javascript

Length of output: 565

---

🏁 Script executed:

# Check if there are any existing tests for NaN clockSkew
rg "NaN|Infinity" packages/backend/src/jwt/__tests__/ -B 2 -A 2

Repository: clerk/javascript

Length of output: 42

---

🏁 Script executed:

# Verify how clockSkewInMs could realistically be passed as NaN
# Check how verifyJwt is called in the codebase
rg "verifyJwt\(" packages/backend/src/ -B 2 -A 2 | head -50

Repository: clerk/javascript

Length of output: 3348

---

Add validation for finite clockSkew before timestamp comparisons.

Line 134 correctly preserves 0 with the nullish coalescing operator, but it also preserves NaN. If a caller passes NaN (e.g., from invalid config parsing), the timestamp comparisons in assertExpirationClaim, assertActivationClaim, and assertIssuedAtClaim all evaluate to false, silently bypassing exp, nbf, and iat claim validation. Validate that the resolved skew is finite before passing it to the assertions.

Proposed fix

  const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
  const clockSkew = clockSkewInMs ?? DEFAULT_CLOCK_SKEW_IN_MS;
+  if (!Number.isFinite(clockSkew)) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          action: TokenVerificationErrorAction.EnsureClerkJWT,
+          reason: TokenVerificationErrorReason.TokenVerificationFailed,
+          message: '`clockSkewInMs` must be a finite number.',
+        }),
+      ],
+    };
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/backend/src/jwt/verifyJwt.ts` at line 134, The resolved clockSkew
value currently uses nullish coalescing but can remain NaN; before calling
assertExpirationClaim, assertActivationClaim, and assertIssuedAtClaim validate
that clockSkew (the const clockSkew variable) is a finite number (e.g.,
Number.isFinite(clockSkew)), and if not replace it with DEFAULT_CLOCK_SKEW_IN_MS
or throw a descriptive error; update the code around the clockSkew assignment so
callers passing NaN cannot bypass claim checks by ensuring a finite skew is
passed into assertExpirationClaim/assertActivationClaim/assertIssuedAtClaim.

[jacekradko]

Good enhancement, but we should add tests for this