
fix(backend): Clock skew of 0 should not fall back #8359

Open
dominic-clerk wants to merge 1 commit into main from dc-clock-skew-zero

Conversation

@dominic-clerk
Contributor

@dominic-clerk dominic-clerk commented Apr 20, 2026

Description

Because 0 is falsy, the current code fell back to the default value when the clock skew was configured to 0. This changes the syntax to fall back on nullish values, which 0 is not.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Because 0 is falsy, the current code fell back to the default value when
the clock skew was configured to 0. This changes the syntax to fall back
on nullish values, which 0 is not.
@changeset-bot

changeset-bot bot commented Apr 20, 2026

🦋 Changeset detected

Latest commit: 0cdc524

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@clerk/backend Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch


@vercel

vercel bot commented Apr 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Apr 20, 2026 10:35am


@pkg-pr-new

pkg-pr-new bot commented Apr 20, 2026


@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8359

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8359

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8359

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8359

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8359

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8359

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8359

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8359

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8359

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8359

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8359

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8359

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8359

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8359

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8359

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8359

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8359

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8359

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8359

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8359

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8359

commit: 0cdc524

@coderabbitai
Contributor

coderabbitai bot commented Apr 20, 2026

📝 Walkthrough

Walkthrough

A patch update was made to the @clerk/backend package addressing clock skew handling in JWT verification. The change replaces the logical OR operator with nullish coalescing in the verifyJwt function, allowing a clock skew value of 0 to be respected rather than falling back to the default value.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main fix: preventing clock skew of 0 from incorrectly falling back to default, which matches the core change in the codebase.
Description check ✅ Passed The description explains the bug (0 is falsy and triggered fallback), the solution (using nullish coalescing), and why it matters, directly addressing the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/backend/src/jwt/verifyJwt.ts`:
- Line 134: The resolved clockSkew value currently uses nullish coalescing but
can remain NaN; before calling assertExpirationClaim, assertActivationClaim, and
assertIssuedAtClaim validate that clockSkew (the const clockSkew variable) is a
finite number (e.g., Number.isFinite(clockSkew)), and if not replace it with
DEFAULT_CLOCK_SKEW_IN_MS or throw a descriptive error; update the code around
the clockSkew assignment so callers passing NaN cannot bypass claim checks by
ensuring a finite skew is passed into
assertExpirationClaim/assertActivationClaim/assertIssuedAtClaim.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 478f1c59-4092-4cbe-828b-319201b9cd77

📥 Commits

Reviewing files that changed from the base of the PR and between d7758e3 and 0cdc524.

📒 Files selected for processing (2)
  • .changeset/wacky-dryers-hammer.md
  • packages/backend/src/jwt/verifyJwt.ts

): Promise<JwtReturnType<JwtPayload, TokenVerificationError>> {
const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
const clockSkew = clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
const clockSkew = clockSkewInMs ?? DEFAULT_CLOCK_SKEW_IN_MS;
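Review bot: `??` fixes the `0` case but also lets `NaN` (and `Infinity`) through to the claim assertions, where the timestamp comparisons are all false for `NaN`, so a `clockSkewInMs` produced by a failed numeric parse would disable the exp/nbf/iat checks instead of failing verification. After the `??` line, reject the resolved value unless `Number.isFinite(clockSkew)` holds (a misconfiguration should be an error, not a silent fallback or a silent bypass), and add a unit test asserting that `clockSkewInMs: 0` rejects a token expired by one second, since this hunk changes behaviour without a test.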
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Demonstrate that `??` preserves NaN and time-claim comparisons become false.
node <<'NODE'
const DEFAULT_CLOCK_SKEW_IN_MS = 5000;
// Number(undefined) is NaN, the same value a failed numeric parse of config yields.
const clockSkewInMs = Number(undefined);
// `??` only replaces null/undefined, so NaN survives here.
const clockSkew = clockSkewInMs ?? DEFAULT_CLOCK_SKEW_IN_MS;

const now = Date.now();
// Each comparison is false when clockSkew is NaN, so no claim is rejected.
console.log({
  clockSkew: String(clockSkew),
  expirationRejected: now - 1000 <= now - clockSkew,
  notBeforeRejected: now + 1000 > now + clockSkew,
  issuedAtRejected: now + 1000 > now + clockSkew,
});
NODE

Repository: clerk/javascript

Length of output: 166


🏁 Script executed:

cat packages/backend/src/jwt/verifyJwt.ts | head -200 | tail -100

Repository: clerk/javascript

Length of output: 3039


🏁 Script executed:

# Search for the function signature and clockSkewInMs type
rg "clockSkewInMs" packages/backend/src/jwt/verifyJwt.ts -B 10 -A 5 | head -100

Repository: clerk/javascript

Length of output: 1052


🏁 Script executed:

# Check where clockSkew is used in comparisons
rg "clockSkew" packages/backend/src/jwt/verifyJwt.ts -A 2 -B 2

Repository: clerk/javascript

Length of output: 734


🏁 Script executed:

# Check if there are existing input validations in the function
rg "Number.isFinite|isNaN|Infinity" packages/backend/src/jwt/ -A 1 -B 1

Repository: clerk/javascript

Length of output: 42


🏁 Script executed:

# Find and examine the assertion functions that use clockSkew
rg "assertExpirationClaim|assertActivationClaim|assertIssuedAtClaim" packages/backend/src/jwt/ -A 10

Repository: clerk/javascript

Length of output: 17574


🏁 Script executed:

# Check the DEFAULT_CLOCK_SKEW_IN_MS value
rg "DEFAULT_CLOCK_SKEW_IN_MS" packages/backend/src/jwt/verifyJwt.ts -B 2 -A 2

Repository: clerk/javascript

Length of output: 536


🏁 Script executed:

# Look for type imports and error handling patterns in the file
head -50 packages/backend/src/jwt/verifyJwt.ts

Repository: clerk/javascript

Length of output: 1727


🏁 Script executed:

# Look at the full implementation of the assertion functions
rg "export const assertExpirationClaim|export const assertActivationClaim|export const assertIssuedAtClaim" packages/backend/src/jwt/assertions.ts -A 25 | head -150

Repository: clerk/javascript

Length of output: 2790


🏁 Script executed:

# Check if there's any validation of clockSkew parameter anywhere in the codebase
rg "clockSkew" packages/backend/src/jwt/assertions.ts

Repository: clerk/javascript

Length of output: 565


🏁 Script executed:

# Check if there are any existing tests for NaN clockSkew
rg "NaN|Infinity" packages/backend/src/jwt/__tests__/ -B 2 -A 2

Repository: clerk/javascript

Length of output: 42


🏁 Script executed:

# Verify how clockSkewInMs could realistically be passed as NaN
# Check how verifyJwt is called in the codebase
rg "verifyJwt\(" packages/backend/src/ -B 2 -A 2 | head -50

Repository: clerk/javascript

Length of output: 3348


Add validation for finite clockSkew before timestamp comparisons.

Line 134 correctly preserves 0 with the nullish coalescing operator, but it also preserves NaN. If a caller passes NaN (e.g., from invalid config parsing), the timestamp comparisons in assertExpirationClaim, assertActivationClaim, and assertIssuedAtClaim all evaluate to false, silently bypassing exp, nbf, and iat claim validation. Validate that the resolved skew is finite before passing it to the assertions.

Proposed fix
  const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
  const clockSkew = clockSkewInMs ?? DEFAULT_CLOCK_SKEW_IN_MS;
+  if (!Number.isFinite(clockSkew)) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          action: TokenVerificationErrorAction.EnsureClerkJWT,
+          reason: TokenVerificationErrorReason.TokenVerificationFailed,
+          message: '`clockSkewInMs` must be a finite number.',
+        }),
+      ],
+    };
+  }
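Review bot: the error constructed in the added block uses `action: TokenVerificationErrorAction.EnsureClerkJWT` and `reason: TokenVerificationErrorReason.TokenVerificationFailed`, both of which describe a bad token, while the message blames the caller's `clockSkewInMs` option; a caller reading the reason would retry with another token rather than fix its configuration. Prefer throwing a `TypeError` at option resolution (or a dedicated reason) so misconfiguration is not reported as a token failure, and extend the guard to `clockSkew < 0`, which `Number.isFinite` accepts.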
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/backend/src/jwt/verifyJwt.ts` at line 134, The resolved clockSkew
value currently uses nullish coalescing but can remain NaN; before calling
assertExpirationClaim, assertActivationClaim, and assertIssuedAtClaim validate
that clockSkew (the const clockSkew variable) is a finite number (e.g.,
Number.isFinite(clockSkew)), and if not replace it with DEFAULT_CLOCK_SKEW_IN_MS
or throw a descriptive error; update the code around the clockSkew assignment so
callers passing NaN cannot bypass claim checks by ensuring a finite skew is
passed into assertExpirationClaim/assertActivationClaim/assertIssuedAtClaim.
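The `||` versus `??` difference described in the PR, together with the NaN case raised in the review above, as an added TypeScript example that is not Clerk's code: the names `resolveSkewWithOr`, `resolveSkewWithNullish`, `resolveSkewStrict`, `failedTimeClaims` and `compareResolvers` are hypothetical, the 5000 ms default is assumed (it matches the constant in the bot's script, not necessarily `@clerk/backend`), and the claim comparisons follow the shape used in that script rather than the project's `assertions.ts`.

```typescript
// Added example, not @clerk/backend code. Shows how a configured clock skew is
// resolved with `||` (pre-fix), `??` (the PR), and with an explicit finiteness
// check, and what each does to the exp / nbf / iat comparisons.

const DEFAULT_CLOCK_SKEW_IN_MS = 5000; // assumed default (taken from the bot's script)

// JWT time claims are seconds since the epoch.
interface TimeClaims {
  exp?: number;
  nbf?: number;
  iat?: number;
}

// Pre-fix: `0 || 5000` is 5000, so a configured skew of 0 silently becomes the default.
function resolveSkewWithOr(clockSkewInMs: number | undefined): number {
  return clockSkewInMs || DEFAULT_CLOCK_SKEW_IN_MS;
}

// The PR: only null/undefined fall back. 0 is kept, but so is NaN.
function resolveSkewWithNullish(clockSkewInMs: number | null | undefined): number {
  return clockSkewInMs ?? DEFAULT_CLOCK_SKEW_IN_MS;
}

// Hardened: fall back on nullish, reject anything that is not a finite,
// non-negative number instead of letting it reach the comparisons.
function resolveSkewStrict(clockSkewInMs: unknown): number {
  if (clockSkewInMs === undefined || clockSkewInMs === null) {
    return DEFAULT_CLOCK_SKEW_IN_MS;
  }
  if (typeof clockSkewInMs !== 'number' || !Number.isFinite(clockSkewInMs) || clockSkewInMs < 0) {
    throw new TypeError('`clockSkewInMs` must be a finite, non-negative number of milliseconds');
  }
  return clockSkewInMs;
}

// Time-claim checks in the shape the bot's script uses (hypothetical, not
// assertions.ts). A claim fails when its comparison is true; with a NaN skew
// every comparison is false, so the function returns [] and nothing is rejected.
function failedTimeClaims(claims: TimeClaims, nowMs: number, clockSkewMs: number): string[] {
  const failed: string[] = [];
  if (claims.exp !== undefined && claims.exp * 1000 <= nowMs - clockSkewMs) failed.push('exp');
  if (claims.nbf !== undefined && claims.nbf * 1000 > nowMs + clockSkewMs) failed.push('nbf');
  if (claims.iat !== undefined && claims.iat * 1000 > nowMs + clockSkewMs) failed.push('iat');
  return failed;
}

// Constructed sample: a token that expired one second ago, issued a minute ago,
// checked at a fixed "now" so the result is deterministic.
const NOW_MS = 1_800_000_000_000;
const EXPIRED_BY_ONE_SECOND: TimeClaims = { exp: (NOW_MS - 1000) / 1000, iat: (NOW_MS - 60_000) / 1000 };

function compareResolvers(): Record<'orZero' | 'nullishZero' | 'nullishNaN' | 'strictZero', string[]> {
  const notANumber = Number('not-a-number'); // what a bad env-var parse produces
  return {
    orZero: failedTimeClaims(EXPIRED_BY_ONE_SECOND, NOW_MS, resolveSkewWithOr(0)), // [] : 0 became 5000
    nullishZero: failedTimeClaims(EXPIRED_BY_ONE_SECOND, NOW_MS, resolveSkewWithNullish(0)), // ['exp']
    nullishNaN: failedTimeClaims(EXPIRED_BY_ONE_SECOND, NOW_MS, resolveSkewWithNullish(notANumber)), // [] : checks bypassed
    strictZero: failedTimeClaims(EXPIRED_BY_ONE_SECOND, NOW_MS, resolveSkewStrict(0)), // ['exp']
  };
}

console.log(compareResolvers());
```

The `orZero` entry is the bug the PR fixes (a one-second-expired token passes because 0 became 5000); `nullishNaN` is the case the review raises (a NaN skew makes every comparison false, so nothing is rejected); `resolveSkewStrict` is one way to close both, by turning a non-finite or negative option into an error at resolution time rather than a silent fallback.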

Member

@jacekradko jacekradko left a comment


Good enhancement, but we should add tests for this
