fix: safari itp handshake loo[

Author: jacekradko

packages/backend/src/tokens/__tests__/request.test.ts

@@ -877,6 +877,53 @@ describe('tokens.authenticateRequest(options)', () => {
     expect(requestState.toAuth()).toBeNull();
   });
 
+  test('cookieToken: returns signedIn when no clientUat but in redirect loop with valid session (Safari ITP workaround)', async () => {
+    server.use(
+      http.get('https://api.clerk.test/v1/jwks', () => {
+        return HttpResponse.json(mockJwks);
+      }),
+    );
+
+    // Simulate Safari ITP scenario: valid session token, no client_uat, redirect loop detected
+    const requestState = await authenticateRequest(
+      mockRequestWithCookies(
+        {},
+        {
+          __clerk_db_jwt: 'deadbeef',
+          __session: mockJwt,
+          __clerk_redirect_count: '1', // Redirect loop counter > 0
+        },
+      ),
+      mockOptions({
+        secretKey: 'test_deadbeef',
+      }),
+    );
+
+    expect(requestState).toBeSignedIn();
+    expect(requestState.toAuth()).toBeSignedInToAuth();
+  });
+
+  test('cookieToken: returns handshake when no clientUat and redirect loop but invalid session token', async () => {
+    // Simulate scenario where we're in a redirect loop but the session token is invalid
+    const requestState = await authenticateRequest(
+      mockRequestWithCookies(
+        {},
+        {
+          __clerk_db_jwt: 'deadbeef',
+          __session: mockMalformedJwt,
+          __clerk_redirect_count: '1',
+        },
+      ),
+      mockOptions({
+        secretKey: 'test_deadbeef',
+      }),
+    );
+
+    // Should still return handshake since token verification failed
+    expect(requestState).toMatchHandshake({ reason: AuthErrorReason.SessionTokenWithoutClientUAT });
+    expect(requestState.toAuth()).toBeNull();
+  });
+
   test('cookieToken: returns handshake when no cookies in development [5y]', async () => {
     const requestState = await authenticateRequest(
       mockRequestWithCookies({}),

packages/backend/src/tokens/request.ts

@@ -538,8 +538,27 @@ export const authenticateRequest: AuthenticateRequest = (async (
       });
     }
 
-    // This can eagerly run handshake since client_uat is SameSite=Strict in dev
+    // This can eagerly run handshake since client_uat is SameSite=Strict in dev.
+    // However, Safari's ITP can block the client_uat cookie during cross-site redirects,
+    // causing infinite redirect loops. If we detect a redirect loop and have a valid
+    // session token, authenticate the user instead of triggering another handshake.
     if (!hasActiveClient && hasSessionToken) {
+      if (authenticateContext.handshakeRedirectLoopCounter > 0) {
+        try {
+          const { data } = await verifyToken(authenticateContext.sessionTokenInCookie!, authenticateContext);
+          if (data) {
+            return signedIn({
+              tokenType: TokenType.SessionToken,
+              authenticateContext,
+              sessionClaims: data,
+              headers: new Headers(),
+              token: authenticateContext.sessionTokenInCookie!,
+            });
+          }
+        } catch {
+          // Token verification failed, proceed with normal handshake flow
+        }
+      }
       return handleMaybeHandshakeStatus(authenticateContext, AuthErrorReason.SessionTokenWithoutClientUAT, '');
     }