
fix(env): surface CLERK_PLATFORM_API_URL credential mismatch #344

Open

rafa-thayto wants to merge 4 commits into main from fix/platform-api-url-credential-warning

Conversation

@rafa-thayto (Contributor)
Summary

Addresses the immediate, concrete gap from #329. CLERK_PLATFORM_API_URL redirects API traffic to an arbitrary host, but credentials are keyed by environment name (via switch-env), not by URL — so when the override points somewhere else, the active environment's token is silently sent to that host with no credential isolation.

This is a Tier-1 / diagnostic fix:

  • Warn in human mode when CLERK_PLATFORM_API_URL differs from the active environment's platform URL (agent/scripted stderr stays clean — it would otherwise corrupt machine-readable output; agents get the same info from doctor).
  • clerk doctor now reports the active environment name and effective API URL in the "Logged in" check.

The broader request in #329 (user-definable environment profiles for full multi-env credential isolation) is a separate, larger change and is not included here — this PR makes the silent failure visible.

Test plan

  • New src/lib/environment.test.ts: warns on override mismatch in human mode; silent when unset, when equal, and in agent mode
  • doctor tests pass

Refs #329

@changeset-bot (Bot) commented Jun 16, 2026

🦋 Changeset detected

Latest commit: d654b19

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: clerk (Patch)

@coderabbitai (Bot) commented Jun 16, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

A new exported helper isPlatformApiUrlOverridden() compares CLERK_PLATFORM_API_URL with the active environment’s platform API URL and returns override details when they differ. The CLI now calls this helper during preAction and emits a warning in human mode when an override is detected. The doctor command updates its “Logged in” message to include the current environment name and API URL. Integration tests now extract JSON from the first {-prefixed stderr line instead of parsing all stderr as JSON.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning):

  • Docstring Coverage: Warning. Docstring coverage is 12.50%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4):

  • Title check: the title clearly describes the main change: warning on CLERK_PLATFORM_API_URL credential mismatches.
  • Description check: the description matches the changeset and explains the warning and doctor output changes.
  • Linked Issues check: skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: skipped because no linked issues were found for this pull request.

Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 7 linked repositories, but your current plan allows 1. Analyzed clerk/clerk_go, skipped clerk/dashboard, clerk/accounts, clerk/backoffice, clerk/clerk, clerk/clerk-docs, clerk/cloudflare-workers.



@wyattjoh (Contributor) left a comment

Clean, well-scoped diagnostic fix with good test coverage. One minor robustness note on the URL comparison and a small test-quality suggestion.

Comment thread packages/cli-core/src/lib/environment.ts Outdated
Comment thread packages/cli-core/src/lib/environment.test.ts
rafa-thayto force-pushed the fix/platform-api-url-credential-warning branch from 3c4cc3a to e59876a (June 18, 2026 12:15)
rafa-thayto requested a review from wyattjoh (June 18, 2026 12:15)
Comment thread packages/cli-core/src/lib/environment.ts Outdated
Comment thread packages/cli-core/src/cli-program.ts Outdated
rafa-thayto requested a review from wyattjoh (June 22, 2026 20:57)
rafa-thayto force-pushed the fix/platform-api-url-credential-warning branch from 39bbf59 to 15534ac (June 24, 2026 13:31)

@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
packages/cli-core/src/test/integration/input-json.test.ts (1)

21-28: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Optional: dedupe the stderr JSON extractor.

This helper is byte-for-byte equivalent to parseJsonError's new line-scanning logic in error-codes.test.ts (only the return type/.error access differs). Consider extracting a shared extractFirstJsonLine(stderr) into a test util so future changes to the parsing contract stay in one place.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli-core/src/test/integration/input-json.test.ts` around lines 21 -
28, The stderr JSON parsing logic in parseJsonFromStderr duplicates the new
line-scanning behavior already used by parseJsonError, so factor that shared
extraction into a common test utility. Create a reusable helper like
extractFirstJsonLine(stderr) and update parseJsonFromStderr and parseJsonError
to call it, keeping only their type-specific JSON parsing/field access in each
test.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/cli-core/src/cli-program.ts`:
- Around line 138-143: The override warning in cli-program.ts should not emit
during agent/scripted runs because log.warn still writes to stderr. Update the
warning path around isPlatformApiUrlOverridden() to only call log.warn when
isHuman() is true, or otherwise gate the logger invocation so non-human/JSON
consumers never see the message. Keep the existing override check and warning
text intact, just add the human-mode guard in this branch.

📥 Commits

Reviewing files that changed from the base of the PR and between 8f54a92 and 15534ac.

📒 Files selected for processing (7)
  • .changeset/platform-api-url-credential-warning.md
  • packages/cli-core/src/cli-program.ts
  • packages/cli-core/src/commands/doctor/checks.ts
  • packages/cli-core/src/lib/environment.test.ts
  • packages/cli-core/src/lib/environment.ts
  • packages/cli-core/src/test/integration/error-codes.test.ts
  • packages/cli-core/src/test/integration/input-json.test.ts
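The walkthrough and the nitpick above both turn on one parsing contract: once a warning line can precede the JSON error on stderr, a test (or any scripted consumer) must take the first line beginning with `{` instead of calling `JSON.parse(result.stderr)`. The block below is an added example of that extractor, not the project's test helper; the stderr buffer it parses is constructed here, and the error code in it is invented for the example rather than taken from the CLI.

```typescript
// Added example, not the project's test utility. Shows the stderr parsing
// contract the PR's integration tests moved to: take the first line that
// starts with "{" rather than JSON.parse(result.stderr), so a warning line
// ahead of the machine-readable error does not break the parse.

export interface CliError {
  error: { code: string; message: string };
}

// First stderr line beginning with "{", or null when there is none.
export function extractFirstJsonLine(stderr: string): string | null {
  for (const line of stderr.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (trimmed.startsWith("{")) return trimmed;
  }
  return null;
}

// Parse the JSON error out of stderr and check its shape before trusting it,
// so a stray "{...}" that is not an error object fails loudly in the test.
export function parseJsonFromStderr(stderr: string): CliError {
  const line = extractFirstJsonLine(stderr);
  if (line === null) {
    throw new Error(`no JSON line found in stderr:\n${stderr}`);
  }
  const parsed: unknown = JSON.parse(line);
  if (
    typeof parsed !== "object" ||
    parsed === null ||
    typeof (parsed as { error?: unknown }).error !== "object"
  ) {
    throw new Error(`stderr JSON line is not an error object: ${line}`);
  }
  return parsed as CliError;
}

// Whole-buffer parse: true when JSON.parse(stderr) throws, which it does as
// soon as anything other than the JSON document is present.
export function wholeBufferParseFails(stderr: string): boolean {
  try {
    JSON.parse(stderr);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample stderr: a human-mode style warning leaked ahead of the
// JSON error. The error code "example_error" is invented for this example.
export const SAMPLE_STDERR = [
  "warning: CLERK_PLATFORM_API_URL=https://api.example.test differs from the " +
    "\"production\" environment's platform URL (https://api.clerk.com)",
  '{"error":{"code":"example_error","message":"constructed sample error"}}',
  "",
].join("\n");

console.log(
  "whole-buffer parse fails:", wholeBufferParseFails(SAMPLE_STDERR),
  "| line-scan code:", parseJsonFromStderr(SAMPLE_STDERR).error.code,
);
```

The scan keys on the first character of a trimmed line, so a warning whose text happens to contain `{` in the middle is still skipped; a warning that itself starts with `{` would be picked up, which is one more reason the final design keeps the warning out of agent-mode stderr entirely rather than relying on the consumer to skip it.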

Comment thread packages/cli-core/src/cli-program.ts
rafa-thayto force-pushed the fix/platform-api-url-credential-warning branch 2 times, most recently from cbf951d to 944826a (June 28, 2026 12:13)

@wyattjoh (Contributor) left a comment

If the authentication information is tied to the URL being authenticated with, doesn't it make sense just to instead refuse to use that credential and consider the user as locked out?

rafa-thayto force-pushed the fix/platform-api-url-credential-warning branch from 944826a to ce52649 (July 1, 2026 14:24)
Commit messages:

CLERK_PLATFORM_API_URL redirects API traffic to an arbitrary host, but
credentials are keyed by environment name, not by URL, so the active env's
token is sent to the override host with no isolation. Warn about this in human
mode (agent/scripted output stays clean), and report the active environment and
API URL in clerk doctor so the mismatch is visible.

Refs #329

…warnings

Use new URL().href to normalize both the override and profile URL before
comparing, so trailing slashes and host-case differences don't produce
false positives. Falls back to raw string comparison when either URL is
malformed.

Also pin the test to a concrete literal ("https://api.clerk.com") instead
of the self-referencing getPlapiBaseUrl() call, and strengthen the positive
warning case by asserting the override host appears in the message.

…ll site

Export `isPlatformApiUrlOverridden()` from environment.ts that returns
the override/profile URLs and env name as data, rather than emitting
the warning itself. Move the `log.warn` call to the preAction hook in
cli-program.ts so the decision of whether/how to warn is at the call
site, and so warnings go to stderr unconditionally (not just in human
mode) since machine-readable stdout data is never polluted by stderr.

Update integration tests to extract the JSON line from stderr before
parsing so the warning line doesn't break `JSON.parse(result.stderr)`.

log.warn is not mode-aware; without an isHuman() guard the warning
leaks to stderr in agent mode, corrupting machine-readable output.

Claude-Session: https://claude.ai/code/session_01Fch1D1a2XLtPBeMD7r5tED
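The PR description and the commit messages above describe one mechanism in pieces: credentials are looked up by environment name, the override is compared after `new URL().href` normalization with a raw-string fallback for malformed values, the helper returns data rather than warning, and the call site gates the warning on human mode because `log.warn` itself is not mode-aware. The block below is an added example that puts those pieces together; it is not the clerk CLI's code. `EnvProfile`, `normalizeUrl` and `preActionWarning` are names assumed for the example (only `isPlatformApiUrlOverridden` is from the PR), the profile and override values are constructed, and the normalization goes one step beyond the commit by also ignoring a trailing slash on a non-root path.

```typescript
// Added example, not the clerk CLI's own code. Models the check the PR
// describes: credentials are keyed by environment name (switch-env), so a
// CLERK_PLATFORM_API_URL override pointing at another host would silently
// send that environment's token there. EnvProfile, normalizeUrl and
// preActionWarning are assumed names for this example.

export interface EnvProfile {
  name: string;           // credential lookup key, e.g. "production"
  platformApiUrl: string; // the host this environment's token is meant for
}

export interface OverrideInfo {
  envName: string;
  profileUrl: string;
  overrideUrl: string;
}

// Normalize with new URL().href so "https://API.clerk.com/" and
// "https://api.clerk.com" compare equal. Beyond the PR's commit, a trailing
// slash on a non-root path ("/v1/" vs "/v1") is dropped too, since href
// alone keeps those different. Falls back to the raw string when the value
// does not parse as a URL, so a malformed override is still reported.
export function normalizeUrl(raw: string): string {
  try {
    return new URL(raw).href.replace(/\/+$/, "");
  } catch {
    return raw.trim();
  }
}

// Returns override details when CLERK_PLATFORM_API_URL differs from the
// active environment's platform URL, or null when it is unset, blank, or
// equivalent after normalization. Pure: the environment map is passed in
// rather than read from process.env, so the cases below are testable.
export function isPlatformApiUrlOverridden(
  profile: EnvProfile,
  env: Record<string, string | undefined>,
): OverrideInfo | null {
  const override = env.CLERK_PLATFORM_API_URL;
  if (override === undefined || override.trim() === "") return null;
  if (normalizeUrl(override) === normalizeUrl(profile.platformApiUrl)) return null;
  return { envName: profile.name, profileUrl: profile.platformApiUrl, overrideUrl: override };
}

// Hypothetical preAction hook body. The helper only reports; the decision
// to warn lives here and is gated on human mode, because a logger that
// writes to stderr regardless of mode would otherwise leak the warning into
// scripted consumers' output. Returns the message instead of printing it.
export function preActionWarning(
  profile: EnvProfile,
  env: Record<string, string | undefined>,
  isHuman: boolean,
): string | null {
  const info = isPlatformApiUrlOverridden(profile, env);
  if (info === null || !isHuman) return null;
  return (
    `warning: CLERK_PLATFORM_API_URL=${info.overrideUrl} differs from the ` +
    `"${info.envName}" environment's platform URL (${info.profileUrl}); ` +
    `the "${info.envName}" credential will be sent to ${info.overrideUrl}`
  );
}

// Stand-alone demonstration with a constructed profile and override values.
const production: EnvProfile = { name: "production", platformApiUrl: "https://api.clerk.com" };
const cases: Array<[string, Record<string, string | undefined>, boolean]> = [
  ["unset", {}, true],
  ["equal after normalization", { CLERK_PLATFORM_API_URL: "https://API.clerk.com/" }, true],
  ["mismatch, human mode", { CLERK_PLATFORM_API_URL: "https://api.example.test" }, true],
  ["mismatch, agent mode", { CLERK_PLATFORM_API_URL: "https://api.example.test" }, false],
  ["malformed override", { CLERK_PLATFORM_API_URL: "not a url" }, true],
];
for (const [label, env, human] of cases) {
  console.log(`${label}: ${preActionWarning(production, env, human) ?? "(silent)"}`);
}
```

Keeping the helper pure and the mode check at the call site is what lets the four cases in the PR's test plan (unset, equal, mismatch in human mode, mismatch in agent mode) be asserted directly on return values; the malformed case shows that the raw-string fallback still surfaces an override that cannot even be parsed, rather than hiding it.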
rafa-thayto force-pushed the fix/platform-api-url-credential-warning branch from ce52649 to d654b19 (July 1, 2026 16:04)
