fix(backend): Handle token type array in authenticateRequest

[wobsoriano]

Description

Cherry-picked changes from #7556

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Tests

  • Expanded test coverage for token authentication, including scenarios for session tokens, machine tokens, and mixed token types in various authentication methods (header, cookies).
  • Added tests for unauthenticated states and edge cases.

• Bug Fixes

  • Improved token handling in authentication requests to support array-type token configurations in header-based authentication.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: dc06f97

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jan 8, 2026 4:08pm

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request adds a changeset file for version tracking, expands the token request test suite to cover additional authentication scenarios including machine tokens, session tokens, mixed token types, and unauthenticated states, and updates the authenticateRequest function to handle acceptsToken as an array in header token processing. The implementation change extends the conditional logic that previously only handled acceptsToken as the 'any' string to also process array-typed acceptsToken values through the same authentication path.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: handling token type arrays in the authenticateRequest function, which matches the core modification in packages/backend/src/tokens/request.ts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7563

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7563

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7563

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7563

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7563

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7563

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7563

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7563

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7563

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7563

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7563

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7563

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7563

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7563

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7563

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7563

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7563

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7563

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7563

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7563

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7563

commit: dc06f97

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.changeset/weak-wombats-begin.md:
- Around line 1-2: The changeset file is empty (only YAML delimiters); replace
the empty content with a valid changeset YAML that names the affected
package(s), specifies the release type (patch/minor/major), and includes a short
descriptive summary of the change (and optionally author/PR) so
changelog/version tooling can parse it; ensure the YAML is syntactically correct
and not just '---' delimiters.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a7a38ab and dc06f97.

📒 Files selected for processing (3)

• .changeset/weak-wombats-begin.md
• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

🧰 Additional context used

📓 Path-based instructions (13)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• packages/backend/src/tokens/__tests__/request.test.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• packages/backend/src/tokens/__tests__/request.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use React Testing Library for component testing

Files:

• packages/backend/src/tokens/__tests__/request.test.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.

Files:

• packages/backend/src/tokens/__tests__/request.test.ts
• packages/backend/src/tokens/request.ts

🧬 Code graph analysis (1)

packages/backend/src/tokens/__tests__/request.test.ts (5)

packages/backend/src/fixtures/index.ts (1)

• mockJwks (59-61)

packages/express/src/__tests__/helpers.ts (1)

• mockRequest (26-28)

packages/backend/src/tokens/request.ts (1)

• authenticateRequest (147-808)

packages/backend/src/tokens/authStatus.ts (2)

• AuthErrorReason (105-122)
• AuthErrorReason (124-124)

packages/backend/src/fixtures/machine.ts (3)

• mockMachineAuthResponses (54-67)
• mockVerificationResults (7-52)
• mockTokens (1-5)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: Static analysis
• GitHub Check: Unit Tests (**)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

packages/backend/src/tokens/request.ts (1)

785-785: LGTM - Array support correctly implemented.

The extension to handle Array.isArray(acceptsToken) alongside 'any' is correct. Both cases route to authenticateAnyRequestWithTokenInHeader(), which appropriately handles multiple token types. The pre-validation at lines 778-782 already ensures the token type is in the accepted array before reaching this point.

packages/backend/src/tokens/__tests__/request.test.ts (1)

1396-1522: LGTM - Comprehensive test coverage for array acceptsToken.

The new tests thoroughly cover the array acceptsToken functionality:

• Session token acceptance in both header and cookie scenarios
• Machine token acceptance with mixed token types
• Proper rejection when token types aren't in the accepted array
• Edge case handling (no token with machine-only array)

All tests follow established patterns and properly validate the implementation changes.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Empty changeset content.

The changeset file contains only YAML delimiters with no content describing the changes. Changeset files typically include the package name and a description of the change for version tracking and changelog generation. Verify whether this is intentional (e.g., auto-populated by tooling) or if content needs to be added manually.

🤖 Prompt for AI Agents

In @.changeset/weak-wombats-begin.md around lines 1 - 2, The changeset file is
empty (only YAML delimiters); replace the empty content with a valid changeset
YAML that names the affected package(s), specifies the release type
(patch/minor/major), and includes a short descriptive summary of the change (and
optionally author/PR) so changelog/version tooling can parse it; ensure the YAML
is syntactically correct and not just '---' delimiters.

[jacekradko]

@wobsoriano We should have a changeset for the backend pacakge

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[wobsoriano]

This was released in core 2 as well. Do we still need it here?

[jacekradko]

That's fair. We haven't really split the changesets this way for many of the core-2 + core-3 features so it feels odd to have this empty. All good though