fix(backend): harden FAPI proxy resilience and spec compliance

[brkalow]

Summary

• Propagate client abort signal to upstream fetch() to prevent zombie requests when clients disconnect
• Strip dynamic hop-by-hop headers listed in the Connection header per RFC 7230 Section 6.1, for both request and response header copying
• Support request bodies on any HTTP method (e.g., DELETE-with-body) by checking request.body !== null instead of a method allowlist
• Add Cache-Control: no-store to all error responses to prevent CDN/browser caching of transient errors
• Only set duplex: 'half' when the request actually has a body, avoiding unnecessary option on bodyless requests
• Converted HOP_BY_HOP_HEADERS from array to Set for O(1) lookups

Test plan

• Existing proxy tests continue to pass (82 tests)
• New test: DELETE request with body is forwarded with duplex: 'half'
• New test: Abort signal from incoming request is propagated to fetch
• New test: Error responses (500 and 502) include Cache-Control: no-store
• New test: Dynamic hop-by-hop headers listed in Connection header are stripped from forwarded requests

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Improved proxy behavior: support DELETE requests with bodies, reliable request-body detection, forward abort signals to upstream, ensure error responses use no-cache, and strip dynamically nominated hop-by-hop headers.

• Tests

  • Added tests for DELETE-with-body forwarding, signal propagation, cache-control on failures, and dynamic hop-by-hop header stripping.

• Chores

  • Added a patch release entry for the backend package.

[changeset-bot]

🦋 Changeset detected

Latest commit: 7ac51f5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@clerk/backend	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8163

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8163

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8163

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8163

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8163

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8163

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8163

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8163

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8163

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8163

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8163

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8163

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8163

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8163

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8163

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8163

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8163

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8163

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8163

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8163

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8163

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8163

commit: 7ac51f5

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Proxy header handling switched from an array to a Set and now uses has() for hop-by-hop checks. Added getDynamicHopByHopHeaders(headers: Headers) to parse names from the Connection header and exclude them from both proxied requests and responses. Request body detection changed to request.body !== null; when a body exists the proxy sets duplex: 'half' and always forwards request.signal to upstream fetch. JSON error responses now include Cache-Control: no-store. Tests were added covering DELETE with a body, signal propagation, consistent cache behavior on failures, and dynamic hop-by-hop header stripping.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main intent of the changeset: hardening the FAPI proxy by improving its resilience and RFC compliance.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 30, 2026 9:26pm

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.changeset/tough-ghosts-ask.md:
- Line 5: The changeset summary contains a spelling mistake: replace the
misspelled token "aobrt" with "abort" in the summary sentence (the phrase
"adding support for aobrt signals" should read "adding support for abort
signals") so the release notes/changelog shows the correct word; update the
summary text in the changeset file where that token appears.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: a8f5d12c-abae-4778-9f39-edecdb62d566

📥 Commits

Reviewing files that changed from the base of the PR and between 2809448 and 1fbdcef.

📒 Files selected for processing (1)

• .changeset/tough-ghosts-ask.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/backend/src/proxy.ts (1)

320-346: ⚠️ Potential issue | 🟠 Major

Don't restore Location after stripping dynamic hop-by-hop headers.

Line 320 strips headers named by the upstream Connection header, but Lines 338-346 can add Location back from response.headers. If FAPI ever sends Connection: location, this still forwards a hop-by-hop response header and breaks the RFC 7230 behavior this change is adding.

🐛 Proposed fix

-    if (locationHeader) {
+    if (locationHeader && !responseDynamicHopByHop.has('location')) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/backend/src/proxy.ts` around lines 320 - 346, The Location rewrite
logic can re-add a hop-by-hop header if the upstream Connection header listed
"location"; update the Location handling in the response rewrite to check the
same dynamic hop-by-hop set before restoring or setting Location: use
responseDynamicHopByHop (from getDynamicHopByHopHeaders(response.headers)) and
the same lowercase membership tests (HOP_BY_HOP_HEADERS and
RESPONSE_HEADERS_TO_STRIP) to skip rewriting/setting Location when it was listed
as a dynamic hop-by-hop header; ensure you consult response.headers and
lower-case the key like the earlier loop before calling
responseHeaders.set('Location', ...).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@packages/backend/src/proxy.ts`:
- Around line 320-346: The Location rewrite logic can re-add a hop-by-hop header
if the upstream Connection header listed "location"; update the Location
handling in the response rewrite to check the same dynamic hop-by-hop set before
restoring or setting Location: use responseDynamicHopByHop (from
getDynamicHopByHopHeaders(response.headers)) and the same lowercase membership
tests (HOP_BY_HOP_HEADERS and RESPONSE_HEADERS_TO_STRIP) to skip
rewriting/setting Location when it was listed as a dynamic hop-by-hop header;
ensure you consult response.headers and lower-case the key like the earlier loop
before calling responseHeaders.set('Location', ...).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: ad9397c6-e66f-4599-85cc-262daab25aac

📥 Commits

Reviewing files that changed from the base of the PR and between 545a88c and ccf5a79.

📒 Files selected for processing (1)

• packages/backend/src/proxy.ts

[dstaley]

AbortSignal.timeout was added in Node 17. What other backend runtime are we waiting for support for?

[brkalow]

Good Q! Seems like it's also supported in CF workers as well, so I don't think we need to worry too much about runtime compat.

I'll handle the generic top-level timeout in a follow-up

[dstaley]

which definitions is it not in?

[brkalow]

It's not present on the RequestInit type, I will clarify 👀

[jacekradko]

[nit] we could also convert RESPONSE_HEADERS_TO_STRIP to a set for the .has() method. But super super minor

[jacekradko]

We could probably add a unit test for this

[jacekradko]

Just some nits, but overall this is 🔥