feat(clerk-js): Add sign_up_if_missing for SignIn.create #7749

dmoerner · 2026-02-03T20:40:48Z

This check guards against an attacker who tries to make a fake transfer and then changes strategy at the same time, which would be an attempt to get around WAF rules and Captcha rules that exclude transfers. We already guard against this on the backend on both sign in and sign up, but in the SDK we were only checking it on sign up. So I took this opportunity to also add the check on sign in.

coderabbitai · 2026-02-03T21:17:27Z

⚠️ Potential issue | 🟡 Minor

Potential null reference when accessing signUp properties during transfer.

Line 186 uses optional chaining on client? but not on the subsequent property chain. If client exists but signUp, verifications, or externalAccount is null/undefined, this will throw a TypeError.

Proposed fix

if (params.transfer && this.shouldBypassCaptchaForAttempt(params)) { - const strategy = SignIn.clerk.client?.signUp.verifications.externalAccount.strategy; + const strategy = SignIn.clerk.client?.signUp?.verifications?.externalAccount?.strategy; if (strategy) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

if (params.transfer && this.shouldBypassCaptchaForAttempt(params)) {

const strategy = SignIn.clerk.client?.signUp.verifications.externalAccount.strategy;

if (strategy) {

// When transfer is true, we're in the OAuth/Enterprise SSO transfer case

type TransferParams = Extract<SignInCreateParams, { transfer: true }>;

(finalParams as TransferParams).strategy = strategy as TransferParams['strategy'];

}

}

if (params.transfer && this.shouldBypassCaptchaForAttempt(params)) {

const strategy = SignIn.clerk.client?.signUp?.verifications?.externalAccount?.strategy;

if (strategy) {

// When transfer is true, we're in the OAuth/Enterprise SSO transfer case

type TransferParams = Extract<SignInCreateParams, { transfer: true }>;

(finalParams as TransferParams).strategy = strategy as TransferParams['strategy'];

}

}

🤖 Prompt for AI Agents

In `@packages/clerk-js/src/core/resources/SignIn.ts` around lines 185 - 192, The code accesses nested properties on SignIn.clerk.client without guarding signUp/verifications/externalAccount; change the retrieval of strategy in the SignIn transfer branch to use safe checks (e.g. optional chaining or explicit null checks) so you do const strategy = SignIn.clerk.client?.signUp?.verifications?.externalAccount?.strategy and only assign (finalParams as TransferParams).strategy = strategy as TransferParams['strategy'] if strategy is not undefined/null; update the logic inside the transfer block (related to shouldBypassCaptchaForAttempt and finalParams assignment) to avoid any potential TypeError from missing intermediate objects.

If it's a sign in and a transfer and there's no signup or verification or externalaccount, that would be an error.

@dmoerner, thank you for the clarification. You're right—in this transfer flow context, if those nested properties are missing, that would indicate a legitimate error state that should surface rather than be silently handled. The current implementation with optional chaining only on client is appropriate here.

coderabbitai · 2026-02-03T21:17:27Z

⚠️ Potential issue | 🟡 Minor

Same null reference risk in the transfer branch.

Line 625 accesses signUp.verifications.externalAccount.strategy without optional chaining. This could throw if the signUp state is incomplete during a transfer scenario.

Proposed fix

if ( params.transfer && captchaOauthBypass.some( // eslint-disable-next-line `@typescript-eslint/no-non-null-assertion` - strategy => strategy === SignIn.clerk.client!.signUp.verifications.externalAccount.strategy, + strategy => strategy === SignIn.clerk.client?.signUp?.verifications?.externalAccount?.strategy, ) ) {

🤖 Prompt for AI Agents

In `@packages/clerk-js/src/core/resources/SignIn.ts` around lines 621 - 629, The transfer branch accesses SignIn.clerk.client!.signUp.verifications.externalAccount.strategy directly which can throw if signUp/verifications/externalAccount is undefined; update the condition inside the captchaOauthBypass check to use optional chaining (e.g., SignIn.clerk.client?.signUp?.verifications?.externalAccount?.strategy) and compare safely (guarding null/undefined) so the predicate returns false when the nested property is missing, ensuring the transfer path doesn't cause a runtime error.

As in the other case, a transfer with a sign up that's incomplete in the sense of missing an external account is an error.

@dmoerner, understood. If the external account is expected to exist during transfer scenarios, the assertion is appropriate to catch that error early. Thanks for the clarification.

-Original file line number
+Diff line change
@@ -0,0 +1,6 @@
+    ---
+    '@clerk/clerk-js': minor
+    '@clerk/shared': minor
+    ---
+    Support `sign_up_if_missing` on SignIn.create, including captcha

-Original file line number
+Diff line change
@@ Expand Up / @@ -4,7 +4,7 @@ @@
         { "path": "./dist/clerk.browser.js", "maxSize": "66KB" },
         { "path": "./dist/clerk.chips.browser.js", "maxSize": "66KB" },
         { "path": "./dist/clerk.legacy.browser.js", "maxSize": "106KB" },
-        { "path": "./dist/clerk.no-rhc.js", "maxSize": "305KB" },
+        { "path": "./dist/clerk.no-rhc.js", "maxSize": "306KB" },
         { "path": "./dist/clerk.native.js", "maxSize": "65KB" },
         { "path": "./dist/vendors*.js", "maxSize": "7KB" },
         { "path": "./dist/coinbase*.js", "maxSize": "36KB" },
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(clerk-js): Add sign_up_if_missing for SignIn.create #7749

Diff view

Diff view

There are no files selected for viewing

dmoerner Feb 3, 2026

Uh oh!

coderabbitai bot Feb 3, 2026 •

edited

Loading

Uh oh!

dmoerner Feb 3, 2026

Uh oh!

coderabbitai bot Feb 3, 2026

Uh oh!

coderabbitai bot Feb 3, 2026 •

edited

Loading

Uh oh!

dmoerner Feb 3, 2026

Uh oh!

coderabbitai bot Feb 3, 2026

Uh oh!

Uh oh!

Uh oh!

feat(clerk-js): Add sign_up_if_missing for SignIn.create #7749

Are you sure you want to change the base?

feat(clerk-js): Add sign_up_if_missing for SignIn.create #7749

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

dmoerner Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dmoerner Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dmoerner Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot Feb 3, 2026 •

edited

Loading

coderabbitai bot Feb 3, 2026 •

edited

Loading