fix(backend): guard primary cross-origin sync handshake against non-GET requests

jacekradko · jacekradko · commit 01b0d2273bc8 · 2026-03-11T14:42:07.000-05:00
diff --git a/packages/backend/src/tokens/__tests__/request.test.ts b/packages/backend/src/tokens/__tests__/request.test.ts
@@ -1815,6 +1815,39 @@ describe('tokens.authenticateRequest(options)', () => {
       });
     });
 
+    test('does not trigger handshake for cross-origin POST document request on primary domain', async () => {
+      const cookieStr = Object.entries({
+        __session: mockJwt,
+        __client_uat: '12345',
+      })
+        .map(([k, v]) => `${k}=${v}`)
+        .join(';');
+
+      const request = new Request('https://primary.com/dashboard', {
+        method: 'POST',
+        headers: {
+          ...defaultHeaders,
+          referer: 'https://satellite.com/form',
+          'sec-fetch-dest': 'document',
+          cookie: cookieStr,
+        },
+      });
+
+      const requestState = await authenticateRequest(request, {
+        ...mockOptions(),
+        publishableKey: PK_LIVE,
+        domain: 'primary.com',
+        isSatellite: false,
+        signInUrl: 'https://primary.com/sign-in',
+      });
+
+      expect(requestState).toBeSignedIn({
+        domain: 'primary.com',
+        isSatellite: false,
+        signInUrl: 'https://primary.com/sign-in',
+      });
+    });
+
     test('does not trigger handshake for non-document requests', async () => {
       const request = mockRequestWithCookies(
         {
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -652,6 +652,7 @@ export const authenticateRequest: AuthenticateRequest = (async (
       // Check for cross-origin requests from satellite domains to primary domain
       const shouldForceHandshakeForCrossDomain =
         !authenticateContext.isSatellite && // We're on primary
+        authenticateContext.method === 'GET' && // Only GET navigations (POST form submissions set sec-fetch-dest: document too)
         authenticateContext.secFetchDest === 'document' && // Document navigation
         authenticateContext.isCrossOriginReferrer() && // Came from different domain
         !authenticateContext.isKnownClerkReferrer() && // Not from Clerk accounts portal or FAPI
