@clerk/remix integration returns a 401 + redirect when viewing a website after the short lived token has expired #2166
Comments
We definitely understand your frustration here, and have heard it from others as well. We are currently actively looking into ways that we can change this behavior and still have everything work correctly. We are hoping to have a modified version out in the next few months that does not include this redirect behavior 🙌 However, as it stands, this is not a bug and the library still works correctly, so we're going to close this issue. But appreciate your surfacing this and again hoping to have it fixed soon!
Hey @jescalan, really glad to hear that this is a fix actively being worked on 😄. Happy to do some early testing if needed, so don't hesitate to reach out. Just a note, given that this issue is actually being worked on, it feels like it would be a good idea to leave this open with maybe a
Hey @jescalan I wanted to follow up again on this issue. You mentioned the team was researching a way to not have this behaviour, has there been any progress in this matter? This is still a really annoying side effect of using Clerk, one that causes much grief when we work hard on website performance. Would really love to know what is being done to solve this.
Hi there! So sorry for the slow response here @AdiRishi. There has been indeed, we have changed this mechanism in the latest beta of the Remix SDK. Give it a shot and see if this does the trick for you. Also note that the previous behavior (interstitial) was replaced by a new behavior (handshake) that runs faster and does not render an actual page in its redirect cycle, but will still redirect a short loop if it detects an expired session token. There isn't a way for us to remove the need to re-validate if there's an expired session token the way that Clerk's auth is architected. This should pay off overall in your page render speed however, since your backend only needs to verify the token's signature, which is very fast (usually ~1ms or less), rather than making a database call to verify auth state, which is much slower. Happy to go into more detail on this if you're curious.
@jescalan Sorry for the super delayed response, I just got to updating the production sites that use Clerk to the latest version with Clerk Core 2. The update's working really well, flash is gone, super smooth experience 😄
Amazing, this is so great to hear! Thank you so much for the feedback here and for using Clerk 💖
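The signature-only check and the expired-token redirect described in the maintainer's comment above, sketched as an added example; this is not Clerk's code and not part of the thread. Assumptions: an HS256 shared key is used for brevity, and the names `signToken`, `verifyToken`, `decide` and the three outcome labels are hypothetical.

```javascript
// Added illustration of stateless session-token checking; names and key type are assumptions.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Mint a short-lived HS256 token (used here only to construct sample input).
function signToken(key, claims, alg = 'HS256') {
  const head = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(key, `${head}.${body}`))}`;
}

// Local verification only: no database or network call is made.
function verifyToken(key, token, nowSec) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm instead of trusting the header's choice.
  if (header.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = hmac(key, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Expiry is checked only after the signature, so a forged token never reaches this branch.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired', claims };
  }
  return { ok: true, claims };
}

// Per-request decision: serve, re-validate through a redirect, or treat as signed out.
function decide(key, token, nowSec) {
  const result = verifyToken(key, token, nowSec);
  if (result.ok) return 'signed-in';
  // Authentic but expired: stale claims are not trusted, the token must be refreshed.
  if (result.reason === 'expired') return 'handshake';
  return 'signed-out';
}
```

Because the signature is checked before `exp`, only a token that was genuinely issued and has since expired leads to the redirect; a forged or malformed one is treated as signed out.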
Preliminary Checks
I have reviewed the documentation: https://clerk.com/docs
I have searched for existing issues: https://github.com/clerk/javascript/issues
I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)
This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.
Reproduction / Replay Link
https://github.com/AdiRishi/clerk-remix-401-demo
Publishable key
pk_live_Y2xlcmsubmFhbWRlby5vcmck
Description
The @clerk/remix integration seems to have behavior where when you visit a webpage with an expired short lived session token, the app will initially respond with a 401 code, then redirect the user back to the same page, finally loading with a 200.
Although this behavior won't be obvious to a user, for those of us trying to optimize the initial page load as much as possible, this creates a rather noticeable delay on the first page load (anywhere from 300ms to 1-2s).
Because the remix integration wraps the whole app, even content pages that need no auth will exhibit this behavior.
I personally feel like this is not really acceptable behavior. It should be possible to wrap your app in authentication and not have the first response always be a 401.
Looking forward to some feedback or advice on if this is a planned fix, or if there is no possible way to get around this.
Steps to reproduce
I've recorded examples from both my provided reproduction repository and one from the official clerk remix starter app found here.
Steps taken
Expected Behavior
The web page should load with a 200 response code
Actual behavior
The web page initially loads with a 401 and then redirects back to itself and finally loads with a 200. My guess is the initial 401 response contains the now refreshed session token.
Environment