test(react-router): cover auth context isolation under concurrency

[nikosdouvlis]

Summary by CodeRabbit

• Tests
  • Added coverage for concurrent server requests to verify authentication data stays isolated per request.
  • Confirmed that separate request contexts return the correct user identity, while sharing a context can cause cross-request auth leakage.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
swingset	Ready	Preview, Comment	Jun 17, 2026 9:28am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Skipped		Jun 17, 2026 9:28am

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8889

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8889

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8889

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8889

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8889

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8889

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8889

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8889

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8889

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8889

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8889

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8889

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8889

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8889

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8889

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8889

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8889

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8889

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8889

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8889

commit: f2512d8

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-17T09:29:50.390Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	0
🔴 Breaking changes	0
🟡 Non-breaking changes	0
🟢 Additions	0

No API Changes Detected

All packages have stable APIs with no detected changes.

---

Report generated by Break Check

_{Last ran on f2512d8.}

[coderabbitai]

📝 Walkthrough

Walkthrough

A new Vitest test file is added that verifies concurrency isolation for clerkMiddleware() and getAuth() in React Router server usage. It introduces a runInterleaved harness that gates request A mid-execution to force overlap with request B, then asserts correct per-request auth with fresh RouterContextProvider instances and documents auth leakage when a single shared instance is reused.

Changes

Concurrency Isolation Tests

Layer / File(s)	Summary
Test documentation, mocks, and helper utilities packages/react-router/src/server/__tests__/clerkMiddleware.concurrency.test.ts	Top-level comments describe the shared-provider concurrency hazard; imports, Vitest mocks for clerkClient and loadOptions, a per-URL auth state generator, and a microtask flush helper are defined.
Interleaving harness and concurrency test cases packages/react-router/src/server/__tests__/clerkMiddleware.concurrency.test.ts	runInterleaved pauses request A before its loader reads auth context, runs request B to completion, then resumes A. Two cases assert: fresh RouterContextProvider per request preserves correct identities; a shared provider causes request A to read request B's userId.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Two requests hop down the middleware lane,
One waits mid-hop while the other goes plain.
Fresh burrows for each keep the auth squeaky clean,
Shared warrens get muddled — the leakage is seen!
I've locked in the chaos so no bug hides unseen. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: a new test covering authentication context isolation under concurrent conditions in the react-router integration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

packages/react-router/src/server/__tests__/clerkMiddleware.concurrency.test.ts (1)

72-101: ⚡ Quick win

Consider adding an explicit return type for clarity.

The runInterleaved helper returns a structured object used by multiple test cases. Adding an explicit return type would improve type safety and make the function's contract clearer.

📝 Suggested return type annotation

-async function runInterleaved(contextFor: (req: Request) => RouterContextProvider) {
+async function runInterleaved(contextFor: (req: Request) => RouterContextProvider): Promise<{ A?: string | null; B?: string | null }> {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/react-router/src/server/__tests__/clerkMiddleware.concurrency.test.ts`
around lines 72 - 101, The runInterleaved function lacks an explicit return type
annotation, which reduces type safety and clarity of its contract. Add a return
type annotation to the function signature that reflects the Promise type it
returns, which should be Promise with a structure containing optional properties
A and B, both of type string or null. This will make the function's return type
explicit and improve type checking for callers of this helper function.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@packages/react-router/src/server/__tests__/clerkMiddleware.concurrency.test.ts`:
- Around line 72-101: The runInterleaved function lacks an explicit return type
annotation, which reduces type safety and clarity of its contract. Add a return
type annotation to the function signature that reflects the Promise type it
returns, which should be Promise with a structure containing optional properties
A and B, both of type string or null. This will make the function's return type
explicit and improve type checking for callers of this helper function.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5b3ca5f8-16b3-4a78-9d4e-bbf06e1c4f97

📥 Commits

Reviewing files that changed from the base of the PR and between 3b146a1 and f2512d8.

📒 Files selected for processing (1)

• packages/react-router/src/server/__tests__/clerkMiddleware.concurrency.test.ts