feat(clerk-js): Sign up if missing by dmoerner · Pull Request #8030 · clerk/javascript
Description
This PR re-reverts #7749, which adds support for sign up if missing for custom flows. We do this by adding the optional signUpIfMissing param on creating a sign in, and adding support for captchas. This requires both supporting captchas on sign in if signUpIfMissing is true, and making sure we don't show a double captcha on sign up after transfer from a sign up if missing sign in.
The original PR had to be reverted because it did not properly render captchas on Enterprise SSO transfers to sign up. The root of this mistake was my confusion over a bug in the existing code: We bailed out early in shouldBypassCaptchaForAttempt if there was no strategy. This had the effect that we unconditionally showed captchas on all transfers. This was correct behavior for EnterpriseSSO, which does not bypass captcha on transfer. This was a bug for OAuth, since we never checked if we should bypass captchas for OAuth.
This PR is identical to the previous one, except the logic in shouldBypassCaptchaForAttempt is fixed: We do show captchas on EnterpriseSSO transfers, and we properly check the bypass list for OAuth transfers. I also added further unit tests to verify these fixes.
This was tested in staging with SCIM to confirm that we did not have the EnterpriseSSO Captcha regression.
Checklist
- `pnpm test` runs as expected.
- `pnpm build` runs as expected.
- (If applicable) JSDoc comments have been added or updated for any package exports
- (If applicable) Documentation has been updated
Type of change
- Bug fix
- New feature
- Breaking change
- Refactoring / dependency upgrade / documentation
- other:
Summary by CodeRabbit
- New Features
- Added `sign_up_if_missing` parameter to sign-in requests, enabling automatic account creation for users who don't yet have an account
- Integrated CAPTCHA bot protection challenges into the sign-in flow when your security configuration requires it
- Improved CAPTCHA bypass logic for passwordless authentication strategies, including email code, email link, and phone code verification
- Added