feat(eslint-plugin-next): Add initial @clerk/eslint-plugin-next package and rule#8704
Open
Ephem wants to merge 9 commits into
Open
feat(eslint-plugin-next): Add initial @clerk/eslint-plugin-next package and rule#8704Ephem wants to merge 9 commits into
Ephem wants to merge 9 commits into
Conversation
🦋 Changeset detectedLatest commit: fd1048d The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Repository UI (inherited) Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (4)
✅ Files skipped from review due to trivial changes (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughThis PR introduces ChangesAuth Protection ESLint Plugin
Sequence Diagram(s)sequenceDiagram
participant ESLint
participant RequireAuthRule
participant FileInfo
participant MatchFolders
participant Exports
participant ProtectionChecks
ESLint->>RequireAuthRule: visit program node
RequireAuthRule->>FileInfo: getRelativeFolder, getFileKind, isClientModule
RequireAuthRule->>MatchFolders: classifyFolder
alt Protected Folder
RequireAuthRule->>Exports: resolveDefaultExportTarget or iterateNamedExports
Exports-->>RequireAuthRule: export target (function or imported)
RequireAuthRule->>ProtectionChecks: hasProtectAtTop, findAuthLocalNames
ProtectionChecks-->>RequireAuthRule: boolean protection status
end
RequireAuthRule-->>ESLint: report violation or pass
sequenceDiagram
participant Rule
participant ProtectionChecks
participant FunctionNode
Rule->>ProtectionChecks: hasProtectAtTop(fn, authNames)
ProtectionChecks->>FunctionNode: find first executable statement
alt Top-level auth.protect() call
FunctionNode-->>ProtectionChecks: returns true
else await auth() destructuring + guard
ProtectionChecks->>FunctionNode: extract captured auth fields
ProtectionChecks->>FunctionNode: recognize auth-check condition
ProtectionChecks->>FunctionNode: verify guard consequent exits
FunctionNode-->>ProtectionChecks: returns true if exits via return/throw/redirect
else No recognized pattern
FunctionNode-->>ProtectionChecks: returns false
end
ProtectionChecks-->>Rule: boolean protection status
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
Warning Review ran into problems🔥 ProblemsStopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a Comment |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/eslint-plugin-next/README.md`:
- Line 5: The <img> tag in the README is missing an alt attribute; add an
appropriate alt attribute to the image element (e.g., alt="Clerk logo" or a more
descriptive string) so screen readers can convey the image content—if the image
is decorative, use alt="" to mark it as decorative; update the <img
src="/asset?url=https%3A%2F%2Fimages.clerk.com%2Fstatic%2Flogo-light-mode-400x400.png" height="64">
element accordingly.
In `@packages/eslint-plugin-next/src/lib/protection-checks.ts`:
- Around line 96-133: The current logic in capturedAuthBindings wrongly treats
multi-declarator statements like `const {userId} = await auth(), side =
doWork()` as safe; update the guard to require a single declarator by checking
that stmt.declarations.length === 1 and returning null if not, so only
statements with exactly one declarator (the destructuring await) are considered;
keep the existing checks (decl.id/ObjectPattern, decl.init/AwaitExpression, arg
CallExpression, callee in authNames, and the AUTH_FIELDS/property identity
checks) unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 7ac258ec-bf2d-4658-bdc3-ee5333e132e6
⛔ Files ignored due to path filters (2)
packages/eslint-plugin-next/src/__tests__/__snapshots__/plugin-shape.test.ts.snapis excluded by!**/*.snappnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (19)
.changeset/eslint-plugin-next-initial.md.github/labeler.ymlpackages/eslint-plugin-next/README.mdpackages/eslint-plugin-next/package.jsonpackages/eslint-plugin-next/src/__tests__/file-info.test.tspackages/eslint-plugin-next/src/__tests__/match-folders.test.tspackages/eslint-plugin-next/src/__tests__/plugin-shape.test.tspackages/eslint-plugin-next/src/__tests__/require-auth-protection.test.tspackages/eslint-plugin-next/src/global.d.tspackages/eslint-plugin-next/src/index.tspackages/eslint-plugin-next/src/lib/exports.tspackages/eslint-plugin-next/src/lib/file-info.tspackages/eslint-plugin-next/src/lib/match-folders.tspackages/eslint-plugin-next/src/lib/protection-checks.tspackages/eslint-plugin-next/src/rules/require-auth-protection.tspackages/eslint-plugin-next/tsconfig.jsonpackages/eslint-plugin-next/tsup.config.tspackages/eslint-plugin-next/vitest.config.mtspackages/eslint-plugin-next/vitest.setup.mts
jacekradko
reviewed
Jun 4, 2026
| @@ -0,0 +1,9 @@ | |||
| // Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html | |||
Member
There was a problem hiding this comment.
Now that we have break-check, these snapshot tests are duplicative
jacekradko
reviewed
Jun 4, 2026
|
|
||
| This project is licensed under the **MIT license**. | ||
|
|
||
| See [LICENSE](https://github.com/clerk/javascript/blob/main/packages/eslint-plugin-next/LICENSE) for more information. |
Member
There was a problem hiding this comment.
I don't see a LICENSE file in this PR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds
@clerk/eslint-plugin-next, an ESLint plugin for the Next app router. Adds a first rule,require-auth-protectionthat enforces auth protections at the page/route/server action level.The rule flags any
page,layout,template,default,route, or Server Action under folders configured asprotectedthat doesn't guard itself withawait auth.protect()(or an equivalent early-exitauth()check).What's included
packages/eslint-plugin-next(dual CJS/ESM, type-only deps,eslint >=9peer, ships at0.0.0→0.1.0)require-auth-protectionrule withprotected(required),public, andmixedScopeLayoutsoptionsConfig
Also see README.
Errors
await auth.protect()at the top of {{subject}} in a folder configured as protected. Add the call to the top of the function, move the file into a public folder, or configure this folder as public.',await auth.protect(), or ensure the imported function calls it and add an eslint-disable comment with a reason.",const handler = withAuth(impl)). Inline a function literal that callsawait auth.protect(), or add an eslint-disable comment with a reason.',mixedScopeLayoutswas provided in config):mixedScopeLayouts. Either add '{{folder}}' to the list to acknowledge the mixed scope, or restructure so the {{fileKind}} wraps only public or protected descendants.",Notes
Checklist
pnpm testruns as expected.pnpm buildruns as expected.Type of change
Summary by CodeRabbit
Release Notes
@clerk/eslint-plugin-nextESLint plugin for Next.js App Routerrequire-auth-protectionrule to enforce authentication protection in pages, routes, layouts, and server actions