fix: Strip query string from Express proxy path matching

brkalow · claude · brkalow · commit 78f01a3a7d43 · 2026-02-09T14:39:57.000-06:00
request.originalUrl includes query parameters, causing proxy path matching
to fail for requests like /__clerk?_clerk_js_version=5.0.0. Parse the URL
to extract pathname before comparing, consistent with the backend's
matchProxyPath implementation.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/express/src/__tests__/clerkMiddleware.test.ts b/packages/express/src/__tests__/clerkMiddleware.test.ts
@@ -1,6 +1,17 @@
 import type { Request, RequestHandler, Response } from 'express';
 import { vi } from 'vitest';
 
+const { mockClerkFrontendApiProxy } = vi.hoisted(() => ({
+  mockClerkFrontendApiProxy: vi.fn(),
+}));
+vi.mock('@clerk/backend/proxy', async () => {
+  const actual = await vi.importActual('@clerk/backend/proxy');
+  return {
+    ...actual,
+    clerkFrontendApiProxy: mockClerkFrontendApiProxy,
+  };
+});
+
 import { clerkMiddleware } from '../clerkMiddleware';
 import { getAuth } from '../getAuth';
 import { assertNoDebugHeaders, assertSignedOutDebugHeaders, runMiddleware, runMiddlewareOnPath } from './helpers';
@@ -116,6 +127,22 @@ describe('clerkMiddleware', () => {
   });
 
   describe('Frontend API proxy handling', () => {
+    beforeEach(() => {
+      mockClerkFrontendApiProxy.mockReset();
+    });
+
+    it('intercepts proxy path with query parameters', async () => {
+      mockClerkFrontendApiProxy.mockResolvedValueOnce(new globalThis.Response('proxied', { status: 200 }));
+
+      const response = await runMiddlewareOnPath(
+        clerkMiddleware({ frontendApiProxy: { enabled: true } }),
+        '/__clerk?_clerk_js_version=5.0.0',
+        {},
+      ).expect(200);
+
+      expect(mockClerkFrontendApiProxy).toHaveBeenCalled();
+    });
+
     it('authenticates default path when custom proxy path is set', async () => {
       // When using a custom path, the default /__clerk should be authenticated
       const response = await runMiddlewareOnPath(
diff --git a/packages/express/src/authenticateRequest.ts b/packages/express/src/authenticateRequest.ts
@@ -131,7 +131,7 @@ export const authenticateAndDecorateRequest = (options: ClerkMiddlewareOptions =
 
     // Handle Frontend API proxy requests early, before authentication
     if (proxyEnabled) {
-      const requestPath = request.originalUrl || request.url;
+      const requestPath = new URL(request.originalUrl || request.url, `http://${request.headers.host}`).pathname;
       if (requestPath === proxyPath || requestPath.startsWith(proxyPath + '/')) {
         // Convert Express request to Fetch API Request
         const proxyRequest = requestToProxyRequest(request);
