
fix(backend): harden FAPI proxy resilience and spec compliance#8163

Open
brkalow wants to merge 1 commit into main from brkalow/proxy-hardening

Conversation


@brkalow brkalow commented Mar 25, 2026

Summary

  • Propagate client abort signal to upstream fetch() to prevent zombie requests when clients disconnect
  • Strip dynamic hop-by-hop headers listed in the Connection header per RFC 7230 Section 6.1, for both request and response header copying
  • Support request bodies on any HTTP method (e.g., DELETE-with-body) by checking request.body !== null instead of a method allowlist
  • Add Cache-Control: no-store to all error responses to prevent CDN/browser caching of transient errors
  • Only set duplex: 'half' when the request actually has a body, avoiding unnecessary option on bodyless requests
  • Converted HOP_BY_HOP_HEADERS from array to Set for O(1) lookups

Test plan

  • Existing proxy tests continue to pass (82 tests)
  • New test: DELETE request with body is forwarded with duplex: 'half'
  • New test: Abort signal from incoming request is propagated to fetch
  • New test: Error responses (500 and 502) include Cache-Control: no-store
  • New test: Dynamic hop-by-hop headers listed in Connection header are stripped from forwarded requests

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Improved proxy request forwarding to properly handle DELETE requests with request bodies.
    • Enhanced abort signal propagation for better request cancellation control.
    • Fixed error response caching with appropriate Cache-Control headers.
    • Improved HTTP header filtering for RFC 7230 compliance with dynamic hop-by-hop headers.
  • Tests

    • Added comprehensive test coverage for proxy request handling, abort signals, and header management.

…ipping, and DELETE body support

- Propagate client abort signal to upstream fetch to prevent zombie requests
- Strip dynamic hop-by-hop headers listed in the Connection header (RFC 7230)
- Support request bodies on DELETE (and any method), not just POST/PUT/PATCH
- Add Cache-Control: no-store to error responses to prevent CDN caching
- Only set duplex option when request has a body

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
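An added example, not the PR's own code (that lives in packages/backend/src/proxy.ts), showing the behaviours the summary lists as stand-alone TypeScript: a static hop-by-hop Set plus the names nominated by the Connection header (RFC 7230 Section 6.1), body forwarding on any method with duplex: 'half' only when a body exists, abort-signal propagation to the upstream fetch, and no-store error responses. The header list and all function names are assumptions.

```typescript
// Added example, not the PR's own code; the header list and function names are assumptions.

// Static hop-by-hop names (the classic RFC 2616 13.5.1 list), kept in a Set for O(1) lookups.
const HOP_BY_HOP_HEADERS: ReadonlySet<string> = new Set(['connection', 'keep-alive',
  'proxy-authenticate', 'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade']);

// RFC 7230 Section 6.1: the Connection header nominates further hop-by-hop fields,
// e.g. "keep-alive, X-Internal-Token". Return those names lowercased.
export function connectionNominatedHeaders(connectionValue: string | null): Set<string> {
  const nominated = new Set<string>();
  for (const token of (connectionValue ?? '').split(',')) {
    const name = token.trim().toLowerCase();
    if (name.length > 0) nominated.add(name);
  }
  return nominated;
}

// Copy only end-to-end headers: drop the static set plus anything the Connection
// header nominates. Used the same way for request and response headers.
export function copyEndToEndHeaders(source: Headers): Headers {
  const dynamic = connectionNominatedHeaders(source.get('connection'));
  const out = new Headers();
  source.forEach((value, name) => {
    const lower = name.toLowerCase();
    if (HOP_BY_HOP_HEADERS.has(lower) || dynamic.has(lower)) return;
    out.append(name, value);
  });
  return out;
}

// Upstream fetch options: forward a body on any method when one is present (and only
// then set duplex: 'half'), and pass the client's abort signal through so the upstream
// request is cancelled when the client disconnects instead of lingering as a zombie.
export function buildUpstreamInit(request: Request): RequestInit & { duplex?: 'half' } {
  const init: RequestInit & { duplex?: 'half' } = {
    method: request.method,
    headers: copyEndToEndHeaders(request.headers),
    signal: request.signal,
  };
  if (request.body !== null) {
    init.body = request.body;
    init.duplex = 'half';
  }
  return init;
}

// Error responses carry Cache-Control: no-store so CDNs and browsers never cache a transient failure.
export function errorResponse(status: number, message: string): Response {
  return new Response(message, { status, headers: { 'Cache-Control': 'no-store' } });
}
```

Note that a header nominated in Connection is dropped even when its name is not in the static list, which is what keeps a per-hop token like X-Internal-Token from reaching the upstream.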

changeset-bot bot commented Mar 25, 2026

⚠️ No Changeset found

Latest commit: e7346d8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



pkg-pr-new bot commented Mar 25, 2026

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8163

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8163

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8163

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8163

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8163

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8163

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8163

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8163

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8163

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8163

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8163

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8163

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8163

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8163

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8163

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8163

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8163

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8163

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8163

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8163

commit: e7346d8


coderabbitai bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: ba6f7153-05b5-4a2c-8444-ac097f632c6a

📥 Commits

Reviewing files that changed from the base of the PR and between 857823e and e7346d8.

📒 Files selected for processing (2)
  • packages/backend/src/__tests__/proxy.test.ts
  • packages/backend/src/proxy.ts

📝 Walkthrough

The PR modifies proxy request/response handling to improve RFC 7230 compliance and cache semantics. Changes include converting hop-by-hop header tracking to a Set and adding logic to parse dynamically-nominated headers from the Connection header. Error responses now include Cache-Control: no-store headers. Request body detection was changed from method-based checks to null checking against request.body. The fetch signal from incoming requests is now propagated upstream. Corresponding test coverage was added for these changes, including tests for DELETE with body, signal propagation, cache semantics, and dynamic hop-by-hop header handling.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title 'fix(backend): harden FAPI proxy resilience and spec compliance' accurately reflects the main changes: improving proxy resilience (abort signal propagation, error caching) and spec compliance (RFC 7230 hop-by-hop headers, request body handling).
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.



vercel bot commented Mar 25, 2026

The latest updates on your projects.

  • Project: clerk-js-sandbox. Deployment: Ready. Updated (UTC): Mar 25, 2026 5:10pm
