fix(backend): guard deleteOrganization against empty organization ID #9036

Merged: jacekradko merged 1 commit into main from jacek/fix-delete-org-require-id on Jun 30, 2026

Conversation

@jacekradko jacekradko commented Jun 29, 2026

Member

`OrganizationAPI.deleteOrganization()` was the lone ID-based method on that client without a `requireId()` guard. Since `joinPaths()` filters out falsy segments, `deleteOrganization('')` quietly built `/organizations` and fired a DELETE at the collection route instead of throwing locally. This adds the guard so an empty ID fails fast with `A valid resource ID is required.`, matching every sibling method.

Pre-existing on main (spotted by CodeRabbit on #8853); pulling it out as its own one-liner rather than folding a behavior change into that docs-only PR. The added test confirms the empty-ID call now rejects locally (it fails without the guard).

Summary by CodeRabbit

  • Bug Fixes

    • Organization deletion now validates that an organization ID is provided before sending the request.
    • If an empty ID is used, the app now returns a clear error message instead of attempting the action.
  • Tests

    • Added coverage for the new validation behavior to ensure the error is shown as expected.
  • Chores

    • Updated the release notes entry to document the behavior change.

deleteOrganization() was the only ID-based method on OrganizationAPI
without a requireId() guard. Because joinPaths() drops falsy segments,
deleteOrganization('') built the path /organizations and issued a DELETE
to the collection route instead of failing fast locally. Add the guard so
an empty ID throws 'A valid resource ID is required.' like its siblings.
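
The failure mode described in the PR description and commit message above, as an added TypeScript sketch that is not code from this PR or from `@clerk/backend`: `joinPaths`, `requireId` and the two `deleteOrganization*` functions are simplified stand-ins that return the request they would send instead of sending it, and `org_123` is a constructed ID.

```typescript
// Added illustration with simplified stand-ins; not the @clerk/backend source.
type PlannedRequest = { method: 'DELETE'; path: string };

// Stand-in for the joinPaths() behaviour the PR describes: falsy segments are dropped.
function joinPaths(...segments: Array<string | undefined | null>): string {
  return segments
    .filter((s): s is string => Boolean(s))
    .join('/')
    .replace(/\/{2,}/g, '/');
}

// Stand-in for the requireId() guard; the message is the one quoted in the PR.
function requireId(id: unknown): void {
  if (!id) {
    throw new Error('A valid resource ID is required.');
  }
}

const basePath = '/organizations';

// Before the fix: the path is built from whatever ID arrives.
function deleteOrganizationUnguarded(organizationId: string): PlannedRequest {
  return { method: 'DELETE', path: joinPaths(basePath, organizationId) };
}

// After the fix: validate first, so no request is built for an empty ID.
function deleteOrganizationGuarded(organizationId: string): PlannedRequest {
  requireId(organizationId);
  return { method: 'DELETE', path: joinPaths(basePath, organizationId) };
}

// Returns the path a call would target, or the local error message if it throws.
function outcome(fn: (id: string) => PlannedRequest, id: string): string {
  try {
    return fn(id).path;
  } catch (err) {
    return `threw: ${(err as Error).message}`;
  }
}

// Constructed inputs: a normal ID, an empty string, and a runtime undefined
// (for example a missing route parameter passed through an untyped caller).
const sampleIds = ['org_123', '', undefined as unknown as string];
for (const id of sampleIds) {
  console.log(JSON.stringify(id), '| unguarded:', outcome(deleteOrganizationUnguarded, id),
    '| guarded:', outcome(deleteOrganizationGuarded, id));
}
```

In the stand-in, both the empty string and a runtime `undefined` collapse to the collection path when unguarded, which is why the check has to run before the path is built.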

vercel Bot commented Jun 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| clerk-js-sandbox | Ready | Preview, Comment | Jun 29, 2026 9:19pm |
| swingset | Ready | Preview, Comment | Jun 29, 2026 9:19pm |

changeset-bot Bot commented Jun 29, 2026

🦋 Changeset detected

Latest commit: cd53787

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
| Name | Type |
| --- | --- |
| @clerk/backend | Patch |
| @clerk/astro | Patch |
| @clerk/express | Patch |
| @clerk/fastify | Patch |
| @clerk/hono | Patch |
| @clerk/nextjs | Patch |
| @clerk/nuxt | Patch |
| @clerk/react-router | Patch |
| @clerk/tanstack-react-start | Patch |
| @clerk/testing | Patch |

coderabbitai Bot commented Jun 29, 2026

Contributor

Walkthrough

deleteOrganization in OrganizationAPI now calls this.requireId(organizationId) before issuing the DELETE request. A test verifies rejection on empty ID, and a patch changeset documents the new validation behavior.

Changes

deleteOrganization ID validation

| Layer / File(s) | Summary |
| --- | --- |
| Validation, test, and changeset: packages/backend/src/api/endpoints/OrganizationApi.ts, packages/backend/src/api/__tests__/OrganizationApi.test.ts, .changeset/delete-organization-require-id.md | deleteOrganization calls requireId before DELETE; test asserts the method rejects with `A valid resource ID is required.` on empty input; changeset records the patch. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • wobsoriano

Poem

🐇 A blank org ID? No DELETE shall pass!
The rabbit says "requireId" first-class.
Empty strings beware, we check before we go,
Throwing errors swift before any request flows.
Hop hop, validation's the way to grow! 🌱

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly describes the main change: adding a guard for empty organization IDs in deleteOrganization. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

pkg-pr-new Bot commented Jun 29, 2026

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9036

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9036

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9036

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9036

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9036

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9036

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9036

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9036

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9036

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9036

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9036

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9036

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9036

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9036

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9036

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9036

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9036

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9036

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9036

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9036

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9036

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9036

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9036

commit: cd53787

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
packages/backend/src/api/endpoints/OrganizationApi.ts (1)

363-365: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Document the new fail-fast behavior on this public API.

deleteOrganization() now throws locally for empty IDs, but that contract still isn’t reflected in JSDoc on this reference-facing method. Please document the validation/throw behavior here, and loop in Docs if this surface is rendered in generated reference docs.

As per coding guidelines, "All public APIs must be documented with JSDoc"; as per path instructions, "If a PR adds or changes public/reference-facing API surface area, check whether the corresponding JSDoc is present, accurate, and aligned with the implementation" and "leave a review note reminding the contributor that the Docs team may need to review the change."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/api/endpoints/OrganizationApi.ts` around lines 363 -
365, The public OrganizationApi.deleteOrganization method now fail-fasts on
empty IDs via requireId(organizationId), but its JSDoc does not document this
validation or thrown behavior. Update the JSDoc on deleteOrganization to
describe the required non-empty organizationId and that it throws locally when
the ID is missing/invalid, and note that the Docs team should review this
reference-facing API if it is included in generated docs.

Sources: Coding guidelines, Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/backend/src/api/endpoints/OrganizationApi.ts`:
- Around line 363-365: The public OrganizationApi.deleteOrganization method now
fail-fasts on empty IDs via requireId(organizationId), but its JSDoc does not
document this validation or thrown behavior. Update the JSDoc on
deleteOrganization to describe the required non-empty organizationId and that it
throws locally when the ID is missing/invalid, and note that the Docs team
should review this reference-facing API if it is included in generated docs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: fb335c10-7f8d-496c-9149-d56fad063b44

📥 Commits

Reviewing files that changed from the base of the PR and between b9edd48 and cd53787.

📒 Files selected for processing (3)
  • .changeset/delete-organization-require-id.md
  • packages/backend/src/api/__tests__/OrganizationApi.test.ts
  • packages/backend/src/api/endpoints/OrganizationApi.ts

@github-actions

Contributor

API Changes Report

Generated by Break Check on 2026-06-29T21:20:53.671Z

Summary

| Metric | Count |
| --- | --- |
| Packages analyzed | 19 |
| Packages with changes | 0 |
| 🔴 Breaking changes | 0 |
| 🟡 Non-breaking changes | 0 |
| 🟢 Additions | 0 |

No API Changes Detected

All packages have stable APIs with no detected changes.


Last ran on cd53787.

@wobsoriano wobsoriano left a comment

Member

nice catch

@jacekradko jacekradko merged commit 2914c2c into main Jun 30, 2026
53 checks passed
@jacekradko jacekradko deleted the jacek/fix-delete-org-require-id branch June 30, 2026 00:21