fix(js): Handle native OAuth transfer callbacks

[wobsoriano]

Description

Resolves USER-5648

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

Summary by CodeRabbit

• Bug Fixes
  • Fixed native OAuth transport handling so combined sign-in/sign-up flows continue when a transfer callback reports specific “account not found/exists” conditions.
  • Improved error mapping for OAuth “access denied” messaging using the standardized error codes.
  • Updated and expanded automated tests to cover these OAuth callback scenarios and ensure the flow completes correctly.

[changeset-bot]

🦋 Changeset detected

Latest commit: f3e3a9b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 23 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/shared	Patch
@clerk/chrome-extension	Patch
@clerk/electron	Patch
@clerk/expo	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/headless	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/react	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch
@clerk/swingset	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 29, 2026 10:15pm
swingset	Ready	Preview, Comment	Jun 29, 2026 10:15pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 62426c4b-18d6-46b7-9b9f-c1a950eee28d

📥 Commits

Reviewing files that changed from the base of the PR and between 4df3d4e and aa61055.

📒 Files selected for processing (7)

• .changeset/native-oauth-transfer-signals.md
• packages/clerk-js/src/core/__tests__/clerk.test.ts
• packages/clerk-js/src/core/clerk.ts
• packages/clerk-js/src/core/resources/SignUp.ts
• packages/clerk-js/src/utils/__tests__/authenticateWithTransport.test.ts
• packages/clerk-js/src/utils/authenticateWithTransport.ts
• packages/shared/src/internal/clerk-js/constants.ts

✅ Files skipped from review due to trivial changes (1)

• .changeset/native-oauth-transfer-signals.md

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/clerk-js/src/utils/tests/authenticateWithTransport.test.ts
• packages/clerk-js/src/utils/authenticateWithTransport.ts

---

📝 Walkthrough

Walkthrough

A shared EXTERNAL_ACCOUNT_EXISTS error code is added and used across Clerk sign-up and redirect checks. Native OAuth callback failure handling now treats transfer-signal codes as non-failures, and tests plus a changeset document the behavior.

Changes

Native OAuth Transfer Signal Fix

Layer / File(s)	Summary
Shared error code and Clerk checks packages/shared/src/internal/clerk-js/constants.ts, packages/clerk-js/src/core/resources/SignUp.ts, packages/clerk-js/src/core/clerk.ts, packages/clerk-js/src/core/__tests__/clerk.test.ts	ERROR_CODES.EXTERNAL_ACCOUNT_EXISTS is added, and sign-up/redirect checks switch from the string literal to that constant. Related fixtures update mocked error codes to the shared value.
Native OAuth transfer signal bypass packages/clerk-js/src/utils/authenticateWithTransport.ts, packages/clerk-js/src/utils/__tests__/authenticateWithTransport.test.ts, .changeset/native-oauth-transfer-signals.md	getNativeOAuthCallbackFailure returns null for EXTERNAL_ACCOUNT_NOT_FOUND and EXTERNAL_ACCOUNT_EXISTS, native OAuth tests cover those transfer cases, and the changeset records the patch release note.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

• jeremy-clerk

Poem

🐇 A hop for codes both old and new,
The transfer path now slips right through.
No false alarm for accounts in sight,
Just callback magic, swift and light ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: native OAuth transfer callbacks are now handled correctly in clerk-js.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9037

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9037

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9037

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9037

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9037

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9037

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9037

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9037

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9037

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9037

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9037

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9037

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9037

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9037

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9037

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9037

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9037

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9037

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9037

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9037

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9037

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9037

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9037

commit: f3e3a9b

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-29T22:16:25.130Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	1
🔴 Breaking changes	0
🟡 Non-breaking changes	1
🟢 Additions	0

🤖 This report was reviewed by claude-sonnet-4-6.

---

@clerk/shared

Current version: 4.22.1
Recommended bump: MINOR → 4.23.0

Subpath ./internal/clerk-js/constants

🟡 Non-breaking Changes (1)

Modified: ERROR_CODES

// ... 9 unchanged lines elided ...
    readonly SAML_USER_ATTRIBUTE_MISSING: "saml_user_attribute_missing";
    readonly USER_LOCKED: "user_locked";
    readonly EXTERNAL_ACCOUNT_NOT_FOUND: "external_account_not_found";
+   readonly EXTERNAL_ACCOUNT_EXISTS: "external_account_exists";
    readonly SESSION_EXISTS: "session_exists";
    readonly SIGN_UP_MODE_RESTRICTED: "sign_up_mode_restricted";
    readonly SIGN_UP_MODE_RESTRICTED_WAITLIST: "sign_up_restricted_waitlist";
// ... 13 unchanged lines elided ...

Static analyzer: Breaking change in variable ERROR_CODES: Type changed: {readonly FORM_IDENTIFIER_NOT_FOUND:"form_identifier_not_found";readonly FORM_PASSWORD_INCORRECT:"form_password_incorre… → {readonly FORM_IDENTIFIER_NOT_FOUND:"form_identifier_not_found";readonly FORM_PASSWORD_INCORRECT:"form_password_incorre…

🤖 AI review (reclassified as non-breaking) (95%): A new readonly property EXTERNAL_ACCOUNT_EXISTS was added to the ERROR_CODES object; no existing properties were removed or changed. Consumers reading existing keys are unaffected, and since this is a readonly object (not a type consumers must implement or construct against), adding a new entry is purely additive.

---

Report generated by Break Check

_{Last ran on f3e3a9b.}

[jeremy-clerk]

👍