Relates to the web-support work in #237 / #362 — happy to move this there if you prefer, but it seemed distinct enough from the Origin/Authorization issue to deserve its own repro.
Steps to reproduce
Tested on Flutter 3.44.4 stable, clerk_flutter 0.0.16-beta, Chrome (headed and headless), against a development instance. To make web reachable at all we applied the accommodations below plus the allowed_origins escape hatch Clerk support suggested (exact web origin allowlisted on the instance via the Backend API), so all FAPI calls succeed.
- Build for web with: (a) a
PasskeyAuthenticator stub in index.html (without it, passkeys_web calls window.close() at startup), and (b) a localStorage-backed Persistor + no-op ClerkFileCache passed to ClerkAuthConfig (the default persistor's path_provider has no web implementation).
- Sign in through
ClerkAuthentication (email + password, plus the email-code second step). Works: session established, sessionToken() refreshes the ~60s JWT transparently, session restores across page reloads.
- Open the
ClerkUserButton panel and click Sign out.
Expected results
The session ends and the UI returns to the signed-out state (as on Android).
Actual results
Nothing happens — the click never takes effect. The panel stays open, no sign-out request is observed, and the session remains active (verified by continuing to call our backend with fresh session tokens, and by reloading the page and still being signed in). Reproduced in both headed Chrome (real user clicks) and a headless CDP harness. Curiously, force-dispatching pointer events at the button's semantics node did emit a POST /v1/client/sessions/<id>/..., but the client state and persisted session still survived.
Everything else we exercised on web works behind the allowlist workaround, so this appears to be a hit-testing/interaction issue specific to the ClerkUserButton overlay on web rather than an API-level failure.
Code sample
Code sample
ClerkAuth(
config: ClerkAuthConfig(
publishableKey: publishableKey,
supportsHardwareSecurityKeys: false,
persistor: LocalStoragePersistor(), // localStorage-backed clerk.Persistor
fileCache: NoopFileCache(), // Stream<File> is unimplementable on web
),
child: MaterialApp(
home: Scaffold(
body: ClerkErrorListener(
child: ClerkAuthBuilder(
signedInBuilder: (context, authState) => Row(
children: const [Text('Signed in'), ClerkUserButton()],
),
signedOutBuilder: (context, authState) =>
const Center(child: ClerkAuthentication()),
),
),
),
),
);
Logs / environment
clerk_flutter 0.0.16-beta / clerk_auth 0.0.16-beta
- Flutter 3.44.4 (stable), Dart 3.12.2
- Chrome 149, Linux
- Development instance with the exact web origin present in
allowed_origins
Relates to the web-support work in #237 / #362 — happy to move this there if you prefer, but it seemed distinct enough from the Origin/Authorization issue to deserve its own repro.
Steps to reproduce
Tested on Flutter 3.44.4 stable,
clerk_flutter0.0.16-beta, Chrome (headed and headless), against a development instance. To make web reachable at all we applied the accommodations below plus theallowed_originsescape hatch Clerk support suggested (exact web origin allowlisted on the instance via the Backend API), so all FAPI calls succeed.PasskeyAuthenticatorstub inindex.html(without it,passkeys_webcallswindow.close()at startup), and (b) alocalStorage-backedPersistor+ no-opClerkFileCachepassed toClerkAuthConfig(the default persistor'spath_providerhas no web implementation).ClerkAuthentication(email + password, plus the email-code second step). Works: session established,sessionToken()refreshes the ~60s JWT transparently, session restores across page reloads.ClerkUserButtonpanel and click Sign out.Expected results
The session ends and the UI returns to the signed-out state (as on Android).
Actual results
Nothing happens — the click never takes effect. The panel stays open, no sign-out request is observed, and the session remains active (verified by continuing to call our backend with fresh session tokens, and by reloading the page and still being signed in). Reproduced in both headed Chrome (real user clicks) and a headless CDP harness. Curiously, force-dispatching pointer events at the button's semantics node did emit a
POST /v1/client/sessions/<id>/..., but the client state and persisted session still survived.Everything else we exercised on web works behind the allowlist workaround, so this appears to be a hit-testing/interaction issue specific to the
ClerkUserButtonoverlay on web rather than an API-level failure.Code sample
Code sample
Logs / environment
clerk_flutter0.0.16-beta /clerk_auth0.0.16-betaallowed_origins