From fa2e094f5e716ee59f21f9b9329cc62683f2fc44 Mon Sep 17 00:00:00 2001
From: ChrisCanin <chris@clerk.dev>
Date: Wed, 20 May 2026 16:35:27 -0700
Subject: [PATCH] fix(expo): Fix expo-auth-session import leak and env var
 detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`ClerkProvider` previously called `require('expo-web-browser')` synchronously
inside an `isWeb()` runtime gate. Metro's static analyzer resolves literal-string
`require()` calls regardless of runtime gates or try/catch, so production
bundling failed for native consumers who don't install `expo-web-browser` (an
optional peer dependency).

Splits the web-only `maybeCompleteAuthSession()` call into a platform-specific
helper. Metro/Expo's platform resolver picks `maybeCompleteAuthSession.web.ts`
for web bundles and the no-op `maybeCompleteAuthSession.ts` for native — so
native dist no longer references `expo-web-browser`.

Behavior is unchanged at runtime on both platforms; the fix is purely at bundle
time.

The "env var detection" half of MOBILE-402 was already resolved in #7655
(publishableKey made a required prop, env-var fallback removed). No further
change needed there.

MOBILE-402
---
 .../expo_avoid_web_browser_static_require.md   |  7 +++++++
 packages/expo/src/provider/ClerkProvider.tsx   | 17 ++++++-----------
 .../src/provider/maybeCompleteAuthSession.ts   |  9 +++++++++
 .../provider/maybeCompleteAuthSession.web.ts   | 18 ++++++++++++++++++
 4 files changed, 40 insertions(+), 11 deletions(-)
 create mode 100644 .changeset/expo_avoid_web_browser_static_require.md
 create mode 100644 packages/expo/src/provider/maybeCompleteAuthSession.ts
 create mode 100644 packages/expo/src/provider/maybeCompleteAuthSession.web.ts

diff --git a/.changeset/expo_avoid_web_browser_static_require.md b/.changeset/expo_avoid_web_browser_static_require.md
new file mode 100644
index 00000000000..4b8fb1125e3
--- /dev/null
+++ b/.changeset/expo_avoid_web_browser_static_require.md
@@ -0,0 +1,7 @@
+---
+'@clerk/clerk-expo': patch
+---
+
+Stop statically resolving `expo-web-browser` in native bundles. `ClerkProvider` previously called `require('expo-web-browser')` synchronously inside an `isWeb()` runtime gate, but Metro's static analyzer resolved the literal-string require regardless of the gate, causing production bundling to fail for native consumers who don't install `expo-web-browser` (an optional peer dependency).
+
+The web-only call to `WebBrowser.maybeCompleteAuthSession()` has been moved into a platform-split helper (`maybeCompleteAuthSession.web.ts` for web, no-op `maybeCompleteAuthSession.ts` for native). Behavior on web is unchanged; native bundles no longer reference `expo-web-browser`.
diff --git a/packages/expo/src/provider/ClerkProvider.tsx b/packages/expo/src/provider/ClerkProvider.tsx
index d096cea4724..3c683be6c26 100644
--- a/packages/expo/src/provider/ClerkProvider.tsx
+++ b/packages/expo/src/provider/ClerkProvider.tsx
@@ -12,6 +12,7 @@ import { useNativeAuthEvents } from '../hooks/useNativeAuthEvents';
 import NativeClerkModule from '../specs/NativeClerkModule';
 import { tokenCache as defaultTokenCache } from '../token-cache';
 import { isNative, isWeb } from '../utils/runtime';
+import { maybeCompleteAuthSession } from './maybeCompleteAuthSession';
 import { getClerkInstance } from './singleton';
 import type { BuildClerkOptions } from './singleton/types';
 
@@ -371,18 +372,12 @@ export function ClerkProvider<TUi extends Ui = Ui>(props: ClerkProviderProps<TUi
     void syncNativeAuthToJs();
   }, [nativeAuthState, clerkInstance]);
 
+  // Needed for `useOAuth` / `useSSO` to work correctly on web — must stay synchronous during render
+  // so the redirect URL is caught before children mount. Resolves to a no-op on native via the
+  // sibling `maybeCompleteAuthSession.ts`, which keeps Metro from statically bundling
+  // `expo-web-browser` (an optional peer) for native consumers.
   if (isWeb()) {
-    // This is needed in order for useOAuth to work correctly on web.
-    // Must stay synchronous during render to catch the redirect URL before children mount.
-    try {
-      // eslint-disable-next-line @typescript-eslint/no-require-imports
-      const WebBrowser = require('expo-web-browser');
-      WebBrowser.maybeCompleteAuthSession();
-    } catch (e) {
-      if (__DEV__) {
-        console.warn('[ClerkProvider] expo-web-browser not available, OAuth/SSO on web will not work:', e);
-      }
-    }
+    maybeCompleteAuthSession();
   }
 
   return (
diff --git a/packages/expo/src/provider/maybeCompleteAuthSession.ts b/packages/expo/src/provider/maybeCompleteAuthSession.ts
new file mode 100644
index 00000000000..e32907806ab
--- /dev/null
+++ b/packages/expo/src/provider/maybeCompleteAuthSession.ts
@@ -0,0 +1,9 @@
+/**
+ * Native no-op. The web bundle resolves `maybeCompleteAuthSession.web.ts` instead.
+ *
+ * `expo-web-browser` is declared as an optional peer dependency of `@clerk/expo` because
+ * it is only required for OAuth/SSO flows. Importing it synchronously here would cause
+ * Metro to statically resolve `expo-web-browser` during native bundling — failing the
+ * build for consumers who do not install it.
+ */
+export function maybeCompleteAuthSession(): void {}
diff --git a/packages/expo/src/provider/maybeCompleteAuthSession.web.ts b/packages/expo/src/provider/maybeCompleteAuthSession.web.ts
new file mode 100644
index 00000000000..c09b3dfae79
--- /dev/null
+++ b/packages/expo/src/provider/maybeCompleteAuthSession.web.ts
@@ -0,0 +1,18 @@
+/**
+ * Web-only implementation. Resolved by Metro / the bundler in place of
+ * `maybeCompleteAuthSession.ts` when targeting `web`.
+ *
+ * Must stay synchronous during render so the OAuth/SSO redirect URL is caught
+ * before children mount.
+ */
+export function maybeCompleteAuthSession(): void {
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const WebBrowser = require('expo-web-browser');
+    WebBrowser.maybeCompleteAuthSession();
+  } catch (e) {
+    if (__DEV__) {
+      console.warn('[ClerkProvider] expo-web-browser not available, OAuth/SSO on web will not work:', e);
+    }
+  }
+}