From 91bbddf62626193a0d673798bcb61cd8c2ea9a03 Mon Sep 17 00:00:00 2001
From: Brion <info@brionmario.com>
Date: Wed, 15 Oct 2025 02:45:03 +0530
Subject: [PATCH 1/3] fix: handle empty payload in sign-in action

---
 packages/nextjs/src/server/actions/signInAction.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/nextjs/src/server/actions/signInAction.ts b/packages/nextjs/src/server/actions/signInAction.ts
index 537dd6d25..69ba63533 100644
--- a/packages/nextjs/src/server/actions/signInAction.ts
+++ b/packages/nextjs/src/server/actions/signInAction.ts
@@ -20,12 +20,12 @@
 
 import {cookies} from 'next/headers';
 import {
-  CookieConfig,
   generateSessionId,
   EmbeddedSignInFlowStatus,
   EmbeddedSignInFlowHandleRequestPayload,
   EmbeddedFlowExecuteRequestConfig,
   EmbeddedSignInFlowInitiateResponse,
+  isEmpty,
 } from '@asgardeo/node';
 import AsgardeoNextClient from '../../AsgardeoNextClient';
 import SessionManager from '../../utils/SessionManager';
@@ -96,7 +96,7 @@ const signInAction = async (
     }
 
     // If no payload provided, redirect to sign-in URL for redirect-based sign-in.
-    if (!payload) {
+    if (!payload || isEmpty(payload)) {
       const defaultSignInUrl = await client.getAuthorizeRequestUrl({}, sessionId);
       return {success: true, data: {signInUrl: String(defaultSignInUrl)}};
     }

From 3146fb12bb8c41e17b2b7c277e0dbbd406c81fcc Mon Sep 17 00:00:00 2001
From: Brion <info@brionmario.com>
Date: Wed, 15 Oct 2025 02:48:26 +0530
Subject: [PATCH 2/3] fix: avoid race condition in oauth callback and route
 protection

---
 .../server/middleware/asgardeoMiddleware.ts   | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/packages/nextjs/src/server/middleware/asgardeoMiddleware.ts b/packages/nextjs/src/server/middleware/asgardeoMiddleware.ts
index da6d91fd2..c7d7a5c86 100644
--- a/packages/nextjs/src/server/middleware/asgardeoMiddleware.ts
+++ b/packages/nextjs/src/server/middleware/asgardeoMiddleware.ts
@@ -140,11 +140,43 @@ const asgardeoMiddleware = (
   return async (request: NextRequest): Promise<NextResponse> => {
     const resolvedOptions = typeof options === 'function' ? options(request) : options || {};
 
+    const url: URL = new URL(request.url);
+    const hasCallbackParams: boolean = url.searchParams.has('code') && url.searchParams.has('state');
+
+    let isValidOAuthCallback: boolean = false;
+    if (hasCallbackParams) {
+      // OAuth callbacks should not contain error parameters that indicate failed auth
+      const hasError: boolean = url.searchParams.has('error');
+
+      if (!hasError) {
+        // Validate that there's a temporary session that initiated this OAuth flow
+        const tempSessionToken: string | undefined = request.cookies.get(
+          SessionManager.getTempSessionCookieName(),
+        )?.value;
+        if (tempSessionToken) {
+          try {
+            // Verify the temporary session exists and is valid
+            await SessionManager.verifyTempSession(tempSessionToken);
+            isValidOAuthCallback = true;
+          } catch {
+            // Invalid temp session - this is not a legitimate OAuth callback
+            isValidOAuthCallback = false;
+          }
+        }
+      }
+    }
+
     const sessionId = await getSessionIdFromRequestMiddleware(request);
     const isAuthenticated = await hasValidSession(request);
 
     const asgardeo: AsgardeoMiddlewareContext = {
       protectRoute: async (options?: {redirect?: string}): Promise<NextResponse | void> => {
+        // Skip protection if this is a validated OAuth callback - let the callback handler process it first
+        // This prevents race conditions where middleware redirects before OAuth callback completes
+        if (isValidOAuthCallback) {
+          return;
+        }
+
         if (!isAuthenticated) {
           const referer = request.headers.get('referer');
           // TODO: Make this configurable or call the signIn() from here.

From 3b8724489132a850a74a82159bb144385bce10a3 Mon Sep 17 00:00:00 2001
From: Brion <info@brionmario.com>
Date: Wed, 15 Oct 2025 02:50:26 +0530
Subject: [PATCH 3/3] =?UTF-8?q?chore:=20add=20changeset=20=F0=9F=A6=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .changeset/afraid-pans-own.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changeset/afraid-pans-own.md

diff --git a/.changeset/afraid-pans-own.md b/.changeset/afraid-pans-own.md
new file mode 100644
index 000000000..59661adea
--- /dev/null
+++ b/.changeset/afraid-pans-own.md
@@ -0,0 +1,7 @@
+---
+'@asgardeo/nextjs': patch
+'@asgardeo/react': patch
+---
+
+- Avoid race condition in oauth callback and route protection
+- Handle empty payload in sign-in action