From 1edd78672e82702e3d9de73503134900f31c7567 Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Thu, 26 Feb 2026 14:26:54 +0100
Subject: [PATCH] fix: treat session-flow callback (no state) as valid when coming from auth hub

Made-with: Cursor
---
 app/auth/callback/page.tsx | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/app/auth/callback/page.tsx b/app/auth/callback/page.tsx
index 1e69707..2359b75 100644
--- a/app/auth/callback/page.tsx
+++ b/app/auth/callback/page.tsx
@@ -56,12 +56,15 @@ function AuthCallbackContent() {
     const storedState = localStorage.getItem('oauth_state')
     const codeVerifier = localStorage.getItem('oauth_code_verifier')
 
-    // * Full OAuth flow (app-initiated): validate state + use PKCE
-    // * Session-authorized flow (from auth hub): no stored state or verifier
-    const isFullOAuth = !!storedState && !!codeVerifier
-
-    if (isFullOAuth) {
-      if (state !== storedState) {
+    // * Session flow (from auth hub): redirect has code but no state. Clear stale PKCE
+    // * data from any previous app-initiated OAuth so exchange proceeds without validation.
+    if (!state) {
+      localStorage.removeItem('oauth_state')
+      localStorage.removeItem('oauth_code_verifier')
+    } else {
+      // * Full OAuth flow (app-initiated): validate state + use PKCE
+      const isFullOAuth = !!storedState && !!codeVerifier
+      if (isFullOAuth && state !== storedState) {
         logger.error('State mismatch', { received: state, stored: storedState })
         setError('Invalid state')
         return
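Review bot: The new `if (!state)` branch at the top of the hunk skips state validation and wipes `oauth_state`/`oauth_code_verifier` solely because the `state` query parameter is absent, and that absence is decided by whoever composed the callback URL, not by the auth hub; a callback carrying a `code` but no `state` that arrives while an app-initiated flow is pending now clears that flow's stored state and is exchanged without the check the old `state !== storedState` comparison applied to it. Nothing in the hunk ties the session-flow branch to the auth hub beyond the missing parameter, so the CSRF protection the stored state gave the app-initiated flow is weakened rather than preserved. Gate the branch on there being no pending app-initiated flow, `if (!state && !storedState) {`, so a stateless callback during a pending flow still falls into the `else` branch, where `isFullOAuth && state !== storedState` rejects it. Whether the session flow itself needs an equivalent binding that the app can verify is not answerable from this hunk; `AuthCallbackContent` continues beyond the hunk on both sides.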