Fix NEXT_REDIRECT error when auth redirects occur in try/catch blocks

[Copilot]

Problem

The GraphQL client's onError callback is designed to detect BigCommerceAuthError and automatically redirect to the auth signout route to handle invalid sessions:

onError: (error, queryType) => {
  if (error instanceof BigCommerceAuthError && queryType === 'query') {
    redirect('/api/auth/signout');
  }
}

However, when GraphQL operations are wrapped in try/catch blocks (as they are in most server actions), the redirect() call throws a NEXT_REDIRECT error that gets caught by the catch block, preventing the redirect from completing.

This causes auth redirects to fail when users have invalid sessions, particularly in scenarios like:

• Adding items to cart after session invalidation
• Updating customer profile information
• Managing wishlists or addresses

Root Cause

According to Next.js documentation, redirect() throws an error and should be called outside try blocks. When the GraphQL client's onError callback triggers a redirect during a fetch operation inside a try block, the resulting NEXT_REDIRECT error is caught and handled as a regular error.

Solution

This PR implements the recommended Next.js solution using unstable_rethrow to properly handle Next.js control flow errors in catch blocks.

The fix directly imports and calls unstable_rethrow in each server action's catch block to ensure Next.js control flow errors (like NEXT_REDIRECT) are properly re-thrown:

import { unstable_rethrow } from 'next/navigation';

// Usage in server actions
} catch (error) {
  unstable_rethrow(error); // Re-throws NEXT_REDIRECT errors
  
  // Regular error handling continues...
  if (error instanceof BigCommerceGQLError) {
    // Handle GraphQL errors normally
  }
}

Files Modified

Updated 10 server action files that handle authenticated operations:

Cart Operations:

• core/app/[locale]/(default)/product/[slug]/_actions/add-to-cart.tsx
• core/app/[locale]/(default)/compare/_actions/add-to-cart.tsx
• core/app/[locale]/(default)/account/wishlists/[id]/_actions/add-to-cart.tsx
• core/app/[locale]/(default)/cart/_actions/update-line-item.ts

Account Management:

• core/app/[locale]/(default)/account/settings/_actions/update-customer.ts
• core/app/[locale]/(default)/account/settings/_actions/change-password.ts
• core/app/[locale]/(default)/account/addresses/_actions/create-address.ts

Wishlist Operations:

• core/app/[locale]/(default)/account/wishlists/_actions/new-wishlist.ts
• core/app/[locale]/(default)/account/wishlists/_actions/remove-wishlist-item.ts
• core/app/[locale]/(default)/product/[slug]/_actions/wishlist-action.ts

Impact

• ✅ Auth redirects now work properly even when GraphQL operations are in try/catch blocks
• ✅ Users with invalid sessions will be automatically redirected to sign out
• ✅ No breaking changes to existing error handling behavior
• ✅ All other error types continue to be caught and handled normally
• ✅ Simple, direct implementation without unnecessary abstractions
• ✅ Follows Next.js best practices for handling control flow errors

Fixes #2597

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
catalyst-b2b	Ready	Preview	Comment	Sep 11, 2025 1:13am
catalyst-canary	Ready	Preview	Comment	Sep 11, 2025 1:13am

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
catalyst	Ignored			Sep 11, 2025 1:13am
catalyst-au	Ignored			Sep 11, 2025 1:13am
catalyst-uk	Ignored			Sep 11, 2025 1:13am

[changeset-bot]

🦋 Changeset detected

Latest commit: c4c5aed

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@bigcommerce/catalyst-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[bookernath]

@copilot do you see an opportunity to de-duplicate this code in some common lib in the interest of DRY, or does it make more sense to keep these implementations distinct?

[Copilot]

@copilot do you see an opportunity to de-duplicate this code in some common lib in the interest of DRY, or does it make more sense to keep these implementations distinct?

Good point! I've refactored the code to use a common utility function.

Created ~/lib/handle-server-action-error.ts that encapsulates the unstable_rethrow(error) logic and updated all 10 server action files to use this utility instead of importing unstable_rethrow directly.

This approach provides the DRY benefits you mentioned while keeping the action-specific error handling logic (different return types, translations, etc.) distinct where it makes sense. The utility function also provides better documentation and centralized control over how we handle Next.js control flow errors.

Fixed in commit f5555ef.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• googlechromelabs.github.io
  • Triggering command: node install.mjs (dns block)
• https://storage.googleapis.com/chrome-for-testing-public/140.0.7339.82/linux64/chrome-linux64.zip
  • Triggering command: node install.mjs (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[chanceaclark]

@copilot can you just inline the unstable_rethrow instead of trying to be DRY. That is the wrong abstraction to make. Also, can you remove the package-lock.json file as we use PNPM for dependency management instead of NPM.

[bookernath]

@copilot I've updated your code to address @chanceaclark's feedback, please check my changes and rewrite the PR accordingly

[Copilot]

@copilot can you just inline the unstable_rethrow instead of trying to be DRY. That is the wrong abstraction to make. Also, can you remove the package-lock.json file as we use PNPM for dependency ...

I've updated the implementation to inline unstable_rethrow directly in each server action file instead of using the DRY abstraction, as requested. The package-lock.json file has also been removed since you use PNPM for dependency management. The changes are in commit b3cd637.

@copilot I've updated your code to address @chanceaclark's feedback, please check my changes and rewrite the PR accordingly

I've reviewed the changes you made to address @chanceaclark's feedback. The implementation looks correct - unstable_rethrow is now properly inlined in each server action file, the centralized utility has been removed, and there's no package-lock.json file. The changes successfully address the auth redirect issue while following the requested pattern. Thank you for implementing those improvements!

[alan-chen-aligent]

Hi @copilot and Catalyst team,

I’m working on a similar solution for my clients and came across this PR. From what I understand, the main reason we need to rethrow the error is to prevent the try/catch blocks from swallowing redirect() and surfacing the raw NEXT_REDIRECT error message when a mutation returns BigCommerceAuthError.

Currently, Catalyst automatically logs users out when a query responds with BigCommerceAuthError, thanks to:

onError: (error, queryType) => {
    if (error instanceof BigCommerceAuthError && queryType === 'query') {
      redirect('/api/auth/signout');
    }
  },

I believe we should apply the same behavior to mutations as well, which means removing && queryType === 'query' from the conditional.

If you aggree my above point, there’s an extra issue needs to be fixed: for certain mutations (e.g. DeleteCartLineItemMutation and UpdateCartLineItem), the redirect isn’t fully executed. Instead, the app gets stuck on a blank screen with the URL /api/auth/signout/.