From 15bc603bb1ebeeb3382dad9daef07e595c0a92bc Mon Sep 17 00:00:00 2001
From: Koosha Owji
Date: Thu, 21 Aug 2025 15:04:08 +1000
Subject: [PATCH] Fix: prevent TypeError when callback state is missing; accept nullable state and throw OAuthException
---
 lib/KindeClientSDK.php | 6 +++---
 test/Sdk/KindeClientSDK.php | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/KindeClientSDK.php b/lib/KindeClientSDK.php
index d54a062..d6bad58 100644
--- a/lib/KindeClientSDK.php
+++ b/lib/KindeClientSDK.php
@@ -834,15 +834,15 @@ private function getProtocol()
 /**
 * Checks the authentication state against the provided state from the server.
 *
- * @param string $stateServer The state received from the server.
+ * @param string|null $stateServer The state received from the server, or null if missing.
 *
 * @throws OAuthException If the authentication state is empty or does not match the provided state.
 */
- private function checkStateAuthentication(string $stateServer)
+ private function checkStateAuthentication(?string $stateServer)
 {
 $storageOAuthState = $this->storage->getState();
- if (empty($storageOAuthState) || $stateServer != $storageOAuthState) {
+ if (empty($stateServer) || empty($storageOAuthState) || $stateServer !== $storageOAuthState) {
 throw new OAuthException("Authentication failed because it tries to validate state");
 }
 }
diff --git a/test/Sdk/KindeClientSDK.php b/test/Sdk/KindeClientSDK.php
index c331c25..e0f4fb4 100644
--- a/test/Sdk/KindeClientSDK.php
+++ b/test/Sdk/KindeClientSDK.php
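Review bot: The new `if` line compares the OAuth `state` with `!==`, which is not timing-safe, and gates on `empty()`, which also treats the string `'0'` as missing; since the state is the callback's CSRF token, it should be compared with `hash_equals()` after explicit null/empty-string checks. The condition could read `if ($stateServer === null || $stateServer === '' || !is_string($storageOAuthState) || $storageOAuthState === '' || !hash_equals($storageOAuthState, $stateServer)) {` — `hash_equals()` requires both arguments to be strings, which is why the stored value is checked with `is_string()` rather than `empty()` (the return type of `getState()` is not visible here). If the caller does not clear the stored state after a successful check (outside this hunk), the same value would remain accepted on a later callback; consider consuming it once validated. The same condition is duplicated in the test double at test/Sdk/KindeClientSDK.php (second hunk).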
@@ -506,11 +506,11 @@ private function getProtocol()
 return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http";
 }
- private function checkStateAuthentication(string $stateServer)
+ private function checkStateAuthentication(?string $stateServer)
 {
 $storageOAuthState = $this->storage->getState();
- if (empty($storageOAuthState) || $stateServer != $storageOAuthState) {
+ if (empty($stateServer) || empty($storageOAuthState) || $stateServer !== $storageOAuthState) {
 throw new OAuthException("Authentication failed because it tries to validate state");
 }
 }
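Review bot: This hunk only mirrors the production signature and condition in a copy of `checkStateAuthentication` inside test/Sdk/KindeClientSDK.php; no test case asserting that a `null` or empty `$stateServer` now throws `OAuthException` rather than a `TypeError` is visible in the diff, so the behaviour named in the commit title is not covered. If the test class has no such case elsewhere, add one that drives the callback path with the state parameter absent and declares `$this->expectException(OAuthException::class);` before the call. A hand-maintained duplicate of the production method can also drift from the original silently; a comment such as `// Mirrors lib/KindeClientSDK.php::checkStateAuthentication — keep in sync` on the copy would make the coupling explicit.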