fix: server action redirects use soft RSC navigation instead of hard reload (#654)

[yunus25jmi1]

Fixes #654

What changed

This PR fixes the RSC parity gap where server action redirects caused full page reloads instead of SPA-style soft navigation like Next.js does.

Server-side (app-rsc-entry.ts)

• When a server action calls redirect(), the server now pre-renders the redirect target's RSC payload
• For same-origin routes: builds and renders the redirect target page to an RSC stream
• For external URLs or unmatched routes: falls back to empty-body response (hard redirect)
• Graceful error handling: if pre-rendering fails, falls back to hard redirect instead of 500

Client-side (app-browser-entry.ts)

• Detects RSC payload via content-type header
• When payload present: parses RSC stream, updates React tree with startTransition, updates URL via history.pushState/replaceState
• Falls back to hard redirect for empty bodies or parse errors

Tests

• Added E2E test verifying soft RSC navigation (no page reload on redirect)
• All 11 server actions tests pass

Additional fix

• Fixed file-matcher.ts to use manual glob implementation for Node.js < 22.14 compatibility

Testing

• All server actions E2E tests pass (11/11)
• TypeScript type checks pass
• Build completes successfully

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/vinext@698

commit: 7a249da

[yunus25jmi1]

@southpolesteve @james-elicx review the PR.

[james-elicx]

You don't need to tag us to ask for a review - we'll take a look when we get a chance :)

[james-elicx]

/bigbonk review

[ask-bonk]

Thanks for working on this — the feature direction is right (pre-rendering the redirect target for soft RSC navigation is how Next.js does it). However, there are several correctness issues that need to be fixed before this can be merged.

Critical bugs

1. Duplicate Set-Cookie headers — cookies are appended to redirectHeaders at lines 1896-1899, then the same cookies are appended again to the redirectResponse at lines 1946-1951. Since redirectResponse was constructed with redirectHeaders (which already contain the cookies), every cookie will appear twice in the response. This will cause duplicate cookie writes on the client.

2. Missing setNavigationContext(null) cleanup — the navigation context is set for the redirect target at line 1915 but never cleaned up. If pre-rendering fails (catch block at 1956) or the fallback path is taken, the navigation context is left pointing at the redirect target instead of being reset. The original code calls setNavigationContext(null) at line 1888 and the new code overwrites it at 1915 without restoring it on failure.

3. Client-side setNavigationContext / setClientParams not called — when navigateRsc() does a normal soft navigation (lines 285-298 in app-browser-entry.ts), it calls setClientParams() to update the client-side navigation shims. The new soft-redirect code path (lines 155-190) skips this entirely. After a server action redirect, usePathname(), useSearchParams(), and useParams() will return stale values from the previous page, not the redirect target.

Significant concerns

4. Middleware is bypassed for the redirect target — the pre-render calls matchRoute() + buildPageElement() directly, skipping the entire middleware pipeline. If a user's middleware sets auth headers, rewrites the path, or injects cookies for the target route, none of that will happen. Next.js does run middleware for the redirect target. This is a correctness gap that should at minimum be documented as a known limitation.

5. file-matcher.ts rewrite is unrelated and risky — replacing node:fs/promises glob() with a hand-rolled recursive readdir implementation is a large behavioral change bundled into a feature PR. The original code used Node's built-in glob() (which handles brace expansion, **, and edge cases correctly). The replacement has subtle issues:

   • The exclude callback receives entry.name (just the filename), but the original glob API's function-form exclude receives the full relative path. Callers pass (name) => name === "api" which happens to work for directory names but would break for file-name exclusions at nested paths.
   • Non-glob stems (e.g., a literal path like pages/index) go through a convoluted matching path with relativeBase that may not match correctly when stem contains path separators.
   • The isGlob check only looks for * and **, missing ?, [...], and {...} patterns that buildExtensionGlob generates.
   • There are no new tests for scanWithExtensions despite rewriting its internals completely.

   This should either be a separate PR with dedicated tests, or the Node.js version requirement should be documented instead.

Minor issues

6. Test is in the wrong describe block — the new soft-navigation test is inside test.describe("useActionState") but it tests basic server action redirect behavior, not useActionState. It belongs in the "Server Actions" describe block.

7. content-type detection is fragile — the client checks contentType.includes("text/x-component") to decide if there's an RSC payload, but the fallback path also sends Content-Type: text/x-component (set in redirectHeaders) with a null body. The check works because of the && fetchResponse.body guard, but new Response(null) can still have a non-null .body in some environments. A more robust signal (e.g., a dedicated header like x-action-rsc-prerender: 1) would be safer.

[ask-bonk]

Bug: duplicate Set-Cookie headers. redirectHeaders already has the cookies appended at lines 1896-1899 above. Since redirectResponse was constructed from redirectHeaders, appending again here doubles every cookie.

This entire block should be removed:

Suggested change

	// Append cookies to the response
	if (actionPendingCookies.length > 0 || actionDraftCookie) {
	for (const cookie of actionPendingCookies) {
	redirectResponse.headers.append("Set-Cookie", cookie);
	}
	if (actionDraftCookie) redirectResponse.headers.append("Set-Cookie", actionDraftCookie);
	}

[ask-bonk]

Bug: navigation context is not cleaned up on failure. If the try block throws after this point, setNavigationContext is left pointing at the redirect target. The catch block at line 1956 doesn't reset it.

This should be wrapped in a try/finally, or the catch block should call setNavigationContext(null).

[ask-bonk]

Bug: client-side navigation context is not updated. After soft-navigating to the redirect target, usePathname(), useSearchParams(), and useParams() will return stale values from the previous page.

Compare with the navigateRsc function (lines 285-294) which calls setClientParams() after navigation. This code path needs equivalent updates:

// After startTransition + history update:
setNavigationContext({
  pathname: new URL(actionRedirect, window.location.origin).pathname,
  searchParams: new URL(actionRedirect, window.location.origin).searchParams,
  params: {}, // or parse from X-Vinext-Params header
});

[ask-bonk]

This is a complete rewrite of scanWithExtensions from a 6-line glob() wrapper to a 70-line hand-rolled recursive directory walker. This is unrelated to the server action redirect feature and should be in a separate PR with dedicated unit tests.

The original used Node's built-in glob() which correctly handles brace expansion, ** recursion, and other edge cases. The replacement has several issues:

• exclude receives entry.name (bare filename) instead of the relative path that glob's function-form exclude receives
• isGlob only checks for */**, missing ?, [...], {...} which buildExtensionGlob generates
• No tests were added for the new implementation

If the goal is Node < 22.14 compatibility, that's worth doing — but as a focused, well-tested change.

[ask-bonk]

Nit: this test is inside test.describe("useActionState") but it doesn't test useActionState. It should be in the "Server Actions" describe block above (after line 122).

[ask-bonk]

The content-type check is fragile: the fallback Response(null) path also sends Content-Type: text/x-component because it uses the same redirectHeaders. The && fetchResponse.body guard saves you today, but new Response(null).body is non-null in some environments (it's an empty ReadableStream).

Consider adding an explicit signal header on the server side (e.g., x-action-rsc-prerender: 1) to distinguish pre-rendered responses from empty fallbacks, rather than relying on content-type + body presence.

[ask-bonk]

Review posted. Here's a summary of the findings:

3 critical bugs:

1. Duplicate Set-Cookie headers — cookies are appended to redirectHeaders and then appended again to the redirectResponse (which was constructed from those same headers), doubling every cookie in the response.
2. Missing setNavigationContext(null) cleanup — if pre-rendering fails, the navigation context is left pointing at the redirect target instead of being reset.
3. Client-side navigation context not updated — after soft navigation, usePathname(), useSearchParams(), and useParams() will return stale values because setNavigationContext/setClientParams are never called on the client side for this code path.

2 significant concerns:
4. Middleware is completely bypassed for the redirect target (pre-render calls matchRoute + buildPageElement directly).
5. The file-matcher.ts rewrite (replacing Node's glob() with a hand-rolled 70-line recursive walker) is unrelated to the feature, has no tests, and introduces subtle behavioral differences.

2 minor issues:
6. New test is in the wrong describe block (useActionState instead of Server Actions).
7. Content-type sniffing to detect RSC payload is fragile since the fallback also sends text/x-component.

github run

[yunus25jmi1]

Changes done.

[james-elicx]

/bigbonk review

[ask-bonk]

Thanks for working on this — the approach is correct (pre-rendering the redirect target for soft RSC navigation), and the update addresses several issues from the previous review (duplicate cookies in the fallback path are fixed, x-action-rsc-prerender header was added for robust detection, setNavigationContext cleanup in the catch block was added). However, there are still a few correctness issues and the file-matcher.ts rewrite remains bundled in.

Issues to fix

1. Action cookies are dropped on successful pre-render (bug)

actionPendingCookies (cookies set during the server action itself, e.g. cookies().set(...)) are collected at line 1889 but never appended to the response when the pre-render succeeds. Only redirectPendingCookies (cookies set during the pre-render of the redirect target) are appended. This means any Set-Cookie calls made in the action before redirect() are silently lost.

The fallback path correctly uses actionPendingCookies, but the success path at lines 1950-1956 only appends redirectPendingCookies.

2. X-Vinext-Params header missing from pre-rendered response

The pre-render response doesn't include the X-Vinext-Params header with the matched route params. On the client side (line 185), fetchResponse.headers.get("X-Vinext-Params") will always be null, so setClientParams({}) is called. This means useParams() will return {} after a soft redirect to any route with dynamic segments (e.g., redirecting to /posts/[slug] would lose the slug param).

Compare with buildAppPageRscResponse in server/app-page-response.ts:169-172 which sets this header.

3. file-matcher.ts rewrite should be a separate PR

The previous review flagged this and it still applies: replacing node:fs/promises glob() with a 70-line hand-rolled recursive walker is a significant behavioral change that is unrelated to the server action redirect feature. It has no tests, and the implementation has known gaps (only checks for */** in isGlob, missing ?/[...]/{...}). Even though the current callers only use **/*, **/page, and **/route patterns (so the gaps don't bite today), this should be a focused, separately-tested change.

4. notifyListeners() not called after pushState/replaceState

This is a minor correctness issue. The normal client-side navigation path in navigation.ts calls notifyListeners() after history.pushState/replaceState to trigger useSyncExternalStore re-renders for usePathname(), useSearchParams(), etc. The new soft-redirect code path skips this. In practice, render(result.root) replaces the entire React tree so components remount with correct values from window.location, but any persistent components (e.g. in a layout that survives the transition) won't be notified of the URL change.

[ask-bonk]

Bug: actionPendingCookies (cookies set by the server action before calling redirect()) are collected at line 1889 but never appended to this response. Only redirectPendingCookies (from the pre-render) are appended.

This means cookies like cookies().set('session', token) called before redirect('/dashboard') in a server action will be silently dropped.

Both sets of cookies need to be included:

Suggested change

	// Append cookies (collected after rendering, not duplicated)
	if (redirectPendingCookies.length > 0 || redirectDraftCookie) {
	for (const cookie of redirectPendingCookies) {
	redirectResponse.headers.append("Set-Cookie", cookie);
	}
	if (redirectDraftCookie) redirectResponse.headers.append("Set-Cookie", redirectDraftCookie);
	}
	if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
	for (const cookie of actionPendingCookies) {
	redirectResponse.headers.append("Set-Cookie", cookie);
	}
	if (actionDraftCookie) redirectResponse.headers.append("Set-Cookie", actionDraftCookie);
	for (const cookie of redirectPendingCookies) {
	redirectResponse.headers.append("Set-Cookie", cookie);
	}
	if (redirectDraftCookie) redirectResponse.headers.append("Set-Cookie", redirectDraftCookie);
	}

[ask-bonk]

Missing X-Vinext-Params header. The client-side code at app-browser-entry.ts:185 reads this header to call setClientParams(). Without it, useParams() will return {} after a soft redirect to a dynamic route.

Add the params header (same as buildAppPageRscResponse does):

Suggested change

	const redirectHeaders = {
	"Content-Type": "text/x-component; charset=utf-8",
	"Vary": "RSC, Accept",
	"x-action-redirect": actionRedirect.url,
	"x-action-redirect-type": actionRedirect.type,
	"x-action-redirect-status": String(actionRedirect.status),
	"x-action-rsc-prerender": "1",
	const redirectHeaders = {
	"Content-Type": "text/x-component; charset=utf-8",
	"Vary": "RSC, Accept",
	"x-action-redirect": actionRedirect.url,
	"x-action-redirect-type": actionRedirect.type,
	"x-action-redirect-status": String(actionRedirect.status),
	"x-action-rsc-prerender": "1",
	...(Object.keys(redirectParams).length > 0 ? { "X-Vinext-Params": encodeURIComponent(JSON.stringify(redirectParams)) } : {}),
	};

[ask-bonk]

After pushState/replaceState, the normal navigation path in navigation.ts:608 calls notifyListeners() to trigger useSyncExternalStore re-renders for usePathname(), useSearchParams(), and useParams(). This code path skips that notification.

In practice, render(result.root) replaces the entire tree so most components remount with correct values. But any persistent layout components that use these hooks won't re-render with updated values.

Consider importing and calling notifyListeners (it would need to be exported from navigation.ts), or dispatching a popstate event after the URL update.

[ask-bonk]

This is still an unrelated change bundled into a feature PR. The rewrite replaces a 6-line glob() wrapper with a 70-line hand-rolled recursive walker, with no new tests.

Additional issues beyond what the previous review noted:

• Always recurses into all subdirectories even for non-glob stems (e.g., a literal "page" stem would scan the entire tree instead of checking a single file)
• The relativeBase parameter passed to recursive calls is the relative path of the current directory, but for non-glob stems the matching logic at line 150 compares relativePath against relativeBase.${ext} — since relativeBase is the directory path and relativePath is the file path, this comparison is unlikely to match correctly for files in subdirectories

This doesn't affect the current callers (all use ** glob patterns), but it means the non-glob branch is dead/broken code.

Please move this to a separate PR with dedicated tests.

[ask-bonk]

The test looks good and validates the core behavior well. One note: this is inside the "Server Actions" describe block (which is correct — the previous review's concern about it being in useActionState was addressed by the fact that it's placed before line 150 where useActionState begins).

Consider adding a test case for redirecting to a dynamic route (e.g., /posts/[slug]) to verify that useParams() works correctly after soft redirect. That would catch the missing X-Vinext-Params issue.

[ask-bonk]

Nit: this setNavigationContext call is correct for the pre-render, but if buildPageElement or renderToReadableStream throws, the catch block at line 1961 resets it to null. However, if the renderToReadableStream call succeeds but the stream itself errors during lazy consumption (after the return redirectResponse), the navigation context will be left pointing at the redirect target for any subsequent requests in the same isolate.

This is the same pattern as the normal RSC render path (line 1995-1999), so it's not a regression — just worth noting as a pre-existing concern with streaming responses.

[ask-bonk]

Review posted on PR #698. Here's a summary of the findings:

2 bugs found:

1. Action cookies dropped on successful pre-render — actionPendingCookies (cookies set by the server action before redirect()) are collected but never appended to the response in the pre-render success path. Only redirectPendingCookies from the pre-render are included. This silently drops cookies like session tokens set before the redirect.

2. Missing X-Vinext-Params header — The pre-rendered response doesn't include the X-Vinext-Params header, so useParams() returns {} after a soft redirect to any dynamic route (e.g., /posts/[slug]).

2 other concerns:

3. file-matcher.ts rewrite still bundled — The previous review flagged this unrelated change (replacing glob() with a 70-line hand-rolled walker, no tests) and it should still be a separate PR.

4. notifyListeners() not called after pushState — Minor: persistent layout components using usePathname()/useSearchParams() won't re-render after soft redirect, though full-tree replacement mitigates this in most cases.

The PR also addressed several issues from the previous review: duplicate cookies in the fallback path were fixed, x-action-rsc-prerender header was added for robust detection, and setNavigationContext(null) cleanup in the catch block was added.

github run

[james-elicx]

/bigbonk review

[ask-bonk]

Thanks for the continued work on this. The approach is correct and the file-matcher.ts change was removed as requested — good. However, there are still two bugs that need fixing (one flagged in the previous review and still present, one new), plus a correctness concern.

Bugs

1. Action cookies dropped on successful pre-render (from previous review, still present)

actionPendingCookies — cookies set by the server action before calling redirect() (e.g. cookies().set('session', token)) — are collected at line 1889 but never appended to the response when pre-rendering succeeds. Only redirectPendingCookies (from rendering the target page) are included. This silently drops session cookies and similar state.

2. headersContext is null during pre-render

setHeadersContext(null) is called at line 1891, before the pre-render attempt starts. The redirect target page's server components may call headers() or cookies() during rendering. Worse, renderToReadableStream returns a lazily-consumed stream — async server components will read headersContext during stream consumption, well after it's been cleared.

Compare with the normal action re-render path (lines 2015-2019), which explicitly says: "Do NOT clear headers/navigation context here — the RSC stream is consumed lazily by the client, and async server components that run during consumption need the context to still be live." The redirect pre-render violates this same principle.

The fix is to either: (a) not clear headersContext before the pre-render, or (b) create a fresh headersContextFromRequest(request) for the redirect target rendering.

3. Missing X-Vinext-Params header (from previous review, still present)

The pre-rendered response doesn't include the X-Vinext-Params header. The client reads it at line 185 to call setClientParams(). Without it, useParams() returns {} after a soft redirect to any dynamic route.

Minor

4. notifyListeners() not called after URL update

The normal navigation path in navigation.ts:608 calls notifyListeners() after pushState/replaceState to trigger useSyncExternalStore re-renders. The soft-redirect path skips this. Persistent layout components using usePathname() or useSearchParams() won't re-render. Since notifyListeners isn't exported, you could dispatch a synthetic popstate event or export the function.

[ask-bonk]

Bug (from previous review, still present): actionPendingCookies are collected at line 1889 but never appended here. Only redirectPendingCookies are included. This drops cookies set by the action before redirect() was called (e.g., cookies().set('session', token)).

Both sets need to be included:

Suggested change

	}
	if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
	for (const cookie of actionPendingCookies) {
	redirectResponse.headers.append("Set-Cookie", cookie);
	}
	if (actionDraftCookie) redirectResponse.headers.append("Set-Cookie", actionDraftCookie);
	for (const cookie of redirectPendingCookies) {
	redirectResponse.headers.append("Set-Cookie", cookie);
	}
	if (redirectDraftCookie) redirectResponse.headers.append("Set-Cookie", redirectDraftCookie);
	}

[ask-bonk]

Bug: headersContext is cleared here, but the pre-render at lines 1915-1931 builds and renders the redirect target page. If any server component in that page calls headers() or cookies(), it will get null context.

Worse, renderToReadableStream returns a lazily-consumed stream. Async server components that run during stream consumption (after return redirectResponse) will also see null headersContext. Compare with the normal re-render path at lines 2015-2019, which explicitly documents: "Do NOT clear headers/navigation context here — the RSC stream is consumed lazily."

Don't clear headersContext before the pre-render. Either leave it alive (matching the normal action re-render path), or create a fresh context for the redirect target:

Suggested change

	setHeadersContext(null);
	setHeadersContext(headersContextFromRequest(request));
	setNavigationContext(null);

[ask-bonk]

Bug (from previous review, still present): missing X-Vinext-Params header. The client at app-browser-entry.ts:185 reads this to call setClientParams(). Without it, useParams() returns {} after soft redirect to a dynamic route (e.g., /posts/[slug]).

Compare with buildAppPageRscResponse at server/app-page-response.ts:169-172.

Suggested change

	"x-action-rsc-prerender": "1",
	const redirectHeaders = {
	"Content-Type": "text/x-component; charset=utf-8",
	"Vary": "RSC, Accept",
	"x-action-redirect": actionRedirect.url,
	"x-action-redirect-type": actionRedirect.type,
	"x-action-redirect-status": String(actionRedirect.status),
	"x-action-rsc-prerender": "1",
	...(Object.keys(redirectParams).length > 0 ? { "X-Vinext-Params": encodeURIComponent(JSON.stringify(redirectParams)) } : {}),
	};

[ask-bonk]

Minor: after pushState/replaceState, the normal navigation path in navigation.ts:608 calls notifyListeners() to trigger useSyncExternalStore re-renders for usePathname(), useSearchParams(), etc. This code path skips that.

In practice, render(result.root) replaces the tree so most components remount correctly. But persistent layout components that use these hooks won't re-render with the updated URL.

Since notifyListeners isn't currently exported, one option is to dispatch a synthetic popstate event after the URL update:

window.dispatchEvent(new PopStateEvent("popstate"));

(Though this would also trigger the popstate listener at line 326 which calls navigateRsc — so it needs care. Exporting notifyListeners from navigation.ts is probably cleaner.)

[ask-bonk]

Nit: this setNavigationContext(null) is redundant when falling through from the catch block, since line 1964 already resets it. Not harmful, but a bit confusing to read — it looks like it should be unreachable from that path.

[ask-bonk]

Review posted successfully. Here's a summary of what I found:

2 bugs (still present from previous review):

1. Action cookies dropped on successful pre-render — actionPendingCookies (cookies set by the action before redirect(), like session tokens) are collected but never appended to the pre-rendered response. Only redirectPendingCookies from the target page render are included.

2. Missing X-Vinext-Params header — The pre-rendered response doesn't include route params, so useParams() returns {} after soft redirect to dynamic routes.

1 new bug:

3. headersContext is null during pre-render — setHeadersContext(null) is called at line 1891 before the pre-render starts. If the redirect target page's server components call headers() or cookies(), they'll get null. This is especially problematic because renderToReadableStream returns a lazily-consumed stream — async server components run during stream consumption after the context is cleared. The normal re-render path explicitly documents not clearing context for this reason.

1 minor issue:

4. notifyListeners() not called — Persistent layout components using usePathname()/useSearchParams() won't re-render after soft redirect.

All issues have inline suggestions with code fixes.

github run