Use host and proto headers to determine request origin if AUTH_URL is not set #12421
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
☕️ Reasoning
The v5 docs state that
AUTH_URL
"is mostly unnecessary with v5 as the host is inferred from the request headers," but this is only the case in some areas of@auth/core
, and theurl
of the request is often the fallback for determining URLs in the framework. But in the case that the app is running behind a reverse proxy or in a number of other networking setups, requests to@auth/core
fromnext-auth
won't have a relevant url (0.0.0.0
observed in our use case) and authentication will fail in a number of ways withoutAUTH_URL
set.This change checks request headers (if they're set) to determine the url to send to
@auth/core
, in the case thatAUTH_URL
orNEXTAUTH_URL
are not set. This properly cuts reliance onAUTH_URL
(in our use case) and also as a bonus enables multiple authentication urls to be used in a given system.Possibly this behavior should be behind some config if we want to make it opt in. If so I'm happy to add that.
🧢 Checklist
🎫 Affected issues
📌 Resources