Environment
System:
OS: Linux 5.13 Ubuntu 21.10 21.10 (Impish Indri)
CPU: (16) x64 AMD Ryzen 7 2700 Eight-Core Processor
Memory: 4.38 GB / 31.30 GB
Container: Yes
Shell: 5.1.8 - /bin/bash
Browsers:
Firefox: 99.0
npmPackages:
next: 12.1.x => 12.1.6
next-auth: 4.3.x => 4.3.4
react: 17.0.x => 17.0.2
Reproduction URL
Describe the issue
We have NEXTAUTH_URL set to "https://ourdomain.com/api/v1/auth" with the modified pathname since we're versioning our api, and we're correctly setting basePath in <SessionProvider>. This is working in our development environment, however when deploying to Vercel, the "login with google" oauth path no longer works. I have tracked this down in next-auth:
- "providers" is populated in parseProviders, which gets a "url" in init()
- init is called in NextAuthHandler which uses req.host
- And req.host is provided in NextAuthNextHandler but is constructed via detectHost
- detecthost will return the "x-forwarded-host" header if it detects it's in vercel
- Back in the init parseUrl is called on the host
- Since parseUrl is passed the "x-forwarded-host" header instead of the url in NEXTAUTH_URL it cannot parse any custom set pathname, and the signinUrl and callbackUrl in the providers call become incorrect.
This seems to have been broken by #3649. I think if the two approaches could be used together, that would be ideal:
- use the x-forward-host + the pathname from NEXTAUTH_URL
- Or, allow basePath to be set in the nextauth config like it is for SessionProvider
How to reproduce
- use a custom pathname in NEXTAUTH_URL, eg: http://custom.vercel.app/api/v1/auth
- have a login with google
- deploy to vercel
- try logging in
The call to the /providers url will return a signinUrl, and callbackUrl that don't have the "/v1/" part of the url and will default to "/api/auth"
Expected behavior
The redirect url provided to the signIn call should have the custom pathname from the NEXTAUTH_URL
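The URL derivation described in this issue, and the first proposed fix, as an added example that is not part of the original report and is not next-auth's source. All function names are hypothetical; the `/signin/<id>` and `/callback/<id>` suffixes, the `https` scheme for the forwarded host and the host-format check are assumptions of this sketch.

```javascript
// Simplified model of the behaviour reported above (hypothetical names).
const DEFAULT_PATH = "/api/auth";

// Parse a full URL or a bare host into { origin, path }.
// A bare host carries no pathname, so the default path is substituted.
function parseBaseUrl(value) {
  const withScheme = /^https?:\/\//.test(value) ? value : `https://${value}`;
  const url = new URL(withScheme);
  const path = (url.pathname === "/" ? DEFAULT_PATH : url.pathname).replace(/\/$/, "");
  return { origin: url.origin, path };
}

// Reported behaviour: the forwarded host is parsed on its own, so the
// pathname configured in NEXTAUTH_URL is never consulted.
function baseFromForwardedHostOnly(headers, env) {
  const { origin, path } = parseBaseUrl(headers["x-forwarded-host"] ?? env.NEXTAUTH_URL);
  return origin + path;
}

// First proposal in the issue: host from the header, pathname from NEXTAUTH_URL.
function baseFromHostPlusConfiguredPath(headers, env) {
  const configured = parseBaseUrl(env.NEXTAUTH_URL);
  const host = headers["x-forwarded-host"];
  if (!host) return configured.origin + configured.path;
  // Accept only a bare host[:port]; the header must not smuggle a path or scheme
  // into URLs that end up as OAuth redirect targets.
  if (!/^[a-z0-9.-]+(:\d+)?$/i.test(host)) throw new Error("invalid forwarded host");
  return `https://${host}${configured.path}`;
}

// Assumed shape of the entries returned by the /providers endpoint.
function providerUrls(base, id) {
  return { signinUrl: `${base}/signin/${id}`, callbackUrl: `${base}/callback/${id}` };
}

// Constructed sample input mirroring the reproduction steps.
const sampleEnv = { NEXTAUTH_URL: "http://custom.vercel.app/api/v1/auth" };
const sampleHeaders = { "x-forwarded-host": "custom.vercel.app" };

console.log(providerUrls(baseFromForwardedHostOnly(sampleHeaders, sampleEnv), "google"));
console.log(providerUrls(baseFromHostPlusConfiguredPath(sampleHeaders, sampleEnv), "google"));
```
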