Deployment issue with Route Handler

[ryanhay]

Environment

System:
OS: macOS 13.3.1
CPU: (10) arm64 Apple M1 Max
Memory: 16.40 GB / 64.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.15.0 - ~/Library/Caches/fnm_multishells/2264_1681008406169/bin/node
npm: 9.5.0 - ~/Library/Caches/fnm_multishells/2264_1681008406169/bin/npm
Browsers:
Brave Browser: 112.1.50.114
Chrome: 112.0.5615.49
Firefox Developer Edition: 112.0
Safari: 16.4

Reproduction URL

private repo

Describe the issue

When initialising NextAuth with the 'app dir' and the env variable AUTH_TRUST_HOST set the function detectHost always returns the default value 'http://localhost:3000'.

It seems the NextAuthRouteHandler uses the same method as the NextAuthApiHandler to get the host header.

Currently uses: req.headers["x-forwarded-host"] instead of req.headers.get('x-forwarded-host').

How to reproduce

Install 4.22 and initialise in the app dir with either AUTH_TRUST_HOST or VERCEL env vars set.

Expected behavior

When the env variable AUTH_TRUST_HOST is set the value of x-forwarded-host should be used instead of http://localhost:3000.

[bugplanter]

Possibly related to #7220

[hellodamien]

Yes, we have the same issue #7220

Maybe a fix can be : hellodamien@1870a38

[balazsorban44]

Thanks for the context #7220 (comment) @hellodamien! It actually points out something that might be a bug in Next.js. I'll investigate!

[balazsorban44]

I could identify this as an upstream Next.js bug, we will look into it there! I'll leave this open to be able to track the issue, but there is no code changes that would be needed in Auth.js once it's fixed in next

[balazsorban44]

Update, I pushed a temporary fix in next-auth@4.22.1 to unblock people or have to apply a workaround. We will follow the upstream releases and will handle changes internally, no change is needed on the user side.