next-auth icon indicating copy to clipboard operation
next-auth copied to clipboard
verified publisher icon nextauthjs

pathname of `NEXTAUTH_URL` is ignored in when deployed to vercel

Open Naddiseo opened this issue 3 years ago • 1 comments

Environment

System: OS: Linux 5.13 Ubuntu 21.10 21.10 (Impish Indri) CPU: (16) x64 AMD Ryzen 7 2700 Eight-Core Processor Memory: 4.38 GB / 31.30 GB Container: Yes Shell: 5.1.8 - /bin/bash Browsers: Firefox: 99.0 npmPackages: next: 12.1.x => 12.1.6 next-auth: 4.3.x => 4.3.4 react: 17.0.x => 17.0.2

Reproduction URL

Describe the issue

We have NEXTAUTH_URL set to "https://ourdomain.com/api/v1/auth" with the modified pathname since we're versioning our api, and we're correctly setting basePath in <SessionProvider>. This is working in our development environment, however when deploying to Vercel, the "login with google" oauth path no longer works. I have tracked this down in next-auth:

  1. "providers" is populated in parseProviders, which gets a "url" in init()
  2. init is called in NextAuthHandler which uses req.host
  3. And req.host is provided in NextAuthNextHandler but is constructed via detectHost
  4. detecthost will return the "x-forwarded-host" header if it detects it's in vercel
  5. Back in the init parseUrl is called on the host
  6. Since parseUrl is passed the "x-forwarded-host" header instead of the url in NEXTAUTH_URL it cannot parse any custom set pathname, and the signinUrl and callbackUrl in the providers call become incorrect.

This seems to have been broken by https://github.com/nextauthjs/next-auth/pull/3649 . I think if the two approaches could be used together, that would be ideal:

  1. use the x-forward-host + the pathname from NEXTAUTH_URL
  2. Or, allow basePath to be set in the nextauth config like it is for SessionProvider

How to reproduce

  1. use a custom pathname in NEXTAUTH_URL, eg: http://custom.vercel.app/api/v1/auth
  2. have a login with google
  3. deploy to vercel
  4. try logging in

The call to the /providers url will return a signinUrl, and callbackUrl that don't have the "/v1/" part of the url and will default to "/api/auth"

Expected behavior

The redirect url provided to the signIn call should have the custom pathname from the NEXTAUTH_URL

Naddiseo avatar May 05 '22 03:05 Naddiseo

We can confirm this is an issue for us as well, in 4.3.33. We use NEXTAUTH_URL (and have since we started using next-auth over a year ago), and we need it to be prioritized, because the use of the domain assigned to the app on Vercel doesn't work for us, because our app is running behind a reverse proxy, so redirecting to the subdomain (as is mentioned and crossed out in #4431) assigned to the Vercel app is breaking Google OAuth functionality for us, because the redirect_uri is getting set incorrectly for us.

It appears that the changes made in #3649, which appear to have superceded the use of NEXTAUTH_URL seem to not be in alignment with the documentation for how to use/configure next-auth. We need for the use of NEXTAUTH_URL to continue to work when it's set.

ryexley avatar May 05 '22 17:05 ryexley

Not vercel. Localhost too: https://github.com/nextauthjs/next-auth/issues/6768

khteh avatar Feb 21 '23 06:02 khteh

This can be solved now, without breaking current deployments, see https://github.com/nextauthjs/next-auth/issues/6763#issuecomment-1455927840

balazsorban44 avatar Mar 06 '23 11:03 balazsorban44