Calculate NEXTAUTH_URL based on incoming request

[buehler]

Description 📓

Setting the NEXTAUTH_URL environment variable seems unnecessary in certain environments. For example, when running a next app on google cloud run, the URL of the application is only available after the first deployment. Therefore, to create preview deployments, one needs to deploy an application twice. First, without the URL env, and after the url is available, a second time with the NEXTAUTH url var set.

As I'm aware of, other frameworks like ASP.Net do calculate the current host based on the incoming request. Would it be possible to do the same for next auth as well?

The calculation of ASP.net even works with proxies since the framework does respect X-Forwarded-For headers.

Then, one could remove the need of this variable altogether or just use it to overwrite the calculation for good.

How to reproduce ☕️

Create a nextjs app with next auth (let's say a google login), and try to deploy it on google cloud run.

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

This is currently only supported when deploying to Vercel. We cannot blindly trust request headers. Vercel overrides the correct ones in their proxy so it's safe to rely on it. Other proxies might not do that so we have to be careful and let the user be intentional about trusting headers.

An environment variable or other methods are necessary.

Currently we detect if VERCEL exists and then trust the host.

See:
https://next-auth.js.org/deployment#vercel

next-auth/packages/next-auth/src/next/utils.ts

Lines 18 to 23 in 8b6d2e3

	export function detectHost(forwardedHost: any) {
	// If we detect a Vercel environment, we can trust the host
	if (process.env.VERCEL) return forwardedHost
	// If `NEXTAUTH_URL` is `undefined` we fall back to "http://localhost:3000"
	return process.env.NEXTAUTH_URL
	}

[buehler]

Why do you only trust the Vercel host? I'm curious because other frameworks do exactly that. It's the programmer's responsibility to configure trust settings.

As I mentioned, in ASP.Net, one can configure trusted proxies, trusted networks and trusted headers. Then, the app is able to inherit the redirect information without the need for an environment variable.

As a sidenote: if I understand your code snippet correctly, I could just set the vercel env var and then it would blindly trust the forwarded host, right?

[buehler]

anything? :-(

[DoodlesEpic]

Funnily enough the solution to the problem if you don't know the host in advance, or if it changes ports (for always on deployments for instance) is to just set VERCEL=1 in your environment variables. The code path @balazsorban44 has put here shows that it essentially just trusts the host if that environment variable is set, which is ridiculous. Either this is pure ignore/incompetence in which case I'm not sure I want to trust this library, or it is a way to make people feel nudged to deploy to Vercel, in which case I hope this gets changed soon. The cookies implementation already does not need to use the NEXTAUTH_URL envvar and they have a comment saying TODO: Remove this at the definition of that function, so hopefully it's just a bit of tech debt.

The worst part of it for me is that setting it to https://127.0.0.1:10000/api/auth/session also works, and that is the URL which is printed in the console by the library. Trusting localhost is truly useless, so again I hope this gets changed soon.

[balazsorban44]

Currently undocumented, but a non-Vercel specific variable is also possible now.

next-auth/packages/next-auth/src/utils/detect-host.ts

Line 4 in f12b527

if (process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)

at the time, I didn't want to hunt down other services' environment variables for this, but happy to add support for others out of the box in the new @auth/* framework libraries.

Happy to take suggestions on how we can make a good/secure default that requires no configuration from the user on popular services! Feel free to open a detailed feature request, and let's leave the derogatory language behind us. This is a community-driven, open source project! 💚

[DoodlesEpic]

Thank you very much for this, I'll use that envvar. Maybe add one for render.com which is basically the same as vercel but just RENDER instead of VERCEL.

Anyways I still think this should not be a feature. If setting an envvar to true just goes around it I don't really get the point of it, what kind of protection does it provide?

Anyways hopefully it will be possible to set NEXTAUTH_URL with the current URL (which is already printed to the console nonetheless).

I will look into providing some documentation improvements and feature requests right after Christmas.

Also, merry christmas for you and everyone at Vercel!

Cheers.