fix: respect protocol too, when host is trusted (#7214)

* fix: respect protocol too when host is trusted * simplify
nextauthjs · Apr 12, 2023 · 6edb6dd · 6edb6dd · vercel · Apr 12, 2023
1 parent 0711d32
commit 6edb6dd
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 17 deletions.
diff --git a/packages/next-auth/src/core/index.ts b/packages/next-auth/src/core/index.ts
@@ -1,5 +1,5 @@
 import logger, { setLogger } from "../utils/logger"
-import { detectHost } from "../utils/detect-host"
+import { detectOrigin } from "../utils/detect-origin"
 import * as routes from "./routes"
 import renderPage from "./pages"
 import { init } from "./init"
@@ -13,7 +13,7 @@ import { parse as parseCookie } from "cookie"
 
 export interface RequestInternal {
   /** @default "http://localhost:3000" */
-  host?: string
+  origin?: string
   method?: string
   cookies?: Partial<Record<string, string>>
   headers?: Record<string, any>
@@ -70,7 +70,10 @@ async function toInternalRequest(
       cookies: parseCookie(req.headers.get("cookie") ?? ""),
       providerId: nextauth[1],
       error: url.searchParams.get("error") ?? nextauth[1],
-      host: detectHost(headers["x-forwarded-host"] ?? headers.host),
+      origin: detectOrigin(
+        headers["x-forwarded-host"] ?? headers.host,
+        headers["x-forwarded-proto"]
+      ),
       query,
     }
   }
@@ -132,7 +135,7 @@ export async function AuthHandler<
     authOptions,
     action,
     providerId,
-    host: req.host,
+    origin: req.origin,
     callbackUrl: req.body?.callbackUrl ?? req.query?.callbackUrl,
     csrfToken: req.body?.csrfToken,
     cookies: req.cookies,

diff --git a/packages/next-auth/src/core/init.ts b/packages/next-auth/src/core/init.ts
@@ -15,7 +15,7 @@ import type { InternalOptions } from "./types"
 import parseUrl from "../utils/parse-url"
 
 interface InitParams {
-  host?: string
+  origin?: string
   authOptions: AuthOptions
   providerId?: string
   action: InternalOptions["action"]
@@ -33,7 +33,7 @@ export async function init({
   authOptions,
   providerId,
   action,
-  host,
+  origin,
   cookies: reqCookies,
   callbackUrl: reqCallbackUrl,
   csrfToken: reqCsrfToken,
@@ -42,7 +42,7 @@ export async function init({
   options: InternalOptions
   cookies: cookie.Cookie[]
 }> {
-  const url = parseUrl(host)
+  const url = parseUrl(origin)
 
   const secret = createSecret({ authOptions, url })
 

diff --git a/packages/next-auth/src/core/lib/assert.ts b/packages/next-auth/src/core/lib/assert.ts
@@ -48,7 +48,7 @@ export function assertConfig(params: {
   const warnings: WarningCode[] = []
 
   if (!warned) {
-    if (!req.host) warnings.push("NEXTAUTH_URL")
+    if (!req.origin) warnings.push("NEXTAUTH_URL")
 
     // TODO: Make this throw an error in next major. This will also get rid of `NODE_ENV`
     if (!options.secret && process.env.NODE_ENV !== "production")
@@ -70,7 +70,7 @@ export function assertConfig(params: {
 
   const callbackUrlParam = req.query?.callbackUrl as string | undefined
 
-  const url = parseUrl(req.host)
+  const url = parseUrl(req.origin)
 
   if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam, url.base)) {
     return new InvalidCallbackUrl(

diff --git a/packages/next-auth/src/core/types.ts b/packages/next-auth/src/core/types.ts
@@ -587,7 +587,7 @@ export interface InternalOptions<
 > {
   providers: InternalProvider[]
   /**
-   * Parsed from `NEXTAUTH_URL` or `x-forwarded-host` on Vercel.
+   * Parsed from `NEXTAUTH_URL` or `x-forwarded-host` and `x-forwarded-proto` if the host is trusted.
    * @default "http://localhost:3000/api/auth"
    */
   url: InternalUrl

diff --git a/packages/next-auth/src/next/index.ts b/packages/next-auth/src/next/index.ts
@@ -1,5 +1,4 @@
 import { AuthHandler } from "../core"
-import { detectHost } from "../utils/detect-host"
 import { setCookie, getBody, toResponse } from "./utils"
 
 import type {
@@ -31,7 +30,6 @@ async function NextAuthApiHandler(
 
   const handler = await AuthHandler({
     req: {
-      host: detectHost(req.headers["x-forwarded-host"]),
       body: req.body,
       query,
       cookies: req.cookies,
@@ -80,7 +78,6 @@ async function NextAuthRouteHandler(
   const body = await getBody(req)
   const internalResponse = await AuthHandler({
     req: {
-      host: detectHost(req.headers["x-forwarded-host"]),
       body,
       query,
       cookies: Object.fromEntries(
@@ -213,7 +210,6 @@ export async function getServerSession<
   const session = await AuthHandler<Session | {} | string>({
     options,
     req: {
-      host: detectHost(req.headers["x-forwarded-host"]),
       action: "session",
       method: "GET",
       cookies: req.cookies,

diff --git a/packages/next-auth/src/utils/detect-host.ts → ...ages/next-auth/src/utils/detect-origin.ts b/packages/next-auth/src/utils/detect-host.ts → ...ages/next-auth/src/utils/detect-origin.ts
@@ -1,8 +1,9 @@
-/** Extract the host from the environment */
-export function detectHost(forwardedHost: any) {
+/** Extract the origin from the environment */
+export function detectOrigin(forwardedHost: any, protocol: any) {
   // If we detect a Vercel environment, we can trust the host
   if (process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)
-    return forwardedHost
+    return `${protocol === "http" ? "http" : "https"}://${forwardedHost}`
+
   // If `NEXTAUTH_URL` is `undefined` we fall back to "http://localhost:3000"
   return process.env.NEXTAUTH_URL
 }