next-auth: VERCEL env causes signinUrl and others to be prefixed with https in local development

Environment

System:
  OS: macOS 13.3
  CPU: (10) arm64 Apple M1 Pro
  Memory: 5.52 GB / 32.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 17.4.0 - ~/Library/Caches/fnm_multishells/16656_1681032588306/bin/node
  Yarn: 1.22.15 - ~/Library/Caches/fnm_multishells/16656_1681032588306/bin/yarn
  npm: 8.3.1 - ~/Library/Caches/fnm_multishells/16656_1681032588306/bin/npm
Browsers:
  Chrome: 112.0.5615.49
  Firefox: 111.0.1
  Safari: 16.4

Reproduction URL

Can be reproduced with next-auth-example by adding a VERCEL="1" env var

Describe the issue

next-auth fails if a VERCEL="1" env var is present - even if it’s set to VERCEL="0".

I use vc env pull .env.local to pull the Vercel defined env vars to my machine.

This creates a VERCEL="1" env var. But as soon as this is present the sign in no longer works as I get redirected to https://localhost:3000/api/auth/signin?csrf=true (notice the https) when trying to sign in.

I debugged this and noticed the following: If you open http://localhost:3000/api/auth/providers you will see this

{
  "github": {
    "id": "github",
    "name": "GitHub",
    "type": "oauth",
    "signinUrl": "https://localhost:3000/api/auth/signin/github",
    "callbackUrl": "https://localhost:3000/api/auth/callback/github"
  }
}

Note that signinUrl and callbackUrl are prefixed with https. This prefix goes away as soon as you remove the VERCEL="1" env var.

How to reproduce

Create a VERCEL="1" env var and try to sign in.

Next.js version: 13.3.0
next-auth version: 4.21.1

Expected behavior

Sign in should work. It should not redirect to https locally.

_This slightly relates to https://github.com/nextauthjs/next-auth/issues/4363_

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 3
  • Comments: 24 (2 by maintainers)

Most upvoted comments

@dferber90 @balazsorban44 @leogilmour There is a more convenient workaround I just tested, to be able to still use vercel env pull without having to comment out VERCEL="1" every time. Just add an env var for development only on vercel platform, name this env var VERCEL and leave the value blank. This is pretty dumb but it works without breaking vercel env updating flow.

A fix on nextauth side is still needed IMO because this shouldn’t be needed.

I too, am a haver of this issue

I found the issue and created an experimental release with a fix, if anyone wants to test https://github.com/nextauthjs/next-auth/pull/7214#issuecomment-1503033702

TLDR; we need to respect the x-forwarded-proto header if present when trusting the host. (In this case when VERCEL environment variable is set).

VERCEL=0 did not help BTW because env variables are always read as strings, and we do not parse the variable to int, so only removing/commenting out would have worked.
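
The two points in the comment above (string-valued env flags, and taking the scheme from x-forwarded-proto on the trusted-host path), as an added JavaScript sketch that is not next-auth's source code. All function names, the `configuredUrl` fallback and the sample headers are assumptions made for illustration.

```javascript
// Added illustration, not next-auth source. All function names are hypothetical.

// Environment variables are always strings, so "0" is truthy; only an
// unset or blank value is falsy (which is why the blank-value workaround works).
function trustHostFlag(env) {
  return Boolean(env.VERCEL);
}

// Read x-forwarded-proto defensively: take the first hop, allow only http/https.
function forwardedProto(headers) {
  const first = String(headers["x-forwarded-proto"] ?? "").split(",")[0];
  const proto = first.trim().toLowerCase();
  return proto === "http" || proto === "https" ? proto : null;
}

// "Before": a trusted host is always assumed to be served over https.
function originAssumingHttps(env, headers, configuredUrl) {
  if (!trustHostFlag(env)) return configuredUrl;
  return `https://${headers["x-forwarded-host"] ?? headers.host}`;
}

// "After": a trusted host also gets its scheme from x-forwarded-proto when the
// header is present and valid. Forwarded headers are client-controlled unless a
// proxy overwrites them, so they are consulted only on the trusted-host path.
function originRespectingProto(env, headers, configuredUrl) {
  if (!trustHostFlag(env)) return configuredUrl;
  const host = headers["x-forwarded-host"] ?? headers.host;
  return `${forwardedProto(headers) ?? "https"}://${host}`;
}

// Constructed request headers for a local dev server (assumed values).
const localHeaders = { host: "localhost:3000", "x-forwarded-proto": "http" };
const configured = "http://localhost:3000";

for (const value of ["1", "0", ""]) {
  const env = { VERCEL: value };
  console.log(JSON.stringify(value),
    originAssumingHttps(env, localHeaders, configured),
    originRespectingProto(env, localHeaders, configured));
}
```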

It’s not related. This is really about the use of process.env.VERCEL within the next-auth code base itself. It is even reproducible locally, so it’s not an issue of being hosted on Vercel :blob_smile:

Sorry if it wasn’t clear earlier: I work at Vercel and I’ll get this sorted internally too 😃

I know this isn’t related, but that is really cool! I am a student just playing around in the web dev space, and normally I use C++. Thank you for your contribution!