Skip to content

fix(core): respect forwarded headers for base URL detection #13365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
FDiskas wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(core): respect forwarded headers for base URL detection #13365

FDiskas wants to merge 1 commit into from
+11 −1

Conversation

@FDiskas
Copy link

@FDiskas FDiskas commented Jan 15, 2026

☕️ Reasoning

In containerized environments (like Docker) or multi-tenant setups behind a reverse proxy, Request.url often reflects the internal network address (e.g., http://0.0.0.0:3000) rather than the public-facing domain.

When trustHost is enabled, the library should prioritize X-Forwarded-Host and X-Forwarded-Proto headers to reconstruct the application's base URL. Without this, callbackUrl validation fails because the incoming URL behaves as a mismatch against the detected internal base URL, leading to incorrect redirects

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

Potential issue fixes: #8154

📌 Resources

@FDiskas
fix(core): respect forwarded headers for base URL detection when trus…
b28c90d 
…tHost is enabled

In containerized environments (like Docker) or multitenant setups behind a reverse proxy, Request.url often reflects the internal network address (e.g., http://0.0.0.0:3000) rather than the public-facing domain.
@FDiskas FDiskas requested a review from ThangHuuVu as a code owner January 15, 2026 16:41
@vercel
Copy link

vercel bot commented Jan 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
auth-docs Ready Ready Preview, Comment Jan 15, 2026 4:46pm
1 Skipped Deployment
Project Deployment Review Updated (UTC)
next-auth-docs Ignored Ignored Preview Jan 15, 2026 4:46pm

Review with Vercel Agent

@vercel
Copy link

vercel bot commented Jan 15, 2026

@FDiskas is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the core Refers to `@auth/core` label Jan 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ThangHuuVu ThangHuuVu Awaiting requested review from ThangHuuVu ThangHuuVu is a code owner

Assignees

No one assigned

Labels

core Refers to `@auth/core`

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@FDiskas