fix: trustHost should be true when NEXTAUTH_URL is set

The H7 fix made trustHost default to false, which caused redirect loops
in environments where NEXTAUTH_URL is set (including Docker and tests).
When NEXTAUTH_URL is explicitly configured, the operator has declared
the canonical URL, making Host header validation unnecessary.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fuomag9
2026-03-26 12:27:25 +01:00
parent debd0d98fc
commit c537a59f36


@@ -409,9 +409,9 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
},
},
secret: config.sessionSecret,
// H7: Do not blindly trust Host header — use NEXTAUTH_URL instead.
// trustHost is only safe behind a proxy that normalizes the Host header.
trustHost: !!process.env.NEXTAUTH_TRUST_HOST,
// H7: Only trust Host header when explicitly opted in or when NEXTAUTH_URL
// is set (operator has declared the canonical URL, so Host validation is moot).
trustHost: !!process.env.NEXTAUTH_TRUST_HOST || !!process.env.NEXTAUTH_URL,
basePath: "/api/auth",
});
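Review bot: the opt-in half of `trustHost: !!process.env.NEXTAUTH_TRUST_HOST || !!process.env.NEXTAUTH_URL` treats any non-empty value as a yes, so `NEXTAUTH_TRUST_HOST=false` or `=0` silently enables Host trust; consider `process.env.NEXTAUTH_TRUST_HOST === "true"` for that branch. The NEXTAUTH_URL half is only sound if the Auth.js version pinned here really builds callback and redirect URLs from NEXTAUTH_URL instead of the incoming Host/X-Forwarded-Host headers whenever that variable is set; please confirm that for the pinned version and say so in the comment rather than just "Host validation is moot". The dropped warning from the old comment ("trustHost is only safe behind a proxy that normalizes the Host header") still applies to the NEXTAUTH_TRUST_HOST path and is worth keeping, and it would help operators to note that NEXTAUTH_URL must be the exact public origin (scheme, host and port) users reach the app on, otherwise sign-in redirects will target the wrong origin.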