From c537a59f36c3930f9cded4e3afb02f79bb3a3b9f Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Thu, 26 Mar 2026 12:27:25 +0100
Subject: [PATCH] fix: trustHost should be true when NEXTAUTH_URL is set

The H7 fix made trustHost default to false, which caused redirect loops in environments where NEXTAUTH_URL is set (including Docker and tests). When NEXTAUTH_URL is explicitly configured, the operator has declared the canonical URL, making Host header validation unnecessary.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/lib/auth.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index f672af77..8accb131 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -409,9 +409,9 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
 },
 },
 secret: config.sessionSecret,
- // H7: Do not blindly trust Host header — use NEXTAUTH_URL instead.
- // trustHost is only safe behind a proxy that normalizes the Host header.
- trustHost: !!process.env.NEXTAUTH_TRUST_HOST,
+ // H7: Only trust Host header when explicitly opted in or when NEXTAUTH_URL
+ // is set (operator has declared the canonical URL, so Host validation is moot).
+ trustHost: !!process.env.NEXTAUTH_TRUST_HOST || !!process.env.NEXTAUTH_URL,
 basePath: "/api/auth",
 });
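Review bot: The new comment on the `+` lines declares Host validation "moot" once NEXTAUTH_URL is set, but that only holds if the library really derives every callback and redirect URL from NEXTAUTH_URL rather than from the request's Host/X-Forwarded-Host headers, so the H7 hardening now rests on that library behaviour and the comment should record the dependency instead of dismissing it, e.g. `// H7: trustHost is enabled when NEXTAUTH_URL is set because Auth.js then builds URLs from it rather than from Host headers — re-verify this on Auth.js upgrades.` A smaller point: `!!process.env.NEXTAUTH_URL` treats any non-empty string as the opt-in, so a whitespace-only or malformed value enables trustHost without supplying a usable canonical URL; `secret` on the line above is read through `config`, and sourcing the URL from the same validated config object would keep the two checks consistent. The enclosing `NextAuth({ … })` call begins outside the hunk.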