fix(core): detect Vercel without NEXTAUTH_URL (nextauthjs#3649)

* fix(core): detect Vercel without `NEXTAUTH_URL`

* chore(ts): use `any`

* chore: use `process.env.VERCEL` to detect Vercel

Author: mnphpexpert

src/jwt/index.ts

@@ -71,7 +71,7 @@ export async function getToken<R extends boolean = false>(
   const {
     req,
     secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??
-      !!process.env.VERCEL_URL,
+      !!process.env.VERCEL,
     cookieName = secureCookie
       ? "__Secure-next-auth.session-token"
       : "next-auth.session-token",

src/lib/types.ts

@@ -50,7 +50,7 @@ export type NextAuthAction =
 export interface InternalOptions<T extends ProviderType = any> {
   providers: InternalProvider[]
   /**
-   * Parsed from `NEXTAUTH_URL` or `VERCEL_URL`.
+   * Parsed from `NEXTAUTH_URL` or `x-forwarded-host` on Vercel.
    * @default "http://localhost:3000/api/auth"
    */
   url: InternalUrl

src/next/index.ts

@@ -1,5 +1,5 @@
 import { NextAuthHandler } from "../core"
-import { setCookie } from "./cookie"
+import { setCookie, detectHost } from "./utils"
 
 import type {
   GetServerSidePropsContext,
@@ -21,7 +21,7 @@ async function NextAuthNextHandler(
   const { nextauth, ...query } = req.query
   const handler = await NextAuthHandler({
     req: {
-      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
+      host: detectHost(req.headers["x-forwarded-host"]),
       body: req.body,
       query,
       cookies: req.cookies,
@@ -87,7 +87,7 @@ export async function getServerSession(
   const session = await NextAuthHandler<Session | {}>({
     options,
     req: {
-      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
+      host: detectHost(context.req.headers["x-forwarded-host"]),
       action: "session",
       method: "GET",
       cookies: context.req.cookies,
@@ -108,7 +108,7 @@ declare global {
   namespace NodeJS {
     interface ProcessEnv {
       NEXTAUTH_URL?: string
-      VERCEL_URL?: string
+      VERCEL?: "1"
     }
   }
 }

src/next/cookie.ts src/next/utils.tssrc/next/cookie.ts renamed to src/next/utils.ts

@@ -13,3 +13,11 @@ export function setCookie(res, cookie: Cookie) {
   setCookieHeader.push(cookieHeader)
   res.setHeader("Set-Cookie", setCookieHeader)
 }
+
+/** Extract the host from the environment */
+export function detectHost(forwardedHost: any) {
+  // If we detect a Vercel environment, we can trust the host
+  if (process.env.VERCEL) return forwardedHost
+  // If `NEXTAUTH_URL` is `undefined` we fall back to "http://localhost:3000"
+  return process.env.NEXTAUTH_URL
+}