Merge commit from fork

`detectOrigin` returned the auto-detected forwarded host whenever
`VERCEL`/`AUTH_TRUST_HOST` was set, ignoring an explicitly configured
`NEXTAUTH_URL`. A configured canonical URL should always win; only fall
back to the forwarded host when no `NEXTAUTH_URL` is set.

Adds unit tests for detectOrigin precedence.

Author: Bekacru

packages/next-auth/src/utils/detect-origin.ts

@@ -1,9 +1,17 @@
 /** Extract the origin from the environment */
 export function detectOrigin(forwardedHost: any, protocol: any) {
-  // If we detect a Vercel environment, we can trust the host
+  // An explicitly configured `NEXTAUTH_URL` always takes precedence, even in
+  // trusted-host mode (Vercel / `AUTH_TRUST_HOST`), so a configured canonical
+  // URL is never overridden by the auto-detected forwarded host.
+  if (process.env.NEXTAUTH_URL) return process.env.NEXTAUTH_URL
+
+  // No canonical URL configured. On platforms known to set the host reliably
+  // (Vercel) or when the deployer has opted into trusting the host
+  // (`AUTH_TRUST_HOST`), derive the origin from the forwarded host.
   if (process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)
     return `${protocol === "http" ? "http" : "https"}://${forwardedHost}`
 
-  // If `NEXTAUTH_URL` is `undefined` we fall back to "http://localhost:3000"
+  // `NEXTAUTH_URL` is `undefined` here; callers fall back to
+  // "http://localhost:3000".
   return process.env.NEXTAUTH_URL
 }

packages/next-auth/tests/detect-origin.test.ts

@@ -0,0 +1,60 @@
+import { detectOrigin } from "../src/utils/detect-origin"
+
+// An explicitly configured `NEXTAUTH_URL` should always take precedence over the
+// auto-detected forwarded host, including when trusted-host mode is enabled via
+// `AUTH_TRUST_HOST` or a platform default such as `VERCEL`.
+
+const FORWARDED_HOST = "forwarded.example.test"
+const CONFIGURED_URL = "https://app.example.test"
+
+const ENV_KEYS = ["NEXTAUTH_URL", "AUTH_TRUST_HOST", "VERCEL"] as const
+
+describe("detectOrigin", () => {
+  const saved: Record<string, string | undefined> = {}
+
+  beforeEach(() => {
+    for (const key of ENV_KEYS) {
+      saved[key] = process.env[key]
+      delete process.env[key]
+    }
+  })
+
+  afterEach(() => {
+    for (const key of ENV_KEYS) {
+      if (saved[key] === undefined) delete process.env[key]
+      else process.env[key] = saved[key]
+    }
+  })
+
+  it("prefers NEXTAUTH_URL over the forwarded host when AUTH_TRUST_HOST is set", () => {
+    process.env.AUTH_TRUST_HOST = "true"
+    process.env.NEXTAUTH_URL = CONFIGURED_URL
+
+    expect(detectOrigin(FORWARDED_HOST, "https")).toBe(CONFIGURED_URL)
+  })
+
+  it("prefers NEXTAUTH_URL over the forwarded host on Vercel", () => {
+    process.env.VERCEL = "1"
+    process.env.NEXTAUTH_URL = CONFIGURED_URL
+
+    expect(detectOrigin(FORWARDED_HOST, "https")).toBe(CONFIGURED_URL)
+  })
+
+  it("derives the origin from the forwarded host in trusted-host mode when NEXTAUTH_URL is not set", () => {
+    process.env.AUTH_TRUST_HOST = "true"
+
+    expect(detectOrigin("app.example.test", "https")).toBe(
+      "https://app.example.test"
+    )
+  })
+
+  it("returns NEXTAUTH_URL when not in trusted-host mode", () => {
+    process.env.NEXTAUTH_URL = CONFIGURED_URL
+
+    expect(detectOrigin(FORWARDED_HOST, "https")).toBe(CONFIGURED_URL)
+  })
+
+  it("returns undefined when neither trusted-host mode nor NEXTAUTH_URL is configured", () => {
+    expect(detectOrigin(FORWARDED_HOST, "https")).toBeUndefined()
+  })
+})