auth0 / nextjs-auth0

Next.js SDK for signing in with Auth0
MIT License

v4.0.0-beta.6 - APP_BASE_URL needs to include scheme #1815

Open robcaldecott opened 4 days ago

robcaldecott commented 4 days ago

Description

When we deploy our app to prod using the v3 client, the base URL does not require the scheme (e.g. https://) and all the auth0 supplied middleware works with no issues, including redirects to login for any protected routes.

We are now using the v4 beta, which has been excellent so far, but when we deployed to prod we were greeted with a 500 error when our middleware attempts to redirect the user to the auth0 login page.

Our middleware looks something like this:

import { NextResponse, type NextRequest } from "next/server";
import { auth0 } from "@/lib/auth0";

export async function middleware(req: NextRequest) {
  // Handle auth-specific routes
  const authResponse = await auth0.middleware(req);
  if (req.nextUrl.pathname.startsWith("/auth")) {
    return authResponse;
  }

  const accessToken = await auth0.getAccessToken();
  if (!accessToken) {
    // Exception thrown here if the base URL is missing the scheme
    return NextResponse.redirect(new URL("/auth/login", req.url));
  }
  // We have a token
  return authResponse;
}

The missing https:// on the base URL causes that new URL to throw an Invalid URL error.

We are working around this by changing our custom auth0 client to something like this:

export const auth0 = new Auth0Client({
  appBaseUrl: !process.env.APP_BASE_URL?.includes("http")
    ? "https://" + process.env.APP_BASE_URL
    : process.env.APP_BASE_URL,
});

And this fixes the issue.

I'm not sure if this is a bug but I fear it might catch others out so wanted to know the "right" way to handle the base URL and if a lack of scheme is likely to cause us issues elsewhere.

Thanks.

Reproduction

See middleware above.

Additional context

No response

nextjs-auth0 version

4.0.0-beta.6

Next.js version

15.0.3

Node.js version

20

guabu commented 3 days ago

Hey @robcaldecott 👋

We recently released a fix in 4.0.0-beta.7 that removes the check that enforces this — would you mind upgrading to that latest version and letting me know if that fixes the issue for you?

> I'm not sure if this is a bug but I fear it might catch others out so wanted to know the "right" way to handle the base URL and if a lack of scheme is likely to cause us issues elsewhere.

The APP_BASE_URL environment variable should include the protocol as well, for example: http://localhost:3000
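
Added example, not code from this thread or from the SDK: one way to validate and normalize the APP_BASE_URL value once at startup, so a missing scheme or a malformed value fails with a clear message instead of an Invalid URL error during a redirect. The helper name `normalizeAppBaseUrl` is hypothetical, and the policy it applies (bare hosts default to https, plain http only for local hosts, app served from the origin root) is an assumption.

```typescript
// Added example: hypothetical helper, not part of nextjs-auth0.
// Normalizes a configured base URL and rejects values that would later
// surface as "Invalid URL" or as redirects to an unintended origin.

const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function normalizeAppBaseUrl(raw: string | undefined): string {
  const value = (raw ?? "").trim();
  if (value === "") {
    throw new Error("APP_BASE_URL is not set");
  }

  // Test for a real scheme prefix. A substring test such as
  // includes("http") also matches hosts like "httpbin.example.com".
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  const candidate = hasScheme ? value : `https://${value}`;

  let url: URL;
  try {
    url = new URL(candidate);
  } catch {
    throw new Error(`APP_BASE_URL is not a valid URL: ${value}`);
  }

  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`APP_BASE_URL has unsupported scheme ${url.protocol}`);
  }
  // Assumption: plain http is acceptable for local development only.
  if (url.protocol === "http:" && !LOCAL_HOSTS.has(url.hostname)) {
    throw new Error("APP_BASE_URL must use https outside local development");
  }
  // Credentials, query and fragment have no place in a base URL.
  if (url.username || url.password || url.search || url.hash) {
    throw new Error("APP_BASE_URL must not contain credentials, query or fragment");
  }
  // Assumption: the app is served from the origin root.
  if (url.pathname !== "/") {
    throw new Error("APP_BASE_URL must not contain a path");
  }

  // Scheme, host and non-default port, with no trailing slash.
  return url.origin;
}
```

The returned string can be passed as `appBaseUrl` where the client is constructed, so a bad value stops the deployment at boot rather than at the first protected route.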