Closed bryan-robitaille closed 3 weeks ago
Summary | Résumé
Removes any remaining reference to NEXTAUTH_URL in the codebase as we can implicitly trust that the Elastic Load Balancer safely sets the Host header and ignores any header provided in the original request.
Confirmed here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#host-header-preservation
It would also appear that Auth.js guidance is now that the `trusted_host` should always be set to true: https://authjs.dev/reference/core#trusthost