Open kevinmitch14 opened 1 month ago
Also trying EmailProvider
w/ Resend, I am making the request on http://tenant.localhost:3000, the email URL is tenant.localhost:3000/api/auth/callback/[...] and then when I click the link, it redirects me back to localhost:3000 (no subdomain)
I do face this weird issue. After being logged in, I could see the cookie authjs.callback-url
is been set to http://localhost:3000/
in my PROD for a second and then been corrected to my PROD url http://aaa.bbb.com
. Due to this at times it's been redirected to http://localhost:3000/
when session timeout. I have no traces of http://localhost:3000/
anywhere in my code or environment variable. I haven't set AUTH_URL
as it's not necessary for v5 and I faced some other issues while setting it.
I use
"next": "14.1.4"
"next-auth": "^5.0.0-beta.18",
I am having the same issue.
"next": "14.1.0"
"next-auth": "^5.0.0-beta.19"
I can confirm that the x-forwarded-host
header is correctly set.
Environment
Reproduction URL
https://github.com/kevinmitch14/next-auth-subdomains
Describe the issue
I've noticed some discrepancies between v4 and v5. For some context, our app is a multi tenant nextjs app. Each tenant is housed on their own subdomain. I am using middleware rewrites to handle multitenancy.
As a result, I want to have authentication on a subdomain basis. I want to be able to enter the site via a subdomain Eg: http://tenant1.localhost:3000, login and have my auth session on this subdomain only.
In v5 I cannot seem to get this to work. Although my sign in is being initialized on http://tenant1.localhost:3000, I get CSFR errors. (Missing CSRF). I think the issue is that next-auth is hitting the api route at http://localhost:3000/api/auth instead of http://tenant1.localhost:3000/api/auth, causing the issues.
v5 steps: Go to sign in from http://test.localhost:3000 Network tab shows authjs.callback-url cookie being set on http://localhost:3000, not on http://test.localhost:3000. Try to log in, CSRF issues. Add
AUTH_URL=http://test.localhost:3000/api/auth
Login, success.If I hardcode
AUTH_URL
to the subdomain I am on, like http://tenant1.localhost:3000/api/auth, then api requests to/credentials
are made to the subdomain. However I can't set theAUTH_URL
at build time because I don't know what the active tenant will be. It seems that I could maybe set the basePath when initializing NextAuth, but this doesn't work either..I also saw a mention of
TRUST_HOST
which respects the x-forwarded-header, I thought this would solve my issues, but also no. The docs for this are super confusing too across the docs:When using v4 +
AUTH_TRUST_HOST=true
, API requests are made to the subdomain API route as wanted.So if I am trying to log in on http://tenant1.localhost:3000, the api requests to
/credentials
etc are made to http://tenant1.localhost:3000/api/auth, as opposed to http://localhost:3000/api/authAny ideas as to why this is happening? Is this expected in v5, or a bug?
Some guidance on building multi-tenant auth with next-auth would be really helpful too if possible. There does not seem to be a very definitive blueprint of how to actually achieve this.
How to reproduce
v5 steps: Go to sign in from http://test.localhost:3000 Network tab shows authjs.callback-url cookie being set on http://localhost:3000, not on http://test.localhost:3000. Try to log in, CSRF issues. Add
AUTH_URL=http://test.localhost:3000/api/auth
Login, success.v4 steps: Comment out v5 code, use v4 code. Change dep version. Repeat steps and should be no issues.
Expected behavior
I want to be able to enter the site via a subdomain Eg: http://tenant1.localhost:3000, login and have my auth session on this subdomain only.