Cookies in responses are sent with __Secure prefix in local environment when using Nextjs 13.5

Environment

System: OS: macOS 13.3.1 CPU: (8) arm64 Apple M1 Memory: 344.88 MB / 16.00 GB Shell: 5.9 - /bin/zsh Binaries: Node: 20.7.0 - /usr/local/bin/node Yarn: 1.22.17 - /opt/homebrew/bin/yarn npm: 10.1.0 - /opt/homebrew/bin/npm Watchman: 2023.06.12.00 - /opt/homebrew/bin/watchman Browsers: Chrome: 116.0.5845.187 Safari: 16.4

Reproduction URL

Repo is private. See How to Reproduce to see how to make a minimal example that demonstrates the problem

Describe the issue

I recently upgraded from Nextjs 13.4.10 to 13.5.2, and pretty much all of my authentication using next-auth broke. After a few hours debugging it I have identified the issue. After upgrading to Nextjs 13.5, the cookies sent back from the server are not saved in development, because they are sent back with the Secure or Host prefix. Because the csrf is not stored, it is regenerated on each request, which breaks authentication. This is not an issue in production, because the __Secure prefix is expected when using https, but it breaks local development using http.

I may be wrong, but after diving into the code, I think I have found the problem: next-auth uses a combination of the x-forwarded-proto header and the VERCEL env variable to determine if the request is coming from http or https (As can be seen here and here). If the VERCEL variable is set, then the x-forwarded-proto header is used to determine if the protocol is http or https, which determines if the Secure/Host prefixes are added to cookies. By default, vercel projects have the VERCEL env variable set to "1", so I expect this will be a problem for all vercel projects running Nextjs 13.5.

However, in Nextjs 13.5, the x-forwarded-proto is no longer sent in requests. Not sure why this was changed, but I just noticed it through my testing, and it results in next-auth assuming the protocol is https, when it is not.

Like I said, the lack if the x-forwarded-proto header, results in next-auth assuming https, resulting in the cookies being sent with Secure/Host prefixes, which the browser rejects because the protocol is actually http.

Note: this can be easily worked around by manually removing the VERCEL environment variable, however this isn't ideal, as vercel expects it to be there and every time I run vercel env pull it adds back in the variable.

How to reproduce

Create next app: npx create-next-app@latest auth-test --js --app --eslint --tailwind --no-src-dir --import-alias "@/*"
Install next-auth: npm i next-auth
Create .env.local file with contents: VERCEL="1"

Create app/api/auth/[...nextauth]/route.ts file with contents


import NextAuth from "next-auth"
import { headers } from "next/headers"

async function handler(req, res) { console.log([...headers().keys()]) return await NextAuth(req, res, { providers: [] }) }

export { handler as GET, handler as POST }

5. Run in development (`npm run dev`) and go to `localhost:3000/api/auth/csrf`. Refresh a few times and the token is different every time. If you open dev tools, you can see the csrf cookie is not being saved, and the response header with the cookie has the __Host prefix.

### Expected behavior

Since we are in a development environment (http), the cookie should have been sent without the __Secure/__Host prefixes. This results in the cookie being stored in the browser, and the returned csrf token from the api endpoint is always the same.

This behaviour can be seen by removing the `VERCEL` environment variable or downgrading Nextjs to 13.4. The above example also prints out the request headers. In Nextjs 13.4.10 the header keys are

[ 'accept', 'accept-language', 'cache-control', 'connection', 'cookie', 'host', 'pragma', 'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform', 'sec-fetch-dest', 'sec-fetch-mode', 'sec-fetch-site', 'sec-fetch-user', 'upgrade-insecure-requests', 'user-agent', 'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-port', 'x-forwarded-proto', 'x-invoke-path', 'x-invoke-query', 'x-middleware-invoke' ]

In Nextjs 13.5, the header keys are (notice there are no `x-forwarded-` headers):

[ 'accept', 'accept-encoding', 'accept-language', 'cache-control', 'connection', 'cookie', 'host', 'pragma', 'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform', 'sec-fetch-dest', 'sec-fetch-mode', 'sec-fetch-site', 'sec-fetch-user', 'upgrade-insecure-requests', 'user-agent' ]

We could not detect a valid reproduction link. Make sure to follow the bug report template carefully.

Why was this issue closed?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We need a link to a public GitHub repository. Example: (NextAuth.js example repository).

The bug template that you filled out has a section called "Reproduction URL", which is where you should provide the link to the reproduction.

If you did not provide a link or the link you provided is not valid, we will close the issue.
If you provide a link to a private repository, we will close the issue.
If you provide a link to a repository but not in the correct section, we will close the issue.

What should I do?

Depending on the reason the issue was closed, you can do the following:

If you did not provide a link, please open a new issue with a link to a reproduction.
If you provided a link to a private repository, please open a new issue with a link to a public repository.
If you provided a link to a repository but not in the correct section, please open a new issue with a link to a reproduction in the correct section.

In general, assume that we should not go through a lengthy onboarding process at your company code only to be able to verify an issue.

My repository is private and cannot make it public

In most cases, a private repo will not be a sufficient minimal reproduction, as this codebase might contain a lot of unrelated parts that would make our investigation take longer. Please do not make it public. Instead, create a new repository using the templates above, adding the relevant code to reproduce the issue. Common things to look out for:

Remove any code that is not related to the issue. (pages, API Routes, components, etc.)
Remove any dependencies that are not related to the issue.
Remove any third-party service that would require us to sign up for an account to reproduce the issue.
Remove any environment variables that are not related to the issue.
Remove private packages that we do not have access to.
If the issue is not related to a monorepo specifically, try to reproduce the issue without a complex monorepo setup

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps by opening a new issue.

I think my reproduction is good enough, why aren't you looking into it quickly?

We look into every issue and monitor open issues for new comments.

However, sometimes we might miss a few due to the popularity/high traffic of the repository. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

nextauthjs / next-auth