feat: Add dynamic app base URL handling #2528

Open
nandan-bhat wants to merge 1 commit into main from feature/SDK-7809

@nandan-bhat
Contributor

This PR refines dynamic base URL handling for preview environments such as Vercel and Netlify. The SDK now clearly documents allow‑list recommendations, enforces secure cookies in production when appBaseUrl is omitted, and includes full unit coverage for the base‑URL helper logic.

Changes

  • appBaseUrl now supports a list of base URLs.
  • appBaseUrl is now optional.
  • onCallBackContext now has appBaseUrl property.

Usage example

Allow‑list (recommended for preview deployments):

import { Auth0Client } from "@auth0/nextjs-auth0/server";

export const auth0 = new Auth0Client({
  appBaseUrl: [
    "https://app.example.com",
    process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : undefined
  ].filter(Boolean)
});

Zero‑config host inference (optional):

import { Auth0Client } from "@auth0/nextjs-auth0/server";

export const auth0 = new Auth0Client();
// APP_BASE_URL omitted; host inferred per request

Note

  • Secure cookies enforced in production when appBaseUrl is omitted
    • If appBaseUrl is omitted in production, cookies are forced secure
    • Explicit secure=false will throw InvalidConfigurationError.

@nandan-bhat nandan-bhat requested a review from a team as a code owner February 18, 2026 18:15
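
An added example, not code from this PR or the SDK, showing the allow-list matching and cookie `secure` defaulting that the PR description above lays out. `ConfigError`, `normalizeBaseUrls`, `resolveBaseUrl` and `cookieSecure` are hypothetical names, and exact origin matching against the allow-list is an assumption.

```javascript
// Added illustration; helper names are hypothetical, not the SDK's API.
class ConfigError extends Error {}

// Accept an array or a comma-separated string; return origins, or null if unset.
function normalizeBaseUrls(value) {
  if (value === undefined || value === null || value === "") return null;
  const items = Array.isArray(value) ? value : String(value).split(",");
  const origins = items.map((s) => String(s).trim()).filter(Boolean).map((s) => {
    let url;
    try { url = new URL(s); } catch { throw new ConfigError(`invalid base URL: ${s}`); }
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      throw new ConfigError(`unsupported scheme in base URL: ${s}`);
    }
    return url.origin;
  });
  return origins.length ? origins : null;
}

// Pick the base URL for one request. With an allow-list, the request origin
// must equal an entry exactly (assumption); with none, it is inferred.
function resolveBaseUrl(allowList, requestProto, requestHost) {
  let origin;
  try { origin = new URL(`${requestProto}://${requestHost}`).origin; } catch { return null; }
  if (!allowList) return origin;
  return allowList.includes(origin) ? origin : null;
}

// Decide the cookie `secure` flag following the rules in the PR description.
function cookieSecure(allowList, explicitSecure, nodeEnv) {
  if (allowList) {
    const allHttps = allowList.every((o) => o.startsWith("https://"));
    return allHttps ? true : explicitSecure; // mixed list: caller's setting wins
  }
  if (nodeEnv === "production") {
    if (explicitSecure === false) {
      throw new ConfigError("secure=false is not allowed with an inferred base URL in production");
    }
    return true;
  }
  return explicitSecure;
}
```

A `null` from `resolveBaseUrl` means the request origin is not on the list and should be rejected before any redirect is built.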
@codecov-commenter

codecov-commenter commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.53%. Comparing base (bc63577) to head (fa093f5).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2528      +/-   ##
==========================================
+ Coverage   90.15%   90.53%   +0.38%     
==========================================
  Files          51       52       +1     
  Lines        6439     6638     +199     
  Branches     1292     1387      +95     
==========================================
+ Hits         5805     6010     +205     
+ Misses        623      617       -6     
  Partials       11       11              

*
* If it's not specified, it will be loaded from the `APP_BASE_URL` environment variable.
* If neither is provided, the SDK will infer it from the request host at runtime.
* When using multiple dynamic environments, pass an array or a comma-separated list.
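
Review bot: The line "the SDK will infer it from the request host at runtime" documents the fallback without its cookie consequence. The PR description says cookies are forced secure in production when appBaseUrl is omitted and that an explicit secure=false throws InvalidConfigurationError, so state both here, where integrators reading the option will see them.
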
Member

Suggested change
* When using multiple dynamic environments, pass an array or a comma-separated list.
* When you have the need to support multiple base URL's, and you know the values on start-up (e.g. environment variables), we do recommend configuring all the allowed base URL's in `appBaseUrl`. Doing this ensures we do not unnecessarily redirect the user to Auth0 when the host is not an allowed value.

const appBaseUrls = normalizeAppBaseUrlConfig(appBaseUrl);

if (appBaseUrls) {
const allHttps = appBaseUrls.every(
Member

@frederikprijck frederikprijck Feb 19, 2026

Can we rename this to something more descriptive (e.g. allBaseUrlsUseHttps)?

(url) => new URL(url).protocol === "https:"
);

if (allHttps) {
Member

@frederikprijck frederikprijck Feb 19, 2026

Can we add a comment on why we do this:

Only when all APP_BASE_URLS provided are using https, we will, by default, ensure the cookies are secure. In all other cases we rely on what the user has set.

sessionCookieOptions.secure = true;
transactionCookieOptions.secure = true;
}
} else if (process.env.NODE_ENV === "production") {
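
Review bot: In the `appBaseUrls.every(...)` check, a single `http:` entry in the list turns off the secure default for every origin, including the https ones, with no signal to the integrator; consider logging a warning (or rejecting the mix when `NODE_ENV` is production) so a stray development URL in the allow-list does not quietly drop the Secure flag. `new URL(url)` also throws a bare TypeError on a malformed entry, so if `normalizeAppBaseUrlConfig` does not already validate each value, surface that as a configuration error that names the entry.
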
Member

Let's add a comment to clearly say that when we do not have an appBaseUrl provided, and we are relying on the dynamic request URL resolution, we require the secure flag to be set.
