fix: support X-Forwarded-* headers in proxy environments (#10928)

UNILORN · UNILORN · commit 24e73ffe839e · 2025-11-13T11:34:38.000+09:00
diff --git a/packages/core/src/lib/utils/detect-origin.ts b/packages/core/src/lib/utils/detect-origin.ts
@@ -0,0 +1,35 @@
+/**
+ * Extract the origin from request headers and environment variables.
+ *
+ * This function prioritizes X-Forwarded-* headers when AUTH_TRUST_HOST or
+ * platform-specific environment variables (VERCEL, CF_PAGES) are set.
+ * https://authjs.dev/getting-started/deployment#auth_trust_host
+ *
+ * @param forwardedHost - The value of X-Forwarded-Host or Host header
+ * @param protocol - The value of X-Forwarded-Proto header
+ * @returns The detected origin URL string, or undefined to use the default
+ */
+export function detectOrigin(
+  forwardedHost: string | undefined,
+  protocol: string | undefined
+): string | undefined {
+  // If AUTH_URL is set, always use it (highest priority)
+  if (process.env.AUTH_URL) {
+    return process.env.AUTH_URL
+  }
+
+  // If we detect a trusted environment, use the forwarded headers
+  if (
+    process.env.VERCEL ||
+    process.env.CF_PAGES ||
+    process.env.AUTH_TRUST_HOST
+  ) {
+    if (forwardedHost?.trim()) {
+      const detectedProtocol = protocol === "http" ? "http" : "https"
+      return `${detectedProtocol}://${forwardedHost}`
+    }
+  }
+
+  // Fall back to undefined (will use request URL as-is)
+  return undefined
+}
diff --git a/packages/core/src/lib/utils/web.ts b/packages/core/src/lib/utils/web.ts
@@ -1,6 +1,7 @@
 import * as cookie from "../vendored/cookie.js"
 import { UnknownAction } from "../../errors.js"
 import { setLogger } from "./logger.js"
+import { detectOrigin } from "./detect-origin.js"
 
 import type {
   AuthAction,
@@ -37,6 +38,20 @@ export async function toInternalRequest(
 
     const url = new URL(req.url)
 
+    // Detect origin from X-Forwarded-* headers when in a trusted environment
+    const headers = Object.fromEntries(req.headers)
+    const forwardedHost = headers["x-forwarded-host"] ?? headers.host
+    const forwardedProto = headers["x-forwarded-proto"]
+    const detectedOrigin = detectOrigin(forwardedHost, forwardedProto)
+
+    // Update URL with detected origin if available
+    if (detectedOrigin) {
+      const trustedUrl = new URL(detectedOrigin)
+      url.protocol = trustedUrl.protocol
+      url.host = trustedUrl.host
+      url.port = trustedUrl.port
+    }
+
     const { action, providerId } = parseActionAndProviderId(
       url.pathname,
       config.basePath
@@ -47,7 +62,7 @@ export async function toInternalRequest(
       action,
       providerId,
       method: req.method,
-      headers: Object.fromEntries(req.headers),
+      headers,
       body: req.body ? await getBody(req) : undefined,
       cookies: parseCookie(req.headers.get("cookie") ?? "") ?? {},
       error: url.searchParams.get("error") ?? undefined,
diff --git a/packages/core/test/detect-origin.test.ts b/packages/core/test/detect-origin.test.ts
@@ -0,0 +1,99 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest"
+import { detectOrigin } from "../src/lib/utils/detect-origin.js"
+
+describe("detectOrigin", () => {
+  const originalEnv = process.env
+
+  beforeEach(() => {
+    // Reset process.env before each test
+    process.env = { ...originalEnv }
+    delete process.env.AUTH_URL
+    delete process.env.AUTH_TRUST_HOST
+    delete process.env.VERCEL
+    delete process.env.CF_PAGES
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe("AUTH_URL has highest priority", () => {
+    it("should return AUTH_URL when set, ignoring forwarded headers", () => {
+      process.env.AUTH_URL = "https://from-env.com"
+      const result = detectOrigin("forwarded.com", "http")
+      expect(result).toBe("https://from-env.com")
+    })
+
+    it("should return AUTH_URL even when AUTH_TRUST_HOST is set", () => {
+      process.env.AUTH_URL = "https://from-env.com"
+      process.env.AUTH_TRUST_HOST = "true"
+      const result = detectOrigin("forwarded.com", "https")
+      expect(result).toBe("https://from-env.com")
+    })
+  })
+
+  describe("Trusted environments (AUTH_TRUST_HOST, VERCEL, CF_PAGES)", () => {
+    it("should use forwarded headers when AUTH_TRUST_HOST is set", () => {
+      process.env.AUTH_TRUST_HOST = "true"
+      const result = detectOrigin("example.com", "https")
+      expect(result).toBe("https://example.com")
+    })
+
+    it("should use forwarded headers when VERCEL is set", () => {
+      process.env.VERCEL = "1"
+      const result = detectOrigin("vercel-app.com", "https")
+      expect(result).toBe("https://vercel-app.com")
+    })
+
+    it("should use forwarded headers when CF_PAGES is set", () => {
+      process.env.CF_PAGES = "1"
+      const result = detectOrigin("cloudflare.com", "https")
+      expect(result).toBe("https://cloudflare.com")
+    })
+
+    it("should default to https when protocol is not 'http'", () => {
+      process.env.AUTH_TRUST_HOST = "true"
+      const result = detectOrigin("example.com", undefined)
+      expect(result).toBe("https://example.com")
+    })
+
+    it("should use http when protocol is explicitly 'http'", () => {
+      process.env.AUTH_TRUST_HOST = "true"
+      const result = detectOrigin("example.com", "http")
+      expect(result).toBe("http://example.com")
+    })
+
+    it("should return undefined when no forwardedHost is provided in trusted environment", () => {
+      process.env.AUTH_TRUST_HOST = "true"
+      const result = detectOrigin(undefined, "https")
+      expect(result).toBeUndefined()
+    })
+  })
+
+  describe("Untrusted environment (no environment variables)", () => {
+    it("should return undefined when no trust indicators are set", () => {
+      const result = detectOrigin("example.com", "https")
+      expect(result).toBeUndefined()
+    })
+
+    it("should return undefined even with forwarded headers", () => {
+      const result = detectOrigin("malicious.com", "https")
+      expect(result).toBeUndefined()
+    })
+  })
+
+  describe("Edge cases", () => {
+    it("should return undefined for empty forwardedHost", () => {
+      process.env.AUTH_TRUST_HOST = "true"
+      const result = detectOrigin("", "https")
+      // Empty string should be treated as invalid
+      expect(result).toBeUndefined()
+    })
+
+    it("should handle forwardedHost with port", () => {
+      process.env.VERCEL = "1"
+      const result = detectOrigin("example.com:3000", "http")
+      expect(result).toBe("http://example.com:3000")
+    })
+  })
+})
