Using Next-Auth with wildcard domains

[junaid33]

Your question
I'm using Next-Auth with Prisma and everything is working smoothly. My question is how can I implement Auth using wildcard domains. Each user will have their own subdomain host like junaid.myapp.com. Their login and JWT should only work on that domain. Is this possible with Next-Auth?

What are you trying to do
Each signed up user will have their own subdomain to sign-in to. Their login should not work on other subdomains.

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[SharadKumar]

Related #600

[kripod]

@junaid33 May I ask how you've implemented user-created wildcard domains with Next.js? I found no official documentation for that and would be highly curious about your approach.

[junaid33]

@kripod Here is what I used for reference:

https://vercel.com/blog/wildcard-domains
https://github.com/vercel/static-fun - uses faunaDB as backend
https://github.com/leerob/nextjs-multiple-domains

From what I understand, in the index page, we include this code:

export async function getServerSideProps({ req, res }) {
  res.setHeader(
    'Cache-Control',
    'public, s-maxage=1, stale-while-revalidate=59'
  );

  return {
    props: {
      host: req.headers.host
    }
  };

We can get the host here from the URL and fetch data using the host name from Prisma or any API.

[kripod]

@junaid33 Awesome, I’ve missed that blog post. Thank you for the tip, I appreciate it!

Also, I’m eagerly looking forward for authentication support over subdomains.

[skilesare]

I've tried to address this here: skilesare@86ea3de

It may need some changes....and I only really focused on the session call back because I needed to get some data based on the domain in the session, but the pattern should be easy to follow for the other callbacks. Basically the request (req) just needs to be passed to these callbacks so that you can key in on the domain/sub domain. The other potential gotcha is the http vs https so if anyone has a suggestion for that, let me know.

If any one wants to walk me through how to get this set up so that it can eventually be pulled in, let me know as well...haven't contributed to projects this big before and don't want to step on any toes.

[iaincollins]

We used to support multiple domains v1 but the host header is problematic as it can be spoofed by a client, which is why we explicitly require configuring NEXTAUTH_URL now. I don't recommend using the host header in this way, at least without checking it against a whitelist of some kind.

Improving out of the box support for wildcards and silent login across multiple domains is definitely something that's planned (and discussed in issues in the past) but requires a fair bit of work to support securely and there are other bits of work that probably needs to happen first.

It is possible to set a custom cookie policy to allow cookies to work across subdomains; work to make that easier will likely come sooner (unsure but I think it might even be in canary already).

Each signed up user will have their own subdomain to sign-in to. Their login should not work on other subdomains.

This seems very use case specific. Although possible (and have designed and built products this way in the past) it's probably not a scenario are going to be able explicitly support out of the box as there are going to be a few caveats.

[skilesare]

Thanks for the reply. I am checking against a whitelist. For now I have this working in production. https://littlehen.red and https://tacos.red are running off the same server and if you log into one, you have an account for that domain only. I don't want accounts working across subdomains as each subdomain is theoretically a different store.

For integration purposes it would be great for nextauth_url to be a call back function where one could return back a true/user domain that the user is supposed to be a part of.

Thanks for an amazing library.

[iaincollins]

For integration purposes it would be great for nextauth_url to be a call back function where one could return back a true/user domain that the user is supposed to be a part of.

Hmm thanks, that's an interesting way to put it - supporting some sort of authorisation callback function (maybe extending how the signIn callback is used?) that has enough information to make this call seems very reasonable and achievable!

[kripod]

Yeah, that seems to be a great idea! It would also possibly solve #969 😊

[Utkarshbhimte]

Any updates on this? Struggling with a similar problem.