
VERCEL env causes signinUrl and others to be prefixed with https in local development #7202

Closed
dferber90 opened this issue Apr 9, 2023 · 26 comments
Labels
bug Something isn't working

Comments

@dferber90

dferber90 commented Apr 9, 2023

Environment

System:
OS: macOS 13.3
CPU: (10) arm64 Apple M1 Pro
Memory: 5.52 GB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 17.4.0 - ~/Library/Caches/fnm_multishells/16656_1681032588306/bin/node
Yarn: 1.22.15 - ~/Library/Caches/fnm_multishells/16656_1681032588306/bin/yarn
npm: 8.3.1 - ~/Library/Caches/fnm_multishells/16656_1681032588306/bin/npm
Browsers:
Chrome: 112.0.5615.49
Firefox: 111.0.1
Safari: 16.4

Reproduction URL

Can be reproduced with next-auth-example by adding a VERCEL="1" env var.

Describe the issue

next-auth fails if a VERCEL="1" env var is present - even if it's set to VERCEL="0".

I use vc env pull .env.local to pull the Vercel defined env vars to my machine.

This creates a VERCEL="1" env var. But as soon as this is present the sign in no longer works as
I get redirected to https://localhost:3000/api/auth/signin?csrf=true (notice the https) when trying to sign in.

I debugged this and noticed the following: If you open http://localhost:3000/api/auth/providers you will see this:

{
  "github": {
    "id": "github",
    "name": "GitHub",
    "type": "oauth",
    "signinUrl": "https://localhost:3000/api/auth/signin/github",
    "callbackUrl": "https://localhost:3000/api/auth/callback/github"
  }
}

Note that signinUrl and callbackUrl are prefixed with https. This prefix goes away as soon as you remove the VERCEL="1" env var.

How to reproduce

Create a VERCEL="1" env var and try to sign in.

Next.js version 13.3.0
next-auth version 4.21.1

Expected behavior

Sign in should work. It should not redirect to https locally.

This slightly relates to #4363

@dferber90 dferber90 added the triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. label Apr 9, 2023
@Crazypersonalph

I have had this issue before.
This is because the cookies you are creating for authentication/session stuff are HTTPS only, so they are not allowed to be used with HTTP only, therefore causing the redirect.

@Crazypersonalph

Crazypersonalph commented Apr 10, 2023

I know in SvelteKitAuth, which is just this project being wrapped for SvelteKit, there is an option called useSecureCookies, which is on by default in production to protect the cookie information. You can manually disable it.

@Crazypersonalph

It may also be that Vercel is changing around the links by itself without your knowledge, keep an eye out for that.

@dferber90
Author

dferber90 commented Apr 10, 2023

Thanks for your hints! However I don't think it's related to useSecureCookies as it can be reproduced in an incognito window. This is specifically about the VERCEL env var being present.

As soon as this is set, the /api/auth/providers endpoint returns https for the signinUrl instead of http.

It doesn't even matter which value VERCEL holds, it can even be Vercel="0" and it will still start using https.

@Crazypersonalph

Looks like this may hold an answer:
vercel/vercel#1745

@dferber90
Author

dferber90 commented Apr 10, 2023

It's not related. This is really about the use of process.env.VERCEL within the next-auth code base itself. It is even reproducible locally, so it's not an issue of being hosted on Vercel :blob_smile:

Sorry if it wasn't clear earlier: I work at Vercel and I'll get this sorted internally too :)

@Crazypersonalph

> It's not related. This is really about the use of process.env.VERCEL within the next-auth code base itself. It is even reproducible locally, so it's not an issue of being hosted on Vercel :blob_smile:
>
> Sorry if it wasn't clear earlier: I work at Vercel and I'll get this sorted internally too :)

I know this isn't related, but that is really cool! I am a student just playing around in the web dev space, and normally I use C++. Thank you for your contribution!

@fsa317

fsa317 commented Apr 10, 2023

I am having the same issue @dferber90 . Is there a workaround?

@fsa317

fsa317 commented Apr 11, 2023

From what I can see it looks like this code uses that env variable to determine whether to use secure cookies:

secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??

@Crazypersonalph

Crazypersonalph commented Apr 11, 2023

> From what I can see it looks like this code uses that env variable to determine whether to use secure cookies:
>
> secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??

That is what I was thinking about before when I looked through the code, but @dferber90 said that it wasn't related to secureCookies, so the issue is probably not a result of that code.

@dferber90
Author

> I am having the same issue @dferber90 . Is there a workaround?

The workaround I used was to comment out the VERCEL env var in my .env.local file manually. It's not a great workaround but at least it unblocked me.

@Crazypersonalph I was trying to say that it's not related to any cookies I already have, but the error is definitely somewhere in the logic of how next-auth detects whether to use https or not.

@Crazypersonalph

> I am having the same issue @dferber90 . Is there a workaround?
>
> The workaround I used was to comment out the VERCEL env var in my .env.local file manually. It's not a great workaround but at least it unblocked me.
>
> @Crazypersonalph I was trying to say that it's not related to any cookies I already have, but the error is definitely somewhere in the logic of how next-auth detects whether to use https or not.

I have an idea.
What if, because the VERCEL env var is present on the command line, it overrides the env var in your file? This would mean that in that line of code NEXTAUTH_URL would be the Vercel-appointed URL, and so Vercel is upgrading the connection to HTTPS to fit the requirement of the secureCookie to be HTTPS.

@balazsorban44 balazsorban44 added bug Something isn't working and removed triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Apr 11, 2023
@balazsorban44
Member

balazsorban44 commented Apr 11, 2023

I found the issue and created an experimental release with a fix, if anyone wants to test #7214 (comment)

TLDR; we need to respect the x-forwarded-proto header if present when trusting the host. (In this case when VERCEL environment variable is set).

VERCEL=0 did not help BTW because env variables are always read as strings, and we do not parse the variable to int, so only removing/commenting out would have worked.
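
A model of the origin detection this fix describes, added here as an illustration; it is not next-auth's own code (the real logic lives in detect-origin.ts). The function names, the use of the `host` header, and the fallback to the scheme of NEXTAUTH_URL when no `x-forwarded-proto` header is present are assumptions of the example:

```typescript
// Added example, not next-auth's own code: a model of how the origin behind
// signinUrl/callbackUrl is derived. detectOriginBefore() reproduces the bug
// in this issue; detectOriginAfter() respects x-forwarded-proto when trusted.
type Env = Record<string, string | undefined>;
type Headers = Record<string, string | undefined>; // keys lower-cased, as Node does

// Env vars are strings, so VERCEL="0" is still truthy; only unsetting or
// blanking the variable (VERCEL="") makes this false, as the thread found.
function hostIsTrusted(env: Env): boolean {
  return Boolean(env.VERCEL);
}

// Scheme of NEXTAUTH_URL, the assumed fallback when no proxy header is present.
function protoFromNextAuthUrl(env: Env): "http" | "https" {
  return env.NEXTAUTH_URL?.startsWith("https://") ? "https" : "http";
}

// Before the fix: trusting the host also forced https, so a local
// http://localhost:3000 became https://localhost:3000 once VERCEL was set.
function detectOriginBefore(env: Env, headers: Headers): string {
  if (hostIsTrusted(env)) return `https://${headers.host}`;
  return env.NEXTAUTH_URL ?? `http://${headers.host}`;
}

// After the fix: when the host is trusted, take the scheme from
// x-forwarded-proto (set by the Vercel proxy). Only "http"/"https" are
// accepted; anything else falls back, since the header is client-influenced
// on any deployment that has no proxy in front to overwrite it.
function detectOriginAfter(env: Env, headers: Headers): string {
  if (hostIsTrusted(env)) {
    const fwd = headers["x-forwarded-proto"];
    const proto = fwd === "http" || fwd === "https" ? fwd : protoFromNextAuthUrl(env);
    return `${proto}://${headers.host}`;
  }
  return env.NEXTAUTH_URL ?? `http://${headers.host}`;
}

// Shape of one /api/auth/providers entry from the report (basePath /api/auth);
// the secureCookie flag is added here and follows the detected scheme, as in
// the snippet quoted earlier in the thread.
function providerUrls(origin: string, id: string) {
  return {
    signinUrl: `${origin}/api/auth/signin/${id}`,
    callbackUrl: `${origin}/api/auth/callback/${id}`,
    secureCookie: origin.startsWith("https://"),
  };
}

// Constructed local-dev input after `vc env pull`: VERCEL="1", no proxy headers.
const localDev = providerUrls(detectOriginAfter({ VERCEL: "1" }, { host: "localhost:3000" }), "github");
```

With the same input, `detectOriginBefore` yields the `https://localhost:3000` prefix from the report, while `detectOriginAfter` keeps `http://localhost:3000` and only switches to https when the proxy says so.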

@Crazypersonalph

It is safe to say that this issue can now be closed.

@balazsorban44
Member

This should be released in 4.22.1!

@MarcinCebula

MarcinCebula commented Jun 11, 2023

Hey @balazsorban44

There is a case where respecting x-forwarded-proto is not true. When using Zones the url returned would be wrong and would cause multiple issues.

  1. you would get the wrong domain
  2. you would get the wrong basePath

For example
https://github.com/nextauthjs/next-auth/blob/c7dec376a1272a0877c7e6fb2fc4173f08369f9f/packages/next-auth/src/utils/detect-origin.ts#LL5C1-L6C1

The desired url might be https://mydomain/app2/auth/....
btw when doing SignIn from App2 using Zones on Vercel you would get https://app2.mydomain/auth/...

Please notice the subdomain and basePath

NOTES:

  1. Things to note. For zones to work correctly most people extract x-forwarded-proto in middleware and set it to some other header like x-app-root-url
  2. A hacky solution to quickly solve this issue is to set VERCEL="" in ENV

Would love to discuss a solution for this issue and maybe create an example project to showcase the issue

@montnyc

montnyc commented Aug 12, 2023

> I am having the same issue @dferber90 . Is there a workaround?
>
> The workaround I used was to comment out the VERCEL env var in my .env.local file manually. It's not a great workaround but at least it unblocked me.
>
> @Crazypersonalph I was trying to say that it's not related to any cookies I already have, but the error is definitely somewhere in the logic of how next-auth detects whether to use https or not.

This is the only thing that worked for me... Was banging my head against the wall. Thanks! Would love an actual fix tho

@leogilmour

leogilmour commented Sep 7, 2023

We are still having this issue. Finally figured it out and commented VERCEL="1" out

"next": "^13.4.19",
"next-auth": "^4.23.1",

@toniopelo

@dferber90 @balazsorban44 @leogilmour There is a more convenient workaround I just tested, to be able to still use vercel env pull without having to comment out VERCEL="1" every time. Just add an env var for development only on vercel platform, name this env var VERCEL and leave the value blank. This is pretty dumb but it works without breaking vercel env updating flow.

[image]

A fix on nextauth side is still needed IMO because this shouldn't be needed.

@fsa317

fsa317 commented Oct 28, 2023

I seem to still be having this issue on the latest NEXT_AUTH

@dipsor

dipsor commented Nov 10, 2023

I am having same issue

@piersolenski

I too, am a haver of this issue

@gloriliale

Same here!

@pktaki

pktaki commented Mar 23, 2024

I'm also having the same issue, even after removing VERCEL="1" from .env, on version 4.23.1.

Does anyone know a fix for this issue?

@reginpv

reginpv commented Jul 13, 2024

> I am having the same issue @dferber90 . Is there a workaround?
>
> The workaround I used was to comment out the VERCEL env var in my .env.local file manually. It's not a great workaround but at least it unblocked me.
>
> @Crazypersonalph I was trying to say that it's not related to any cookies I already have, but the error is definitely somewhere in the logic of how next-auth detects whether to use https or not.

This is what I do currently, but is there a permanent fix? If I vercel env pull it will change again to 1

@reginpv

reginpv commented Jul 13, 2024

> @dferber90 @balazsorban44 @leogilmour There is a more convenient workaround I just tested, to be able to still use vercel env pull without having to comment out VERCEL="1" every time. Just add an env var for development only on vercel platform, name this env var VERCEL and leave the value blank. This is pretty dumb but it works without breaking vercel env updating flow.
>
> [image]
>
> A fix on nextauth side is still needed IMO because this shouldn't be needed.

This is the one that works for me! Thank you!
