Set-Cookie has invalid callbackUrl when using a reverse proxy

[claudiorivera]

Environment

System:
  OS: macOS 15.2
  CPU: (12) arm64 Apple M2 Max
  Memory: 2.47 GB / 32.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.13.1 - ~/.local/state/fnm_multishells/29413_1742935221977/bin/node
  Yarn: 1.22.22 - ~/.local/state/fnm_multishells/84398_1742909607575/bin/yarn
  npm: 10.9.2 - ~/.local/state/fnm_multishells/29413_1742935221977/bin/npm
  pnpm: 9.15.0 - ~/Library/pnpm/pnpm
  bun: 1.2.6 - /opt/homebrew/bin/bun
  Watchman: 2025.03.10.00 - /opt/homebrew/bin/watchman
Browsers:
  Chrome: 132.0.6834.160
  Edge: 134.0.3124.85
  Safari: 18.2
npmPackages:
  @auth/unstorage-adapter: ^2.0.0 => 2.8.0 
  next: latest => 15.2.4 
  next-auth: beta => 5.0.0-beta.25 
  react: ^18.2.0 => 18.3.1 

Reproduction URL

https://github.com/claudiorivera/next-auth-callbackurl

Describe the issue

When using a reverse proxy, users are redirected to https://localhost:3000 instead of https://app.example.localhost. This may be due to an invalid Set-Cookie value that points to https://localhost:3000 instead of the value in the query param callbackUrl.

Possibly related to #10928

How to reproduce

• Add app.example.localhost to your /etc/hosts
• pnpm i
• npx auth secret
• caddy run or use any tool to reverse proxy app.example.localhost to port 3000
• In a separate terminal: pnpm dev
• Visit https://app.example.localhost
• Notice the Set-Cookie response header:

__Secure-authjs.callback-url=https%3A%2F%2Fapp.example.localhost; Path=/; HttpOnly; Secure; SameSite=Lax

• Click Sign In
• Notice the callbackUrl query param is https%3A%2F%2Fapp.example.localhost%2F
• Notice the Set-Cookie response header:

__Secure-authjs.callback-url=https%3A%2F%2Flocalhost%3A3000; Path=/; HttpOnly; Secure; SameSite=Lax

• Sign in with credentials (username and password)
• Notice we are now at https://localhost:3000/auth/callback/credentials 😕

Expected behavior

I would expect to be redirected to the callbackUrl in the query param on the sign in page (ie. https://app.example.localhost)

[sreyemnayr]

I suspect this is due to this: vercel/next.js#36625 | vercel/next.js#37536

The request.nextUrl object for some reason defaults back to localhost even when you're using a different host (or 127.0.0.1 loopback as some services require rather than localhost). I just can't seem to find where it's happening in order to create a PR.

For my own experience, I can see that the callbackUrl cookie is being set as localhost:3000 even when I access via 127.0.0.1 and the callbackUrl being sent to the Spotify provider is being set to the same, which makes it not work. Works fine in production, as Vercel seems to be doing some kind of tomfoolery to update those parameters based on the comments to the issues above.

[justingorham-tesouro]

Also running into a similar issue for a NextJS 15 preview deployment to vercel. For some reason trustHost is not being respected.

My guess is nextauthjs needs to be updated to work with headers and cookies from next/headers in NextJS 15. Those function are synchronous in NextJS 14 but asynchronous in NextJS 15.