Use host and proto headers to determine request origin if AUTH_URL is not set

[bfichter]

☕️ Reasoning

The v5 docs state that AUTH_URL "is mostly unnecessary with v5 as the host is inferred from the request headers," but this is only the case in some areas of @auth/core, and the url of the request is often the fallback for determining URLs in the framework. But in the case that the app is running behind a reverse proxy or in a number of other networking setups, requests to @auth/core from next-auth won't have a relevant url (0.0.0.0 observed in our use case) and authentication will fail in a number of ways without AUTH_URL set.

This change checks request headers (if they're set) to determine the url to send to @auth/core, in the case that AUTH_URL or NEXTAUTH_URL are not set. This properly cuts reliance on AUTH_URL (in our use case) and also as a bonus enables multiple authentication urls to be used in a given system.

Possibly this behavior should be behind some config if we want to make it opt in. If so I'm happy to add that.

🧢 Checklist

• Documentation
• Tests
• Ready to be merged

🎫 Affected issues

📌 Resources

• Security guidelines
• Contributing guidelines
• Code of conduct
• Contributing to Open Source

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Dec 25, 2024 11:07pm

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Dec 25, 2024 11:07pm

[vercel]

@bfichter is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.