Open
Description
Environment
System:
OS: macOS 15.2
CPU: (12) arm64 Apple M2 Max
Memory: 2.47 GB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.13.1 - ~/.local/state/fnm_multishells/29413_1742935221977/bin/node
Yarn: 1.22.22 - ~/.local/state/fnm_multishells/84398_1742909607575/bin/yarn
npm: 10.9.2 - ~/.local/state/fnm_multishells/29413_1742935221977/bin/npm
pnpm: 9.15.0 - ~/Library/pnpm/pnpm
bun: 1.2.6 - /opt/homebrew/bin/bun
Watchman: 2025.03.10.00 - /opt/homebrew/bin/watchman
Browsers:
Chrome: 132.0.6834.160
Edge: 134.0.3124.85
Safari: 18.2
npmPackages:
@auth/unstorage-adapter: ^2.0.0 => 2.8.0
next: latest => 15.2.4
next-auth: beta => 5.0.0-beta.25
react: ^18.2.0 => 18.3.1
Reproduction URL
https://github.com/claudiorivera/next-auth-callbackurl
Describe the issue
When using a reverse proxy, users are redirected to https://localhost:3000 instead of https://app.example.localhost. This may be due to an invalid Set-Cookie value that points to https://localhost:3000 instead of the value in the query param callbackUrl.
Possibly related to #10928
How to reproduce
- Add app.example.localhost to your /etc/hosts
- pnpm i
- npx auth secret
- caddy run or use any tool to reverse proxy app.example.localhost to port 3000
- In a separate terminal: pnpm dev
- Visit https://app.example.localhost
- Notice the Set-Cookie response header:
  __Secure-authjs.callback-url=https%3A%2F%2Fapp.example.localhost; Path=/; HttpOnly; Secure; SameSite=Lax
- Click Sign In
- Notice the callbackUrl query param is https%3A%2F%2Fapp.example.localhost%2F
- Notice the Set-Cookie response header:
  __Secure-authjs.callback-url=https%3A%2F%2Flocalhost%3A3000; Path=/; HttpOnly; Secure; SameSite=Lax
- Sign in with credentials (username and password)
- Notice we are now at https://localhost:3000/auth/callback/credentials 😕
Expected behavior
I would expect to be redirected to the callbackUrl in the query param on the sign in page (i.e. https://app.example.localhost)
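
A check for the mismatch reported above, as an added example that is not part of the original issue or of Auth.js: it compares the origin in the callback-url cookie with the origin of the callbackUrl query param. The `/auth/signin` path, the function names and the cookie-name suffix match are assumptions; the two cookie values are the ones quoted in the issue.

```javascript
// Added example, not code from the issue or from Auth.js.
// Assumption: the cookie name ends in "authjs.callback-url", as in the headers quoted above.
const CALLBACK_COOKIE_SUFFIX = "authjs.callback-url";

// Split one Set-Cookie header value into its name and raw (still encoded) value.
function parseSetCookie(header) {
  const pair = header.split(";")[0].trim();
  const eq = pair.indexOf("=");
  return eq < 1 ? null : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
}

// Return the origin of an absolute URL, or null if it does not parse.
function originOf(raw) {
  try {
    return new URL(raw).origin;
  } catch {
    return null;
  }
}

// Percent-decode a cookie value; malformed escapes yield null instead of throwing.
function decodeCookieValue(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return null;
  }
}

// Compare the callbackUrl query param of the sign-in URL with the callback-url cookie in the response.
function checkCallbackCookie(signInUrl, setCookieHeaders) {
  const param = new URL(signInUrl).searchParams.get("callbackUrl"); // already decoded
  const expected = param === null ? null : originOf(param);
  const cookie = setCookieHeaders
    .map(parseSetCookie)
    .find((c) => c !== null && c.name.endsWith(CALLBACK_COOKIE_SUFFIX));
  const decoded = cookie ? decodeCookieValue(cookie.value) : null;
  const actual = decoded === null ? null : originOf(decoded);
  return { expected, actual, match: expected !== null && expected === actual };
}

// Constructed sample: the /auth/signin path is an assumption; cookie values are those quoted in the issue.
const SIGN_IN_URL = "https://app.example.localhost/auth/signin?callbackUrl=https%3A%2F%2Fapp.example.localhost%2F";
const FIRST = "__Secure-authjs.callback-url=https%3A%2F%2Fapp.example.localhost; Path=/; HttpOnly; Secure; SameSite=Lax";
const SECOND = "__Secure-authjs.callback-url=https%3A%2F%2Flocalhost%3A3000; Path=/; HttpOnly; Secure; SameSite=Lax";

console.log(checkCallbackCookie(SIGN_IN_URL, [FIRST]));
console.log(checkCallbackCookie(SIGN_IN_URL, [SECOND]));
```

Run against the response headers of the sign-in page behind the proxy, a `match: false` result reproduces the condition described in this report without completing a login.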