fix: credentials login behind proxy no longer works (#2177)

src/server/auth.ts

@@ -7,6 +7,7 @@ import { decode, encode } from 'next-auth/jwt';
 import { env } from '~/env';
 import { secondsFromTimeString } from '~/tools/client/parseDuration';
 import { adapter, getProviders, onCreateUser } from '~/utils/auth';
+import { createCookiesWithDefaultOptions } from '~/utils/auth/cookies';
 import { createRedirectUri } from '~/utils/auth/oidc';
 import EmptyNextAuthProvider from '~/utils/empty-provider';
 import { fromDate, generateSessionToken } from '~/utils/session';
@@ -106,17 +107,7 @@ export const constructAuthOptions = async (
   },
   adapter: adapter as Adapter,
   providers: [...(await getProviders(req.headers)), EmptyNextAuthProvider()],
-  cookies: {
-    sessionToken: {
-      name: 'next-auth.session-token',
-      options: {
-        httpOnly: true,
-        sameSite: 'lax',
-        path: '/',
-        secure: true,
-      },
-    },
-  },
+  cookies: createCookiesWithDefaultOptions(req.url?.startsWith('https:') ?? false),
   jwt: {
     async encode(params) {
       if (!isCredentialsRequest(req)) {

src/utils/auth/cookies.ts

@@ -0,0 +1,66 @@
+export const createCookiesWithDefaultOptions = (useSecureCookies: boolean) => {
+  const cookiePrefix = useSecureCookies ? '__Secure-' : '';
+
+  return {
+    // default cookie options
+    sessionToken: {
+      // We don't use __Secure prefix as the cookie is used in the code
+      name: `next-auth.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    callbackUrl: {
+      name: `${cookiePrefix}next-auth.callback-url`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    csrfToken: {
+      // Default to __Host- for CSRF token for additional protection if using useSecureCookies
+      // NB: The `__Host-` prefix is stricter than the `__Secure-` prefix.
+      name: `${useSecureCookies ? '__Host-' : ''}next-auth.csrf-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    pkceCodeVerifier: {
+      name: `${cookiePrefix}next-auth.pkce.code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
+      },
+    },
+    state: {
+      name: `${cookiePrefix}next-auth.state`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
+      },
+    },
+    nonce: {
+      name: `${cookiePrefix}next-auth.nonce`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+  } as const;
+};