Environment
```
% pnpm dlx envinfo --system --binaries --browsers --npmPackages "{next,react,next-auth,@auth/*}"
Packages: +1
+
Progress: resolved 1, reused 0, downloaded 1, added 1, done
System:
  OS: macOS 15.6.1
  CPU: (10) arm64 Apple M4
  Memory: 73.69 MB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.15.1 - /Users/stevenlybeck/.nvm/versions/node/v22.15.1/bin/node
  npm: 10.9.2 - /Users/stevenlybeck/.nvm/versions/node/v22.15.1/bin/npm
  pnpm: 10.24.0 - /Users/stevenlybeck/Library/pnpm/pnpm
Browsers:
  Chrome: 143.0.7499.41
  Firefox: 145.0.2
  Safari: 18.6
npmPackages:
  next: ^16.0.9 => 16.0.9
  next-auth: 5.0.0-beta.30 => 5.0.0-beta.30
  react: ^19.2.2 => 19.2.2
```
Reproduction URL
https://github.com/stevenlybeck/psychic-octo-giggle/tree/main
Describe the issue
I had a problem where when I moved to NODE_ENV=production I started getting "Host must be trusted." error logs - and more significantly, my app was skipping any login flow and attempting to render the logged-in version.
The page code is below - and in spite of the "Host must be trusted." config error, the session object returned as truthy and my app tried to render.
```tsx
export default async function Home() {
  const session = await auth()
  if (!session) {
    redirect('/login')
  }
  return <App />
}
```
I eventually tracked this down and I'm resolving it by just using the AUTH_URL env var, which will implicitly set trustHost.
But it seems off for auth() to return an object like `{message: "There was a problem with the server configuration. Check the server logs for more information."}` - it doesn't conform to the Session interface the auth() function is intended to return, and breaks null checks on the returned session object.
How to reproduce
- Set up config that doesn't automatically turn on config.trustHost
- Create a server component like the above that only does a truthiness-check on the response from auth():
  ```tsx
  export default async function Home() {
    const session = await auth()
    if (!session) {
      redirect('/login')
    }
    return <App />
  }
  ```
- Notice that as a result of the UntrustedHost error, auth() returns an object with an unexpected 'message' property.
Code debugging:
At the very least this seems to break type checking because the auth function is supposed to return an object conforming to the Session interface
Expected behavior
auth() function returns a value compliant with the type definitions in NextAuthResult.
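A fail-closed guard for the truthiness check described in this report, as an added example that is not part of the original issue or of next-auth itself. `SessionLike`, `isSession` and `getVerifiedSession` are hypothetical names, and the guard assumes a real session always carries an `expires` ISO timestamp that lies in the future.

```typescript
// Minimal session shape this guard relies on (assumption: a valid session
// always has an `expires` ISO timestamp string; `user` is optional).
interface SessionLike {
  expires: string
  user?: { id?: string; name?: string | null; email?: string | null }
}

// Hypothetical type guard: true only for values shaped like a live session.
function isSession(value: unknown): value is SessionLike {
  if (typeof value !== "object" || value === null) return false
  const v = value as Record<string, unknown>
  // The configuration-error object from the report has `message` but no `expires`.
  if (typeof v.expires !== "string") return false
  const expiry = Date.parse(v.expires)
  if (Number.isNaN(expiry) || expiry <= Date.now()) return false
  if (v.user !== undefined && (typeof v.user !== "object" || v.user === null)) {
    return false
  }
  return true
}

// Hypothetical wrapper: anything that is not a session becomes null, so an
// existing `if (!session) redirect('/login')` check fails closed. Exceptions
// from authFn propagate, which also stops the protected page from rendering.
async function getVerifiedSession(
  authFn: () => Promise<unknown>
): Promise<SessionLike | null> {
  const result = await authFn()
  return isSession(result) ? result : null
}

// Constructed sample values (not captured from a real deployment).
const configError = {
  message:
    "There was a problem with the server configuration. Check the server logs for more information.",
}
const validSession = {
  user: { name: "alice" },
  expires: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
}
const expiredSession = { user: { name: "alice" }, expires: "2000-01-01T00:00:00.000Z" }
```

In the page component from the report, `await getVerifiedSession(() => auth())` would take the place of the bare `await auth()`, leaving the redirect check unchanged.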