fix(core): createActionURL set detectedProtocol correctly (#10421)

* fix: possible invalid url in createActionURL * fix: x-forwarded-proto goes without colon
nextauthjs · Mar 31, 2024 · 246a838 · 246a838
1 parent 11cfb0a
commit 246a838
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 3 deletions.
diff --git a/packages/core/src/lib/utils/env.ts b/packages/core/src/lib/utils/env.ts
@@ -76,8 +76,9 @@ export function createActionURL(
     const detectedHost = headers.get("x-forwarded-host") ?? headers.get("host")
     const detectedProtocol =
       headers.get("x-forwarded-proto") ?? protocol ?? "https"
-
-    url = new URL(`${detectedProtocol}://${detectedHost}`)
+    const _protocol = detectedProtocol.endsWith(":") ? detectedProtocol : detectedProtocol + ':'
+
+    url = new URL(`${_protocol}//${detectedHost}`)
   }
 
   // remove trailing slash

diff --git a/packages/core/test/env.test.ts b/packages/core/test/env.test.ts
@@ -108,7 +108,7 @@ describe("config is inferred from environment variables", () => {
 })
 
 describe("createActionURL", () => {
-  const consoleWarnSpy = vi.spyOn(console, "warn").mockImplementation(() => { })
+  const consoleWarnSpy = vi.spyOn(console, "warn").mockImplementation(() => {})
 
   afterEach(() => {
     consoleWarnSpy.mockClear()
@@ -161,6 +161,56 @@ describe("createActionURL", () => {
       },
       expected: "https://example.com/auth/signin",
     },
+    {
+      args: {
+        action: "signin",
+        protocol: "http:",
+        headers: new Headers({
+          "x-forwarded-host": "example.com",
+        }),
+        env: {},
+        basePath: "/auth",
+      },
+      expected: "http://example.com/auth/signin",
+    },
+    {
+      args: {
+        action: "signin",
+        protocol: "https:",
+        headers: new Headers({
+          "x-forwarded-host": "example.com",
+        }),
+        env: {},
+        basePath: "/auth",
+      },
+      expected: "https://example.com/auth/signin",
+    },
+    {
+      args: {
+        action: "signin",
+        protocol: undefined,
+        headers: new Headers({
+          "x-forwarded-host": "example.com",
+          "x-forwarded-proto": "https",
+        }),
+        env: {},
+        basePath: "/auth",
+      },
+      expected: "https://example.com/auth/signin",
+    },
+    {
+      args: {
+        action: "signin",
+        protocol: undefined,
+        headers: new Headers({
+          "x-forwarded-host": "example.com",
+          "x-forwarded-proto": "http",
+        }),
+        env: {},
+        basePath: "/auth",
+      },
+      expected: "http://example.com/auth/signin",
+    },
     {
       args: {
         action: "signout",