Description
Environment

```
% pnpm dlx envinfo --system --binaries --browsers --npmPackages "{next,react,next-auth,@auth/*}"
Packages: +1
+
Progress: resolved 1, reused 0, downloaded 1, added 1, done

  System:
    OS: macOS 15.6.1
    CPU: (10) arm64 Apple M4
    Memory: 73.69 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.15.1 - /Users/stevenlybeck/.nvm/versions/node/v22.15.1/bin/node
    npm: 10.9.2 - /Users/stevenlybeck/.nvm/versions/node/v22.15.1/bin/npm
    pnpm: 10.24.0 - /Users/stevenlybeck/Library/pnpm/pnpm
  Browsers:
    Chrome: 143.0.7499.41
    Firefox: 145.0.2
    Safari: 18.6
  npmPackages:
    next: ^16.0.9 => 16.0.9
    next-auth: 5.0.0-beta.30 => 5.0.0-beta.30
    react: ^19.2.2 => 19.2.2
```
Reproduction URL
https://github.com/stevenlybeck/psychic-octo-giggle/tree/main
Describe the issue
I had a problem where when I moved to NODE_ENV=production I started getting "Host must be trusted." error logs - and more significantly, my app was skipping any login flow and attempting to render the logged-in version.
The page code is below - and in spite of the "Host must be trusted." config error, the session object returned as truthy and my app tried to render.
```tsx
import { redirect } from 'next/navigation'
import { auth } from '@/auth'   // your NextAuth config module; path assumed
import App from './App'         // the logged-in UI; path assumed

export default async function Home() {
  const session = await auth()
  // Only a truthiness check: an error-shaped object still passes it
  if (!session) {
    redirect('/login')
  }
  return <App />
}
```

I eventually tracked this down and I'm resolving it by just using the AUTH_URL env var, which will implicitly set trustHost.

But it seems off for auth() to return an object like {message: "There was a problem with the server configuration. Check the server logs for more information."} - it doesn't conform to the Session interface the auth() function is intended to return, and it breaks null checks on the returned session object.
How to reproduce

- Set up config that doesn't automatically turn on config.trustHost
  - There are multiple ways to end up here, but just don't trigger one of these: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/utils/env.ts#L44
- Create a server component like the above that only does a truthiness check on the response from auth():

```tsx
// Same component as above (imports omitted here)
export default async function Home() {
  const session = await auth()
  if (!session) {
    redirect('/login')
  }
  return <App />
}
```

- Notice that, as a result of the UntrustedHost error, auth() returns an object with an unexpected 'message' property.
Code debugging:

- When @core/auth Auth calls assertConfig()
- It gets back an UntrustedHost object.
- Then @core/auth/Auth returns a JSON object containing only a 'message' property, which gets logged as an error.
- Then this file returns a generic error message
- Which wraps back up to our auth() function

At the very least this seems to break type checking, because the auth function is supposed to return an object conforming to the Session interface.
Expected behavior
auth() function returns a value compliant with the type definitions in NextAuthResult.
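The following is an added example, not code from the issue author or from next-auth. It shows the guard a page should use instead of a bare truthiness check, so that an error-shaped reply like the {message: "..."} object described above is treated as "not logged in", and it models the trustHost default the report describes (AUTH_URL turns it on; NODE_ENV=production turns it off). The Session shape, the routeFor and trustHostDefault names, and the AUTH_TRUST_HOST handling are assumptions for illustration; the sample inputs are constructed, not captured from a real app.

```typescript
// Added example (not next-auth's code): narrow an auth() result to a Session
// instead of trusting truthiness, and model the trustHost default.

// Minimal stand-in for the Session shape (assumed; the real type is next-auth's).
interface Session {
  user: { name?: string | null; email?: string | null };
  expires: string;
}

// Type guard: true only for objects that carry the fields a Session has.
// A bare `if (!session)` lets an error object through; this does not.
function isSession(value: unknown): value is Session {
  if (typeof value !== "object" || value === null) return false;
  const v = value as Record<string, unknown>;
  // The error reply described in the report has only a `message` property.
  if ("message" in v && !("user" in v)) return false;
  return typeof v.user === "object" && v.user !== null && typeof v.expires === "string";
}

// Routing decision for the page: render the app or send the user to /login.
function routeFor(authResult: unknown): "login" | "app" {
  return isSession(authResult) ? "app" : "login";
}

// Simplified model (assumption, not a copy of env.ts) of when trustHost is
// on by default: AUTH_URL or AUTH_TRUST_HOST set it, and outside
// NODE_ENV=production it is on anyway.
function trustHostDefault(env: Record<string, string | undefined>): boolean {
  if (env.AUTH_URL) return true;
  if (env.AUTH_TRUST_HOST) return true;
  return env.NODE_ENV !== "production";
}

// Constructed sample inputs (not captured from a real deployment).
const ERROR_REPLY = {
  message:
    "There was a problem with the server configuration. Check the server logs for more information.",
};
const VALID_SESSION: Session = {
  user: { name: "alice" },
  expires: "2030-01-01T00:00:00.000Z",
};

// In the page component this replaces the truthiness check
// (Next.js imports omitted so the file runs stand-alone):
//   const session = await auth();
//   if (!isSession(session)) redirect("/login");
```

The guard deliberately rejects anything with a `message` property and no `user`, which is exactly the shape that slipped past the original null check, and it keeps rejecting null and undefined as before.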