Specifying a default callbackUrl on the server

[kripod]

Summary of proposed feature

The default value of callbackUrl should be specifiable securely as an option on the server.

Purpose of proposed feature

While the client-side signIn function provides a dynamic, location-based fallback for callbackUrl, an API call to /api/auth/signin/* has process.env.NEXTAUTH_URL hardcoded as the fallback value.

Detail about proposed feature

import type { NextApiRequest, NextApiResponse } from "next";
import NextAuth, { InitOptions } from "next-auth";

const options: InitOptions = {
  pages: {
    // `process.env.NEXTAUTH_URL` could be prepended automatically
    defaultCallback: "/auth/callback",
  },
};

export default (req: NextApiRequest, res: NextApiResponse) =>
  NextAuth(req, res, options);

Potential problems

There could be a mismatch between the client and the server by introducing a new defaultCallback URL on the server. The client shouldn’t infer a callbackUrl (based on window.location) after this feature is implemented.

[jasonkuhrt]

This looks like a duplicate of #969

[kripod]

@jasonkuhrt Thanks for pointing this out, I’m closing this in favor of that issue.