chore: bump versions

[skip ci]
fix: don't show error on relative callbackUrl
2026-05-01 10:55:20 +00:00 · 2022-06-14 00:10:16 +02:00 · 2022-06-12 14:37:04 +02:00 · 2022-06-10 14:52:05 +02:00
3 changed files with 11 additions and 8 deletions
--- a/packages/adapter-sequelize/package.json
+++ b/packages/adapter-sequelize/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@next-auth/sequelize-adapter",
-  "version": "1.0.2",
+  "version": "1.0.4",
  "description": "Sequelize adapter for next-auth.",
  "homepage": "https://next-auth.js.org",
  "repository": "https://github.com/nextauthjs/adapters",
--- a/packages/next-auth/package.json
+++ b/packages/next-auth/package.json
@@ -1,6 +1,6 @@
 {
  "name": "next-auth",
-  "version": "4.3.4",
+  "version": "4.5.0",
  "description": "Authentication for Next.js",
  "homepage": "https://next-auth.js.org",
  "repository": "https://github.com/nextauthjs/next-auth.git",
--- a/packages/next-auth/src/core/lib/assert.ts
+++ b/packages/next-auth/src/core/lib/assert.ts
@@ -21,9 +21,11 @@ type ConfigError =

 let twitterWarned = false

-function isValidHttpUrl(url: string) {
+function isValidHttpUrl(url: string, baseUrl: string) {
  try {
-    return /^https?:/.test(new URL(url).protocol)
+    return /^https?:/.test(
+      new URL(url, url.startsWith("/") ? baseUrl : undefined).protocol
+    )
  } catch {
    return false
  }
@@ -57,23 +59,24 @@ export function assertConfig(

  const callbackUrlParam = req.query?.callbackUrl as string | undefined

-  if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam)) {
+  const url = parseUrl(req.host)
+
+  if (callbackUrlParam && !isValidHttpUrl(callbackUrlParam, url.base)) {
    return new InvalidCallbackUrl(
      `Invalid callback URL. Received: ${callbackUrlParam}`
    )
  }

+  // This is below the callbackUrlParam check because it would obscure the error
  if (!req.host) return "NEXTAUTH_URL"

-  const url = parseUrl(req.host)
-
  const { callbackUrl: defaultCallbackUrl } = defaultCookies(
    options.useSecureCookies ?? url.base.startsWith("https://")
  )
  const callbackUrlCookie =
    req.cookies?.[options.cookies?.callbackUrl?.name ?? defaultCallbackUrl.name]

-  if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie)) {
+  if (callbackUrlCookie && !isValidHttpUrl(callbackUrlCookie, url.base)) {
    return new InvalidCallbackUrl(
      `Invalid callback URL. Received: ${callbackUrlCookie}`
    )
Author	SHA1	Message	Date
Balázs Orbán	8c5d9faad6	chore: bump versions [skip ci]	2022-06-14 00:10:16 +02:00
Balázs Orbán	49a8d51f79	fix: don't show error on relative callbackUrl fixes #4700	2022-06-12 14:37:04 +02:00
Balázs Orbán	c0d251731d	chore: bump version	2022-06-10 14:52:05 +02:00