feat(auth0-fastify): Add MCD support #43

Merged
nandan-bhat merged 8 commits into main from feature/mcd-fastify
Apr 9, 2026

@nandan-bhat nandan-bhat commented Feb 4, 2026

Adds Multiple Custom Domains (MCD) support to @auth0/auth0-fastify by delegating issuer/domain resolution and validation to @auth0/auth0-server-js and enabling request‑inferred appBaseUrl when using a resolver. Updates documentation and tests to cover inference behavior and risk guidance.

Changes

  • domain can now be a DomainResolver (from @auth0/auth0-server-js). Exposes DomainResolver and DomainResolverContext from this SDK for consumers.
  • appBaseUrl behavior:
    • Static domain (non‑MCD): appBaseUrl remains required (same as main).
    • Resolver (MCD): appBaseUrl is optional; if omitted, it’s inferred from Host / x-forwarded-*.
  • Redirect handling: When appBaseUrl is inferred, redirect_uri is passed per request; when static, a single redirect URI is precomputed.
  • Discovery cache: Documented defaults and MCD relevance.

Usage example

import Fastify from 'fastify';
import auth0, {
  DomainResolver,
  DomainResolverContext,
  StoreOptions,
} from '@auth0/auth0-fastify';

const domainByHost: Record<string, string> = {
  'app-a.example.com': 'custom-a.auth0.com',
  'app-b.example.com': 'custom-b.auth0.com',
};

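const domainResolver: DomainResolver<StoreOptions> = async (
  { storeOptions }: DomainResolverContext<StoreOptions>
) => {
  // x-forwarded-host is trustworthy only when the edge proxy sets or strips it
  // (see Risks below); otherwise it is client-controlled input.
  const hostHeader = storeOptions?.request?.headers['x-forwarded-host']
    ?? storeOptions?.request?.headers.host;
  if (!hostHeader) return null;

  const first = Array.isArray(hostHeader) ? hostHeader[0] : hostHeader;
  if (!first) return null;
  const host = first.toLowerCase();
  // Own-property lookup so a header value such as "constructor" cannot resolve
  // to an inherited Object.prototype member.
  return Object.prototype.hasOwnProperty.call(domainByHost, host)
    ? domainByHost[host]
    : null;
};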

const fastify = Fastify({ logger: true });

fastify.register(auth0, {
  domain: domainResolver,
  clientId: process.env.AUTH0_CLIENT_ID!,
  clientSecret: process.env.AUTH0_CLIENT_SECRET!,
  sessionSecret: process.env.AUTH0_SESSION_SECRET!,
});

fastify.get('/', async (request, reply) => {
  const user = await fastify.auth0Client?.getUser({ request, reply });
  reply.send(user ?? { message: 'Not logged in' });
});

fastify.listen({ port: 3000 });

Risks

  • Inferred appBaseUrl relies on trusted proxy headers. If Host / x-forwarded-* are not validated at the edge, redirects/logouts can be influenced. Mitigate by providing a static appBaseUrl or enforcing header validation in the proxy.
  • No breaking change vs main for static domain usage; resolver mode is additive.

Expecting pipeline failure

  • CI will fail until @auth0/auth0-server-js is published, because this branch currently depends on a local path (or a version not yet available on npm).
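
One way to apply the header validation named under Risks before a host is used for domain resolution or an inferred appBaseUrl. This is an added example, not code from this PR or the SDK. `resolveTenant`, `normalizeHost`, `single`, the proxy address and the pinned `https` scheme are assumptions; only the app hosts and custom domains come from the usage example above.

```typescript
// Added example; every name here is hypothetical except the two app hosts
// and custom domains, which are taken from the PR's usage example.
type HeaderValue = string | string[] | undefined;
type Headers = Record<string, HeaderValue>;

// A Map has no inherited keys, so "constructor" or "__proto__" never match.
const DOMAIN_BY_HOST = new Map<string, string>([
  ['app-a.example.com', 'custom-a.auth0.com'],
  ['app-b.example.com', 'custom-b.auth0.com'],
]);
// Constructed value: address of the only proxy allowed to set x-forwarded-host.
const TRUSTED_PROXIES = new Set<string>(['10.0.0.5']);

// Lower-case, drop a trailing dot and an optional port. Anything else
// (commas, spaces, '@', '/') fails the match and is rejected.
function normalizeHost(raw: string): string | null {
  const m = /^([a-z0-9.-]+?)\.?(?::\d{1,5})?$/.exec(raw.trim().toLowerCase());
  return m?.[1] ?? null;
}

// Exactly one header value is accepted; repeated headers are ambiguous.
function single(value: HeaderValue): string | null {
  if (typeof value === 'string') return value;
  return Array.isArray(value) && value.length === 1 ? (value[0] ?? null) : null;
}

interface Tenant { host: string; domain: string; appBaseUrl: string }

function resolveTenant(headers: Headers, remoteAddress: string): Tenant | null {
  // x-forwarded-host counts only when the TCP peer is the trusted proxy;
  // from any other peer it is client input and Host is used instead.
  const viaProxy = TRUSTED_PROXIES.has(remoteAddress);
  const forwarded = headers['x-forwarded-host'];
  const raw = single(viaProxy && forwarded !== undefined ? forwarded : headers['host']);
  const host = raw === null ? null : normalizeHost(raw);
  const domain = host === null ? undefined : DOMAIN_BY_HOST.get(host);
  if (host === null || domain === undefined) return null;
  // Assumption: TLS terminates at the edge, so the scheme is pinned to https
  // instead of being read from x-forwarded-proto.
  return { host, domain, appBaseUrl: `https://${host}` };
}
```

A `null` result means the request should be rejected before any redirect or logout URL is built from it.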

@nandan-bhat nandan-bhat force-pushed the feature/mcd-fastify branch from 336f3c6 to 1726b95 on April 9, 2026 15:16
@kishore7snehil kishore7snehil left a comment

LGTM!

@nandan-bhat nandan-bhat merged commit c1bb7df into main Apr 9, 2026
6 checks passed