From 98e01f05b84f1407f7876f62e9ab47f3b1519d55 Mon Sep 17 00:00:00 2001
From: Krisztian Koller <krisztian.koller@flex.com>
Date: Tue, 9 Sep 2025 11:55:52 +0200
Subject: [PATCH 1/4] feat: set baseUrl from browser url on client side

---
 package.json                           | 2 +-
 packages/next-auth/src/react/index.tsx | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 31615efe16..96a25bea42 100644
--- a/package.json
+++ b/package.json
@@ -46,7 +46,7 @@
     ]
   },
   "engines": {
-    "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0"
+    "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0 || ^20.18.3"
   },
   "prettier": {
     "semi": false,
diff --git a/packages/next-auth/src/react/index.tsx b/packages/next-auth/src/react/index.tsx
index e0308c5c98..2d12757ae2 100644
--- a/packages/next-auth/src/react/index.tsx
+++ b/packages/next-auth/src/react/index.tsx
@@ -47,7 +47,11 @@ export * from "./types"
 // 2. When invoked server side the value is picked up from an environment
 //    variable and defaults to 'http://localhost:3000'.
 const __NEXTAUTH: AuthClientConfig = {
-  baseUrl: parseUrl(process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL).origin,
+  baseUrl: parseUrl(
+    typeof window === "undefined"
+      ? process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL
+      : window.location.origin
+  ).origin,
   basePath: parseUrl(process.env.NEXTAUTH_URL).path,
   baseUrlServer: parseUrl(
     process.env.NEXTAUTH_URL_INTERNAL ??

From 8425cdf60d440e1bac99c41cfa2178b424e83dcc Mon Sep 17 00:00:00 2001
From: Krisztian Koller <krisztian.koller@flex.com>
Date: Mon, 15 Sep 2025 16:55:00 +0200
Subject: [PATCH 2/4] feat: set origin from host header instead of NEXTAUTH_URL

---
 packages/next-auth/package.json      |  4 ++--
 packages/next-auth/src/core/index.ts | 14 +++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/packages/next-auth/package.json b/packages/next-auth/package.json
index 7d22281052..cc2695431b 100644
--- a/packages/next-auth/package.json
+++ b/packages/next-auth/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "next-auth",
-  "version": "4.24.11",
+  "name": "@kollerdroid/next-auth",
+  "version": "4.24.11-dev.15",
   "description": "Authentication for Next.js",
   "homepage": "https://authjs.dev",
   "repository": "https://github.com/nextauthjs/next-auth.git",
diff --git a/packages/next-auth/src/core/index.ts b/packages/next-auth/src/core/index.ts
index 9d16f057ea..023bbe84b2 100644
--- a/packages/next-auth/src/core/index.ts
+++ b/packages/next-auth/src/core/index.ts
@@ -70,17 +70,21 @@ async function toInternalRequest(
       cookies: parseCookie(req.headers.get("cookie") ?? ""),
       providerId: nextauth[1],
       error: url.searchParams.get("error") ?? nextauth[1],
-      origin: detectOrigin(
-        headers["x-forwarded-host"] ?? headers.host,
-        headers["x-forwarded-proto"]
-      ),
+      origin: headers.host
+        ? "https://" + headers.host
+        : detectOrigin(
+            headers["x-forwarded-host"] ?? headers.host,
+            headers["x-forwarded-proto"]
+          ),
       query,
     }
   }
 
   const { headers } = req
   const host = headers?.["x-forwarded-host"] ?? headers?.host
-  req.origin = detectOrigin(host, headers?.["x-forwarded-proto"])
+  req.origin = host
+    ? "https://" + host
+    : detectOrigin(host, headers?.["x-forwarded-proto"])
 
   return req
 }

From 491751806dfc9b32ddca75c83b8f7d3043400dda Mon Sep 17 00:00:00 2001
From: Krisztian Koller <krisztian.koller@flex.com>
Date: Thu, 18 Sep 2025 09:43:07 +0200
Subject: [PATCH 3/4] feat: replace hardcoded protocol

---
 package.json                           | 2 +-
 packages/next-auth/package.json        | 2 +-
 packages/next-auth/src/core/index.ts   | 9 ++++++---
 packages/next-auth/src/react/index.tsx | 2 +-
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/package.json b/package.json
index 96a25bea42..31615efe16 100644
--- a/package.json
+++ b/package.json
@@ -46,7 +46,7 @@
     ]
   },
   "engines": {
-    "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0 || ^20.18.3"
+    "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0"
   },
   "prettier": {
     "semi": false,
diff --git a/packages/next-auth/package.json b/packages/next-auth/package.json
index cc2695431b..5a91559f60 100644
--- a/packages/next-auth/package.json
+++ b/packages/next-auth/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@kollerdroid/next-auth",
-  "version": "4.24.11-dev.15",
+  "version": "4.24.11-dev.38",
   "description": "Authentication for Next.js",
   "homepage": "https://authjs.dev",
   "repository": "https://github.com/nextauthjs/next-auth.git",
diff --git a/packages/next-auth/src/core/index.ts b/packages/next-auth/src/core/index.ts
index 023bbe84b2..939b718450 100644
--- a/packages/next-auth/src/core/index.ts
+++ b/packages/next-auth/src/core/index.ts
@@ -70,8 +70,8 @@ async function toInternalRequest(
       cookies: parseCookie(req.headers.get("cookie") ?? ""),
       providerId: nextauth[1],
       error: url.searchParams.get("error") ?? nextauth[1],
-      origin: headers.host
-        ? "https://" + headers.host
+      origin: headers?.host
+        ? `${url.protocol}//${headers.host}`
         : detectOrigin(
             headers["x-forwarded-host"] ?? headers.host,
             headers["x-forwarded-proto"]
@@ -82,8 +82,11 @@ async function toInternalRequest(
 
   const { headers } = req
   const host = headers?.["x-forwarded-host"] ?? headers?.host
+
   req.origin = host
-    ? "https://" + host
+    ? (process.env.NEXTAUTH_URL?.startsWith("https://") ?? !!process.env.VERCEL
+        ? "https://"
+        : "http://") + host
     : detectOrigin(host, headers?.["x-forwarded-proto"])
 
   return req
diff --git a/packages/next-auth/src/react/index.tsx b/packages/next-auth/src/react/index.tsx
index 2d12757ae2..ad877ff032 100644
--- a/packages/next-auth/src/react/index.tsx
+++ b/packages/next-auth/src/react/index.tsx
@@ -50,7 +50,7 @@ const __NEXTAUTH: AuthClientConfig = {
   baseUrl: parseUrl(
     typeof window === "undefined"
       ? process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL
-      : window.location.origin
+      : window.origin
   ).origin,
   basePath: parseUrl(process.env.NEXTAUTH_URL).path,
   baseUrlServer: parseUrl(

From 4469998217b88250eaacb1de15a7e6c3efdf586a Mon Sep 17 00:00:00 2001
From: Krisztian Koller <krisztian.koller@flex.com>
Date: Thu, 18 Sep 2025 10:24:59 +0200
Subject: [PATCH 4/4] feat: set package name and version

---
 packages/next-auth/package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/next-auth/package.json b/packages/next-auth/package.json
index 5a91559f60..08df9acf0d 100644
--- a/packages/next-auth/package.json
+++ b/packages/next-auth/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "@kollerdroid/next-auth",
-  "version": "4.24.11-dev.38",
+  "name": "next-auth",
+  "version": "4.25.0",
   "description": "Authentication for Next.js",
   "homepage": "https://authjs.dev",
   "repository": "https://github.com/nextauthjs/next-auth.git",