refactor(core): allow trusting the forwarded host header

[revmischa]

NOTE:

• It's a good idea to open an issue first to discuss potential changes.
• Please make sure that you are NOT opening a PR to fix a potential security vulnerability. Instead, please follow the Security guidelines to disclose the issue to us confidentially.

☕️ Reasoning

I want to forward a host header in CloudFront, I'm not using Vercel. It's needed for requests to a lambda function URL.

Source: https://github.com/jetbridge/cdk-nextjs

🧢 Checklist

• Documentation
• Tests
• Ready to be merged

🎫 Affected issues

Please scout and link issues that might be solved by this PR.

Fixes: INSERT_ISSUE_LINK_HERE

📌 Resources

• Security guidelines
• Contributing guidelines
• Code of conduct
• Contributing to Open Source

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Updated
next-auth	⬜️ Ignored (Inspect)		Oct 12, 2022 at 8:20PM (UTC)

[balazsorban44]

Thanks, I was actually going to do this in https://github.com/nextauthjs/next-auth/pull/5536/files#diff-3cc6ded936a2c02c746c1d933414fb001e90fc06df7792e24b725a66e354d951R1

But we can probably land this faster. Would you mind renaming it to AUTH_TRUST_HOST?

For now, I am OK if we don't document this, so if needed, we can iterate on the approach (most likely won't have to, but unless documented, we can just say something is not intended to be used 👍)