fix: detectHost should respect env NEXTAUTH_URL_INTERNAL

[STRRL]

Signed-off-by: STRRL im@strrl.dev

NOTE:

• It's a good idea to open an issue first to discuss potential changes.
• Please make sure that you are NOT opening a PR to fix a potential security vulnerability. Instead, please follow the Security guidelines to disclose the issue to us confidentially.

☕️ Reasoning

close #5676

vercel dev would always lead me to https://localhost:3000/api/auth/**** not http://localhost:3000/api/auth/***, because:

• when it initializes the next auth, it uses detectHost to pretend the URL for the server
• with vercel, detectHost extract x-forwarded-host from the HTTP request header, which is always locahost:3000(without none of http or https prefix) in my scenario
• because the return value of detectHost do not contains the http/https schema, it automatic append https for it, which is not expected in development environment

next-auth/packages/next-auth/src/utils/parse-url.ts

Lines 18 to 20 in 733fd5f

	if (url && !url.startsWith("http")) {
	url = `https://${url}`
	}

🧢 Checklist

• Documentation
• Tests
• Ready to be merged

🎫 Affected issues

Please scout and link issues that might be solved by this PR.

Fixes: INSERT_ISSUE_LINK_HERE

📌 Resources

• Security guidelines
• Contributing guidelines
• Code of conduct
• Contributing to Open Source

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Updated
next-auth	⬜️ Ignored (Inspect)		Oct 30, 2022 at 11:12AM (UTC)

[ThangHuuVu]

Unfortunately, this is not acceptable because it would break the docker deployments. See: #6949