fix(auth-next-server): resolve redirectUri from env vars in zero-config

rodrigo-fournier-immutable · rodrigo-fournier-immutable · commit f3d7e7868d38 · 2026-02-17T11:32:06.000+11:00
- Add resolveDefaultRedirectUri: NEXT_PUBLIC_REDIRECT_URI &gt; NEXTAUTH_URL + path &gt; AUTH_URL + path &gt; path-only
- Fix sample app getAuthConfig to use POPUP_REDIRECT_URI for Auth NextJS (fixes callback URL mismatch in production)
diff --git a/packages/auth-next-server/src/config.ts b/packages/auth-next-server/src/config.ts
@@ -56,6 +56,20 @@ async function validateTokens(
   }
 }
 
+/**
+ * Resolve redirect URI for zero-config mode.
+ * Priority: NEXT_PUBLIC_REDIRECT_URI > NEXTAUTH_URL + path > AUTH_URL + path > path-only.
+ */
+function resolveDefaultRedirectUri(): string {
+  const fromEnv = process.env.NEXT_PUBLIC_REDIRECT_URI;
+  if (fromEnv) return fromEnv;
+  const nextAuthUrl = process.env.NEXTAUTH_URL;
+  if (nextAuthUrl) return new URL(DEFAULT_REDIRECT_URI_PATH, nextAuthUrl).href;
+  const authUrl = process.env.AUTH_URL;
+  if (authUrl) return new URL(DEFAULT_REDIRECT_URI_PATH, authUrl).href;
+  return DEFAULT_REDIRECT_URI_PATH;
+}
+
 /**
  * Create Auth.js v5 configuration for Immutable authentication.
  *
@@ -87,10 +101,12 @@ async function validateTokens(
  * ```
  */
 export function createAuthConfig(config?: ImmutableAuthConfig): NextAuthConfig {
-  const resolvedConfig: ImmutableAuthConfig = config ?? {
-    clientId: DEFAULT_SANDBOX_CLIENT_ID,
-    redirectUri: DEFAULT_REDIRECT_URI_PATH,
-  };
+  const resolvedConfig: ImmutableAuthConfig = config
+    ? { ...config }
+    : {
+      clientId: DEFAULT_SANDBOX_CLIENT_ID,
+      redirectUri: resolveDefaultRedirectUri(),
+    };
   const authDomain = resolvedConfig.authenticationDomain || DEFAULT_AUTH_DOMAIN;
 
   return {
diff --git a/packages/passport/sdk-sample-app/src/lib/immutable-auth.ts b/packages/passport/sdk-sample-app/src/lib/immutable-auth.ts
@@ -7,7 +7,7 @@
 import type { ImmutableAuthConfig } from "@imtbl/auth-next-server";
 import { DEFAULT_SANDBOX_CLIENT_ID } from "@imtbl/auth-next-server";
 import { EnvironmentNames } from "@/types";
-import { BASE_PATH } from "@/config";
+import { BASE_PATH, POPUP_REDIRECT_URI } from "@/config";
 
 // Client IDs for each environment (same as ImmutableProvider)
 const CLIENT_IDS: Partial<Record<EnvironmentNames, string>> = {
@@ -28,10 +28,9 @@ const AUTH_DOMAINS: Record<EnvironmentNames, string> = {
 // Get auth config for a specific environment
 export function getAuthConfig(environment: EnvironmentNames): ImmutableAuthConfig {
   const baseUrl = typeof window !== "undefined" ? window.location.origin : "http://localhost:3000";
-
   return {
     clientId: environment === EnvironmentNames.DEFAULT ? DEFAULT_SANDBOX_CLIENT_ID : CLIENT_IDS[environment]!,
-    redirectUri: `${baseUrl}${BASE_PATH}/callback`,
+    redirectUri: POPUP_REDIRECT_URI || `${baseUrl}${BASE_PATH}/callback`,
     audience: "platform_api",
     scope: "openid profile email offline_access transact",
     authenticationDomain: AUTH_DOMAINS[environment],
