hazo_auth 5.1.30 → 5.1.31

package/cli-src/lib/utils/get_origin_url.ts

@@ -0,0 +1,61 @@
+// file_description: Resolves the public-facing origin URL for constructing redirects
+// When running behind a reverse proxy (Cloudflare, nginx), request.url resolves to
+// the internal address (e.g. http://localhost:3000). This utility returns the correct
+// public origin using NEXTAUTH_URL, falling back to request.url.
+
+/**
+ * Gets the public-facing origin URL for redirect construction.
+ *
+ * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
+ * internal address (e.g. `http://localhost:3000`), not the public domain.
+ * This function returns the correct origin from environment variables.
+ *
+ * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
+ *
+ * @param request_url - The request.url to use as fallback
+ * @returns The origin URL (e.g. "https://gotimer.org")
+ */
+export function get_origin_url(request_url: string): string {
+  // NEXTAUTH_URL is the standard for NextAuth.js apps
+  const nextauth_url = process.env.NEXTAUTH_URL;
+  if (nextauth_url) {
+    return nextauth_url.replace(/\/$/, "");
+  }
+
+  // APP_DOMAIN_NAME (with protocol handling)
+  const app_domain = process.env.APP_DOMAIN_NAME;
+  if (app_domain) {
+    const domain = app_domain.trim();
+    if (domain.startsWith("http://") || domain.startsWith("https://")) {
+      return domain.replace(/\/$/, "");
+    }
+    return `https://${domain}`;
+  }
+
+  // Other common env vars
+  const env_url = process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL;
+  if (env_url) {
+    return env_url.replace(/\/$/, "");
+  }
+
+  // Fallback to request.url (works in development without a proxy)
+  try {
+    const url = new URL(request_url);
+    return url.origin;
+  } catch {
+    return request_url;
+  }
+}
+
+/**
+ * Creates a URL using the public-facing origin instead of request.url.
+ * Drop-in replacement for `new URL(path, request.url)` in route handlers.
+ *
+ * @param path - The path or relative URL (e.g. "/hazo_auth/login")
+ * @param request_url - The request.url (used as fallback only)
+ * @returns A URL object with the correct public origin
+ */
+export function create_redirect_url(path: string, request_url: string): URL {
+  const origin = get_origin_url(request_url);
+  return new URL(path, origin);
+}

package/dist/lib/utils/get_origin_url.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Gets the public-facing origin URL for redirect construction.
+ *
+ * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
+ * internal address (e.g. `http://localhost:3000`), not the public domain.
+ * This function returns the correct origin from environment variables.
+ *
+ * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
+ *
+ * @param request_url - The request.url to use as fallback
+ * @returns The origin URL (e.g. "https://gotimer.org")
+ */
+export declare function get_origin_url(request_url: string): string;
+/**
+ * Creates a URL using the public-facing origin instead of request.url.
+ * Drop-in replacement for `new URL(path, request.url)` in route handlers.
+ *
+ * @param path - The path or relative URL (e.g. "/hazo_auth/login")
+ * @param request_url - The request.url (used as fallback only)
+ * @returns A URL object with the correct public origin
+ */
+export declare function create_redirect_url(path: string, request_url: string): URL;
+//# sourceMappingURL=get_origin_url.d.ts.map

package/dist/lib/utils/get_origin_url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_origin_url.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/get_origin_url.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CA8B1D;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,GAAG,CAG1E"}

package/dist/lib/utils/get_origin_url.js

@@ -0,0 +1,57 @@
+// file_description: Resolves the public-facing origin URL for constructing redirects
+// When running behind a reverse proxy (Cloudflare, nginx), request.url resolves to
+// the internal address (e.g. http://localhost:3000). This utility returns the correct
+// public origin using NEXTAUTH_URL, falling back to request.url.
+/**
+ * Gets the public-facing origin URL for redirect construction.
+ *
+ * Behind reverse proxies (Cloudflare, nginx, etc.), `request.url` contains the
+ * internal address (e.g. `http://localhost:3000`), not the public domain.
+ * This function returns the correct origin from environment variables.
+ *
+ * Priority: NEXTAUTH_URL > APP_DOMAIN_NAME > NEXT_PUBLIC_APP_URL > APP_URL > request.url
+ *
+ * @param request_url - The request.url to use as fallback
+ * @returns The origin URL (e.g. "https://gotimer.org")
+ */
+export function get_origin_url(request_url) {
+    // NEXTAUTH_URL is the standard for NextAuth.js apps
+    const nextauth_url = process.env.NEXTAUTH_URL;
+    if (nextauth_url) {
+        return nextauth_url.replace(/\/$/, "");
+    }
+    // APP_DOMAIN_NAME (with protocol handling)
+    const app_domain = process.env.APP_DOMAIN_NAME;
+    if (app_domain) {
+        const domain = app_domain.trim();
+        if (domain.startsWith("http://") || domain.startsWith("https://")) {
+            return domain.replace(/\/$/, "");
+        }
+        return `https://${domain}`;
+    }
+    // Other common env vars
+    const env_url = process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL;
+    if (env_url) {
+        return env_url.replace(/\/$/, "");
+    }
+    // Fallback to request.url (works in development without a proxy)
+    try {
+        const url = new URL(request_url);
+        return url.origin;
+    }
+    catch (_a) {
+        return request_url;
+    }
+}
+/**
+ * Creates a URL using the public-facing origin instead of request.url.
+ * Drop-in replacement for `new URL(path, request.url)` in route handlers.
+ *
+ * @param path - The path or relative URL (e.g. "/hazo_auth/login")
+ * @param request_url - The request.url (used as fallback only)
+ * @returns A URL object with the correct public origin
+ */
+export function create_redirect_url(path, request_url) {
+    const origin = get_origin_url(request_url);
+    return new URL(path, origin);
+}

package/dist/server/routes/oauth_google_callback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCAgJ7C"}
+{"version":3,"file":"oauth_google_callback.d.ts","sourceRoot":"","sources":["../../../src/server/routes/oauth_google_callback.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwBxD;;;;GAIG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,WAAW,kCAgJ7C"}

package/dist/server/routes/oauth_google_callback.js

@@ -10,6 +10,7 @@ import { get_cookie_name, get_cookie_options, BASE_COOKIE_NAMES } from "../../li
 import { get_hazo_connect_instance } from "../../lib/hazo_connect_instance.server.js";
 import { get_post_login_redirect } from "../../lib/services/post_verification_service.js";
 import { get_oauth_config } from "../../lib/oauth_config.server.js";
+import { create_redirect_url } from "../../lib/utils/get_origin_url.js";
 // section: api_handler
 /**
  * Handles the OAuth callback after Google sign-in
@@ -36,7 +37,7 @@ export async function GET(request) {
                 note: "No NextAuth token found - user may not have completed Google sign-in",
             });
             // Redirect to login with error
-            const login_url = new URL("/hazo_auth/login", request.url);
+            const login_url = create_redirect_url("/hazo_auth/login", request.url);
             login_url.searchParams.set("error", "oauth_failed");
             return NextResponse.redirect(login_url);
         }
@@ -49,7 +50,7 @@ export async function GET(request) {
                 has_hazo_user_id: !!token.hazo_user_id,
                 has_google_id: !!token.google_id,
             });
-            const login_url = new URL("/hazo_auth/login", request.url);
+            const login_url = create_redirect_url("/hazo_auth/login", request.url);
             login_url.searchParams.set("error", "oauth_incomplete");
             return NextResponse.redirect(login_url);
         }
@@ -93,7 +94,7 @@ export async function GET(request) {
             invitation_table_error,
         });
         // Create redirect response
-        const redirect_url = new URL(determined_redirect, request.url);
+        const redirect_url = create_redirect_url(determined_redirect, request.url);
         const response = NextResponse.redirect(redirect_url);
         // Set authentication cookies (same as login route, with configurable prefix and domain)
         const base_cookie_options = {
@@ -133,7 +134,7 @@ export async function GET(request) {
             error_message,
             error_stack,
         });
-        const login_url = new URL("/hazo_auth/login", request.url);
+        const login_url = create_redirect_url("/hazo_auth/login", request.url);
         login_url.searchParams.set("error", "oauth_error");
         return NextResponse.redirect(login_url);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hazo_auth",
-  "version": "5.1.30",
+  "version": "5.1.31",
   "description": "Zero-config authentication UI components for Next.js with RBAC, OAuth, scope-based multi-tenancy, and invitations",
   "keywords": [
     "authentication",