Keep getting http for redirect_uri instead of https

[setoelkahfi]

I'm using pm2 with ecosystem config to deploy a NextJS app in a multi-tenancy setup:

module.exports = {
  apps: [
    {
      // Application name (unique identifier for PM2)
      name: "aircraftshub-web",
     // more
      // Production Environment Variables - ISOLATED
      env_production: {
        // Node environment
        NODE_ENV: "production",
        PORT: 3022,

        // Apple OAuth Configuration
        APPLE_OAUTH_CLIENT_ID_AIRCRAFTHUB_APP: "appid-auth",
        APPLE_OAUTH_CLIENT_SECRET_AIRCRAFTHUB_APP:
          "esecret",

        // Auth.js Configuration
        AUTH_URL: "https://aircraftshub.5mb.app",
        AUTH_SECRET: "Secrettt",
        AUTH_TRUST_HOST: "true",

        // Next.js Configuration
        NEXT_TELEMETRY_DISABLED: "1",

        // App metadata (for monitoring and debugging)
        APP_NAME: "aircraftshub-web",
        APP_ID: "aircraftshub-web-prod",
      },
    },
  ],
};

But I keep getting http for the redirect_uri for Apple OAuth. Any clue?

My auth.ts snippet:

export const { handlers, signIn, signOut, auth } = NextAuth({
  debug: process.env.NODE_ENV === "development", // Enable debug logging in development
  trustHost: true,
  cookies: {
    callbackUrl: {
      name: `__Secure-next-auth.callback-url`,
      options: {
        httpOnly: false,
        sameSite: "none",
        path: "/",
        secure: true,
      },
    },
  },
  providers: [
    Apple({
      authorization: {
        params: {
          scope: "name email",
          response_mode: "form_post",
          response_type: "code",
        },
      },
      clientId: process.env.APPLE_OAUTH_CLIENT_ID_AIRCRAFTHUB_APP,
      clientSecret: process.env.APPLE_OAUTH_CLIENT_SECRET_AIRCRAFTHUB_APP,
      checks: ["state"], // Add state check for security
    }),
  ],

[sunnypatell]

@setoelkahfi this is a reverse proxy + Auth.js v5 protocol detection issue. auth.js constructs the redirect_uri from the request URL's origin. behind PM2/nginx, Next.js sees http://localhost:3022 as the origin, and if AUTH_URL doesn't properly override it, Apple gets http:// in the redirect.

two things to check:

1. make sure nginx forwards the protocol header:

location / {
    proxy_pass http://localhost:3022;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

X-Forwarded-Proto is the critical one. without it, auth.js falls back to the raw request protocol which is http since nginx proxies to localhost.

2. verify AUTH_URL is actually reaching the process:

PM2's env_production only applies when you start with --env production. run pm2 env <id> and confirm AUTH_URL is set. also make sure it's exactly https://aircraftshub.5mb.app with no trailing slash.

if both of those are correct and it still gives http://, auth.js v5 has a known edge case where the reqWithEnvURL() origin replacement can fail. force it via middleware:

// middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

export function middleware(request: NextRequest) {
  const headers = new Headers(request.headers)
  headers.set('x-forwarded-proto', 'https')
  headers.set('x-forwarded-host', 'aircraftshub.5mb.app')
  return NextResponse.next({ request: { headers } })
}

ref: auth.js deployment docs | related issue #9562 | next.js proxy origin issue

[setoelkahfi]

Thank you @sunnypatell
It was indeed an issue with my nginx config.