Potential Security Vulnerability in X-Forwarded-* Headers for auth-js Introduced in #549

[catnaut]

A potential security risk may have been introduced in #549 while addressing #537. Specifically, using X-Forwarded-* headers in @auth/core could enable spoofing if the headers are tampered with.

I reviewed the implementation of @auth/core for the /api/auth/signin page. The render function in src/lib/pages/index.ts uses the signin method to generate the form, setting the callbackUrl from request.url.origin.

(Additionally, this could indicate an internal issue in @auth/core itself: params.callbackUrl ?? "/" defaults to /, even though callbackUrl is already set as request.url.origin.)

Although beorn’s solution is technically correct, it introduces potential security risks. This approach could be exploited if users spoof the HTTP X-Forwarded-For header, potentially creating security vulnerabilities. I think handling the actual request data is better managed through a transparent middleware, such as honojs/hono#3646.

By the way, Hono team are working on discussion the Proxy Helper for the proxy use case to avoid the user writing code for copying headers: honojs/hono#3589