NextAuth built-in Provider protecting unintended URLs with localhost settings

Why do my localhost settings protect my production deployment?

—how do I upload a screencast here?—

Following up on a previous topic on how to protect the 3 deployment URLs Vercel produces upon deployment (main, preview1, preview2) with Deployment Protection I asked about;

I am using NextAuth built-in OAuth service with GitHub and credentials.
I recorded my screen where you can see the GitHub OAuth application settings, where I designated which URL I wanted to protect:

URL to protect: localhost:3000 this was still during local development, before deploying the implementation of the authentication
Authorization Callback URL: http://localhost:3000/api/auth/callback/github also set to my local development on the default port

I deployed the current implementation and expected to trigger an error or the authentication not showing up, because the URL-settings were still set to localhost, but the authentication still persists (see the screencast while opening one of the URLs in incognito mode).
I have also shared the URL with friends and they responded with screenshots of the login page blocking access for them, but the login works find with the credentials I set.

And beyond that; not only is just the production deployment protected - but also the other two preview deployments are behind the login page

I am not certain if this is of importance, but I implemented the recommended middleware.ts file in my project structure to apply next-auth to all subdomains of my project:

middleware.ts

// Without a defined matcher, this one line applies next-auth
// to the entire project, subdomains and all
export { default } from 'next-auth/middleware'

Hi, @mesapholis!

Thanks for being patient with us. Are you still seeing this issue? You can also send a Loom if you’d prefer or upload your video to a cloud storage to share with us to view.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.