Why do my localhost settings protect my production deployment?
—how do I upload a screencast here?—
Following up on a previous topic on how to protect the 3 deployment URLs Vercel produces upon deployment (main, preview1, preview2) with Deployment Protection I asked about;
I am using NextAuth built-in OAuth service with GitHub and credentials.
I recorded my screen where you can see the GitHub OAuth application settings, where I designated which URL I wanted to protect:
URL to protect: localhost:3000
this was still during local development, before deploying the implementation of the authentication
Authorization Callback URL: http://localhost:3000/api/auth/callback/github
also set to my local development on the default port
I deployed the current implementation and expected to trigger an error or the authentication not showing up, because the URL-settings were still set to localhost, but the authentication still persists (see the screencast while opening one of the URLs in incognito mode).
I have also shared the URL with friends and they responded with screenshots of the login page blocking access for them, but the login works find with the credentials I set.
And beyond that; not only is just the production deployment protected - but also the other two preview deployments are behind the login page
I am not certain if this is of importance, but I implemented the recommended middleware.ts file in my project structure to apply next-auth to all subdomains of my project:
middleware.ts
// Without a defined matcher, this one line applies next-auth
// to the entire project, subdomains and all
export { default } from 'next-auth/middleware'