You say - We check the origin so CSRF check is un-necessary

[imcm7]

authjs-nuxt/packages/authjs-nuxt/src/runtime/lib/client.ts

Line 81 in 2100f25

// We check the origin so CSRF check is un-necessary

When, I can add that path to excludedUrls option of nuxt csrf module?

[imcm7]

May be to check if module nuxt-csurf or nuxt-security is installed and add that token, or remove that option completely and not to pass null.

[joebailey26]

It would be good to have some discussion around this or documentation on why the CSRF check is not necessary. I'm pretty sure you could spoof an origin header.

[woldtwerk]

how exactly do we get the host?
My project works fine locally, but in a docker container on preview server, the /api/auth/callback and redirect url point to localhost:dockerport instead of the baseurl of the app.
I tried adding:

nuxt.config.ts:
authJs: { baseUrl: 'my url' }

.env
NUXT_NEXTAUTH_URL=myurl
NEXTAUTH_URL=myurl

dockerfile:
ENV HOSTNAME 0.0.0.0

nothing is working

[beeGiaLe]

I've got the same issue. Tried NUXT_NEXTAUTH_URL, BASE_URL, NUXT_BASE_URL, NEXTAUTH_URL, and it always throws 500: CSRF protected

[Panca6]

oh god anyone figure this out yet?