fix: use forwarded host for auth redirects

middleware.ts

@@ -2,6 +2,7 @@ import { NextResponse, type NextRequest } from "next/server";
 
 import { canAccessPath, getDefaultPathForRole, parseSessionCookie, SESSION_COOKIE, type UserRole } from "@/lib/auth";
 import { DEFAULT_LOCALE, isLocale, LOCALE_COOKIE } from "@/lib/i18n";
+import { getRequestBaseUrl } from "@/lib/request-url";
 
 const publicPaths = ["/login", "/forgot-password", "/reset-password", "/unauthorized", "/invite", "/auth"];
 
@@ -15,6 +16,7 @@ async function decodeSessionCookie(value: string) {
 
 export async function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl;
+  const baseUrl = getRequestBaseUrl(request);
   const response = NextResponse.next();
 
   if (pathname.startsWith("/_next") || pathname.includes(".")) {
@@ -44,17 +46,17 @@ export async function middleware(request: NextRequest) {
   }
 
   if (!session && !isPublicPath(pathname) && pathname !== "/") {
-    const loginUrl = new URL("/login", request.url);
+    const loginUrl = new URL("/login", baseUrl);
     loginUrl.searchParams.set("next", pathname);
     return NextResponse.redirect(loginUrl);
   }
 
   if (session && (pathname === "/" || pathname === "/login")) {
-    return NextResponse.redirect(new URL(getDefaultPathForRole(session.role), request.url));
+    return NextResponse.redirect(new URL(getDefaultPathForRole(session.role), baseUrl));
   }
 
   if (session && !isPublicPath(pathname) && !canAccessPath(session.role, pathname)) {
-    return NextResponse.redirect(new URL("/unauthorized", request.url));
+    return NextResponse.redirect(new URL("/unauthorized", baseUrl));
   }
 
   return response;