Fix auth redirect to 0.0.0.0 and credentials sign-in error

- Add AUTH_URL env var to docker-compose.yml and .env/.env.example so
  NextAuth builds correct redirect URLs instead of falling back to the
  Docker bind address (0.0.0.0:3000)
- Normalize email to lowercase in authorize() to match how the register
  route stores emails, preventing case-sensitive lookup mismatches

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.example

@@ -21,6 +21,9 @@ AUTH_SECRET=change_me_to_a_strong_random_secret
 AUTH_GOOGLE_ID=your_google_oauth_client_id
 AUTH_GOOGLE_SECRET=your_google_oauth_client_secret
 
+# Auth.js base URL - set to the public URL of your app
+AUTH_URL=http://localhost:3000
+
 # Auth.js trust host configuration
 # Set to true when using HTTP (e.g., localhost), should be false in production with HTTPS
 AUTH_TRUST_HOST=true

docker-compose.yml

@@ -14,6 +14,7 @@ services:
       - NEXT_PUBLIC_PREDICTIONS_ENABLED=true
       - API_KEY=${API_KEY}
       - AUTH_SECRET=${AUTH_SECRET}
+      - AUTH_URL=${AUTH_URL}
       - AUTH_GOOGLE_ID=${AUTH_GOOGLE_ID}
       - AUTH_GOOGLE_SECRET=${AUTH_GOOGLE_SECRET}
       - AUTH_TRUST_HOST=${AUTH_TRUST_HOST}

src/auth.ts

@@ -21,7 +21,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
         password: { label: "Password", type: "password" },
       },
       async authorize(credentials) {
-        const email = credentials?.email as string | undefined;
+        const email = (credentials?.email as string | undefined)?.trim().toLowerCase();
         const password = credentials?.password as string | undefined;
 
         if (!email || !password) {