Refresh logic with local strategy #950

Open
julienguillot77 opened this issue Nov 30, 2024 · 3 comments
Labels
bug A bug that needs to be resolved pending An issue waiting for triage

Comments

@julienguillot77

Environment

Reproduction

Set your nuxt.config.ts auth options:

```ts
auth: {
  originEnvKey: "NUXT_AUTH_ORIGIN",
  globalAppMiddleware: true,
  baseURL: process.env.NUXT_MANAGEMENT_API_URL,
  sessionRefresh: {
    enablePeriodically: 10000, // 10 seconds
    enableOnWindowFocus: false,
  },
  provider: {
    type: "local",
    session: {
      dataType: {
        id: "number",
        email: "string",
        username: "string",
        first_name: "string",
        last_name: "string",
        role: "string",
      },
    },
    pages: {
      login: "/auth/login",
    },
    endpoints: {
      signIn: { path: "management/login", method: "post" },
      signOut: { path: "management/logout", method: "delete" },
      signUp: { path: "management/signup", method: "post" },
      getSession: { path: "management/session", method: "get" },
    },
    token: {
      signInResponseTokenPointer: "/data/access_token",
      type: "Bearer",
      cookieName: "my-app.access_token",
      headerName: "Authorization",
      maxAgeInSeconds: 1800, // 30 minutes
      sameSiteAttribute: "lax",
      secureCookieAttribute: false,
      httpOnlyCookieAttribute: false,
    },
    refresh: {
      isEnabled: true,
      endpoint: { path: "management/refresh", method: "post" },
      refreshOnlyToken: false,
      token: {
        signInResponseRefreshTokenPointer: "/data/refresh_token",
        refreshRequestTokenPointer: "/admin/refresh_token",
        cookieName: "my-app.refresh_token",
        maxAgeInSeconds: 14 * 24 * 60 * 60, // 2 weeks
        sameSiteAttribute: "lax",
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
    },
  },
}
```

signIn to your app

Describe the bug

I can't say whether it's a bug or it's voluntary, but this is, I think, a strange behaviour.

The refresh token API endpoint is called at the same time as session refresh.

A first attempt at session refresh is done right after the signIn process. The returned access_token and refresh_token are correctly set in the auth state and cookies, but the next refresh attempt is still using the previous refresh_token...

Am I missing something, or does an issue really occur?

Is refreshing tokens at the same time as session refresh normal behaviour?

Additional context

No response

Logs

No response

@julienguillot77 julienguillot77 added bug A bug that needs to be resolved pending An issue waiting for triage labels Nov 30, 2024
@julienguillot77
Author

julienguillot77 commented Dec 2, 2024

After some debugging, I realized that the access_token and refresh_token stored in the app state are the old ones, and those in the cookie are the valid ones. But the tokens that are used during the refresh are those of the app state, right?
Is it intentional, or does something need to be done on my side (or package side)?

@julienguillot77
Author

Additional info:

If I disable SSR from nuxt.config.ts, the tokens stored in cookie and state are now the same.

@phoenix-ru
Collaborator

Hi @julienguillot77, there have been several reports of state mismatch between cookies and useState and a whole issue about Nuxt's useCookie.

As I am going on quite a long vacation due to some state holidays, etc., I will be able to properly check your issue at the end of January 2025 at the earliest. Apologies for the long wait! In the meantime, NuxtAuth always welcomes contributors and detailed investigations :)

There is a similar issue but for static websites: #785. I believe that we need to fix the whole cookie/state situation for both SSR/static.
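
A minimal model of the mismatch discussed in this thread, added here as an illustration; it is not NuxtAuth code and not from any participant. It assumes a backend that rotates refresh tokens (each one valid for a single refresh call); `RotatingBackend`, `Client`, `syncState` and `runScenario` are hypothetical names.

```javascript
// Added illustration, not NuxtAuth code. Assumption: the backend rotates
// refresh tokens, so a refresh token is accepted exactly once.
let counter = 0;
const newToken = (prefix) => `${prefix}-${++counter}`; // constructed sample tokens

class RotatingBackend {
  constructor() { this.validRefreshTokens = new Set(); }
  issue() {
    const pair = { access_token: newToken("at"), refresh_token: newToken("rt") };
    this.validRefreshTokens.add(pair.refresh_token);
    return pair;
  }
  refresh(refreshToken) {
    // delete() returns false for an unknown or already rotated token
    if (!this.validRefreshTokens.delete(refreshToken)) return { status: 401 };
    return { status: 200, data: this.issue() };
  }
}

// Hypothetical client keeping the token pair in two places, as in the thread:
// a cookie copy and an in-memory state copy. Refresh always reads the state copy.
class Client {
  constructor(backend, syncState) {
    this.backend = backend;
    this.syncState = syncState;
    const pair = backend.issue(); // stands in for sign-in
    this.cookie = { ...pair };
    this.state = { ...pair };
  }
  refresh() {
    const res = this.backend.refresh(this.state.refresh_token);
    if (res.status === 200) {
      this.cookie = { ...res.data };                    // cookie always updated
      if (this.syncState) this.state = { ...res.data }; // state only when in sync
    }
    return res.status;
  }
}

// Runs several periodic refreshes and reports each HTTP status plus
// whether the cookie and state copies still hold the same refresh token.
function runScenario(syncState, rounds = 3) {
  const client = new Client(new RotatingBackend(), syncState);
  const statuses = [];
  for (let i = 0; i < rounds; i++) statuses.push(client.refresh());
  const inSync = client.cookie.refresh_token === client.state.refresh_token;
  return { statuses, inSync };
}
```

With `syncState` false, the first refresh succeeds and every later one replays the rotated token from the stale state copy; with `syncState` true, every refresh uses the latest token.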
