Hebilicious / authjs-nuxt

AuthJS edge-compatible authentication Nuxt module.
https://authjs-nuxt.pages.dev/
MIT License

[bug] support custom cookie names #98

Open ghs opened 9 months ago

ghs commented 9 months ago

Describe the feature

(Adding this as a feature because this code is still labeled as "alpha", but depending on the point of view people could consider it a bug.)

In Auth.js there is a possibility to change cookie options, with the name property being one of them: https://next-auth.js.org/configuration/options#cookies.

When having a separate auth service and using authjs-nuxt to connect to it, cookies are not found because there are a couple of hard-coded nuxt-auth values around the code.

https://github.com/Hebilicious/authjs-nuxt/blob/main/packages/authjs-nuxt/src/runtime/composables/useAuth.ts#L13 and https://github.com/Hebilicious/authjs-nuxt/blob/main/packages/authjs-nuxt/src/runtime/utils.ts#L39

Adding an option to nuxt.config can make this work and prevent missing cookies :)

Hebilicious commented 9 months ago

@ghs thanks for reporting, here's the relevant auth.js option https://authjs.dev/reference/core#cookies (next-auth is different) and the code.

I believe nobody should be touching that, but we should try to support it in this module. However, grabbing this value in the client bundle is pretty inconvenient. One elegant way would be to introduce a new composable, such as defineAuthJsConfig(), that we could use to inject the cookies name value in the runtimeConfig.

ghs commented 9 months ago

Sorry for the mix of next-auth and authjs. But in the end both offer custom cookie setup, and that was the reason for my issue here.

If by "nobody should be touching that" you are referring to the cookies and their names, I disagree here. Having a "next" within the cookie name could lead to security issues because it basically shows what backend is used. If you search for next/nuxt change rootId around Google and GitHub issues for the related projects, you will find a lot of opinions related to this topic.

Then, about the client side, I am not sure what you meant, but the main concern and use would be from the backend within the "server" routes/side. If I'm not mistaken, apart from the callback cookie, all others are HttpOnly.

markbrockhoff commented 5 months ago

Hi @ghs, I just encountered pretty much this issue.

I'm trying to use the function "getServerToken" in my Nuxt app's route to get the JWT from the event. This however fails because the function makeCookiesFromCookieString filters the parsed cookies and only takes the one where the key contains next-auth.

With the default setup of this module in a new Nuxt app I get the cookie set for the key: authjs.session-token

Maybe the key used by authjs changed between some versions. I'm currently using @auth/core@0.18.6 as that's what was automatically installed by pnpm according to the peerDependency version specified by this package. @Hebilicious looks like the file you linked with the comment "nobody should be touching that" was touched in version 0.18.1 of @auth/core where the cookie key was changed. ^^'

So it would be great to have the option to specify a custom cookie name or if this package could maybe somehow import the key used by authjs to prevent such issues in the future.
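
The lookup failure described in the comment above, as an added example that is not part of the thread, authjs-nuxt or Auth.js: a substring filter on "next-auth" compared with an exact lookup under a configurable cookie name. The helper names, the sample headers, and the handling of numbered `<name>.N` chunks are assumptions made for illustration.

```typescript
// Added example: helper names are hypothetical, not authjs-nuxt or Auth.js APIs.
type CookieJar = Record<string, string>

// Parse a raw Cookie request header into exact name -> value pairs.
function parseCookieHeader(header: string): CookieJar {
  const jar: CookieJar = Object.create(null) // no prototype, so "__proto__" is just a key
  for (const part of header.split(";")) {
    const eq = part.indexOf("=")
    if (eq < 1) continue // skip empty or nameless pairs
    const name = part.slice(0, eq).trim()
    if (name === "" || name in jar) continue // first occurrence wins
    const raw = part.slice(eq + 1).trim()
    try { jar[name] = decodeURIComponent(raw) } catch { jar[name] = raw }
  }
  return jar
}

// Behaviour described in the thread: keep only keys that contain "next-auth".
function legacyFilter(header: string): string[] {
  return Object.keys(parseCookieHeader(header)).filter((n: string) => n.indexOf("next-auth") !== -1)
}

// Look up the session token under a configured cookie name (exact match only).
// Assumption: a large token may be split into "<name>.0", "<name>.1", ... chunks.
function readSessionToken(header: string, cookieName: string): string | null {
  const jar = parseCookieHeader(header)
  const whole = jar[cookieName]
  if (whole !== undefined) return whole
  let token = ""
  for (let i = 0; (cookieName + "." + i) in jar; i++) token += jar[cookieName + "." + i]
  return token === "" ? null : token
}

// Constructed sample headers (values are placeholders, not real tokens).
const DEFAULT_HEADER = "theme=dark; authjs.session-token=aaa.bbb.ccc"
const CUSTOM_HEADER = "sid.0=part0; sid.1=part1; not-next-auth-ad=xyz"
```

With `DEFAULT_HEADER` the substring filter keeps nothing, while with `CUSTOM_HEADER` it keeps only the unrelated `not-next-auth-ad` cookie; the exact lookup returns the token in both cases when given the configured name.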

Hebilicious commented 5 months ago

I was trying to get this module merged into the official repo to avoid such issues, but from what I understand, Nuxt is not a priority and they're working on improving the docs. I'm not really interested in hacking around and I don't personally use auth.js anymore.

But I'm happy to accept a PR to have this configurable.

In the meantime you can use npm patch or downgrade auth.js I guess :/

Just to be clear, the reason I said initially that nobody should be touching that is that I'm not sure setting a custom Cookie name from this module can be applied to Auth.js. If that's possible that would be great.