search

atinux / nuxt-auth-utils

Add Authentication to Nuxt applications with secured & sealed cookies sessions.
MIT License
973 stars 91 forks source link

feat: add server side session storage #265

Open patrick-hofmann opened 3 weeks ago

patrick-hofmann commented 3 weeks ago

This PR adds a server side storage option for sessions using useStorage.

The default behavior after this PR is still the same as before (using cookie as storageType which is the default)

export default defineNuxtConfig({
  modules: ['nuxt-auth-utils'],
  auth: {
    storageType: 'cookie', // 'memory', 'cache', 'nuxt-session'
  }
})

but now the storageType can be memory, cache or nuxt-session as well, where nuxt-session is a nitro storage mount point that can be defined in the nuxt.config.ts.

The 'non-cookie' storageTypes allow two more configs:

  auth: {
    sessionInactivityMaxAge: 60 * 60 * 24 * 30, // Session timeout after inactivity (30 days)
    autoExtendSession: true // Extend session on each request
  },

The sessionInactivityMaxAge is used to determine orphaned sessions that can be deleted with cleanupOrphanedUserSessions, which can run in a scheduled nitro task (unfortunately not on the edge) or in a server middleware or a specific route.

The session data is not encrypted to the server which can be discussed as the stored data is obvious at least in transfer to the server side anyway.

What this PR can not do, is determining multiple sessions of one user as this would need a server side user id, independent from the auth provider used (since one user could have multiple different providers).

atinux commented 10 hours ago

I did not forget, will have a deeper look next week as I want to be confident with the API changes.