nuxt-community / auth-module

Zero-boilerplate authentication support for Nuxt 2
https://auth.nuxtjs.org
MIT License
1.93k stars 925 forks

it doesn't fetch user even if I'm logged in - auth-next #886

Closed ghost closed 3 years ago

ghost commented 3 years ago

Version

v4.9.1

Reproduction link

[https://www .none.com](https://www .none.com)

Steps to reproduce

none

What is expected ?

it should fetch user

What is actually happening?

In my backend I did set my session's lifetime to 120 mins, but in nuxtjs it lasts only 10/20 mins. It doesn't seem to be a problem on the backend side, because I have a global middleware that updates the user's last activity and it gets fired (I can see my last activity updating even though in nuxtjs I'm "offline").

Additional comments?

auth configuration

    strategies: {
        'laravelSanctum': {
            provider: 'laravel/sanctum',
            url: 'url',
            endpoints: {
                login: { url: '/signin', method: 'post' },
                user: { url: '/me', method: 'get', propertyName: 'data' },
                logout: { url: '/signout', method: 'post' }
            }
        }
    },
    cookie: {
        options: {
            expires: 365
        }
    }

This bug report is available on Nuxt community (#c707)

ghost commented 3 years ago

When I try to log in, I get this error https://imgur.com/a/lh67pEc because I'm already logged in. Am I the only one who has this problem?

dvlden commented 3 years ago

No, you are not. Having the same issue. Tried it on a fresh project as well, to make sure that some other dependencies are not interfering.

JoaoPedroAS51 commented 3 years ago

Hi @s8v! This issue seems to be a misconfiguration. Can you show me more of your config, like axios and proxy? The url property should be the proxy path. Also, propertyName is deprecated. Use user.property instead. Example below :)

    strategies: {
      laravelSanctum: {
        provider: 'laravel/sanctum',
        url: 'url', // <- Your proxy path
        endpoints: {
          login: { url: '/signin', method: 'post' },
          user: { url: '/me', method: 'get' },
          logout: { url: '/signout', method: 'post' }
        },
        user: {
          property: 'data' // <- User property now goes here
        }
      }
    },
    cookie: {
      options: {
        expires: 365
      }
    }

Docs can be found here: https://auth.nuxtjs.org/providers/laravel-sanctum

Note: If you update to the latest version of v5, then you need to change the provider to laravelSanctum

steklopod commented 3 years ago

Same issue in version 5.0.0-1608568767.2fe2217

@JoaoPedroAS51 Commit #950 broke this logic. https://github.com/nuxt-community/auth-module/issues/945#issuecomment-748822560

Version "@nuxtjs/auth-next": "5.0.0-1607693598.34d83ea" works well.

I have no Laravel and no proxy.

My config:

    auth: {
        scopeKey: 'scope',
        resetOnError: true,
        redirect: {login: '/login', logout: '/', callback: '/', home: '/'},
        strategies: {
            cookie: {
                scheme: 'refresh',
                user: {property: false},
                token: {required: false, type: false/*, maxAge: 60 * 60*/},
                refreshToken: {property: 'refresh_token'/*, maxAge: 20160 * 60*/},
                endpoints: {
                    login: {url: '/auth/login', method: 'post'},
                    user: {url: '/auth/user', method: 'post'},
                    refresh: {url: '/auth/refresh', method: 'post'},
                    logout: {url: '/auth/logout', method: 'post'}
                }
            }
        }
    },

JoaoPedroAS51 commented 3 years ago

Hi @steklopod! Can you send me a screenshot of the user request, showing the authorization header? (Using the working version) I want to understand what authorization was sent :)

Also, if you could tell me more about what your backend expects to receive and what the response of login is, it would help me to understand the problem better.

steklopod commented 3 years ago

@JoaoPedroAS51


Screenshot 2020-12-23 at 16 13 08 Screenshot 2020-12-23 at 16 14 21

My backend expects:


My js-code is:

    this.$auth.loginWith('cookie', {data: this.userPrincipal})

JoaoPedroAS51 commented 3 years ago

@steklopod And what is the response of the login request?

steklopod commented 3 years ago

@JoaoPedroAS51 the response of login request:

Body:

    {
      "access_token": "eyJhbGciOiJIUzUxMi-bla-bla-bla...",
      "response_type": "token",
      "redirect_uri": "/login",
      "client_id": 1,
      "scope": [
        "USER"
      ],
      "token_type": "Bearer",
      "authorization_endpoint": "https://domain.com/api/auth/login",
      "userinfo_endpoint": "https://domain.com/api/auth/user",
      "expires_in": 86400,
      "refresh_token_expires_in": 1209600,
      "token_key": "access_token",
      "refresh_token_key": "refresh_token",
      "state": "eOMtThyhVNLWUZNRcBaQKxI"
    }

Screenshot 2020-12-23 at 16 54 04

JoaoPedroAS51 commented 3 years ago

@steklopod Then, we need to update your token config:

    token: {
      property: 'access_token', // <- the token property
      required: true, // <- required must be true, otherwise it will not use token and will not add authorization header
      type: 'Bearer', // <- the token type
      /*maxAge: 60 * 60*/ // <- I also recommend setting the maxAge of your token, which should be the same value as `expires_in`, as this value will be used in case the expiration couldn't be decoded. If you let it "commented", the default value will be used (1800)
    },

And what does your backend expect to refresh the token? I see that there is no refresh_token included in the response body.
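
Added example (not part of the thread and not auth-module code): the checks discussed in the reply above, run against a login response constructed from the fields shown earlier. `jwtExpiry`, `effectiveTtl` and `lintStrategy` are hypothetical helper names, and the 60-second tolerance is an arbitrary choice.

```javascript
// Added example, not auth-module code. 1800 is the default maxAge quoted above.
const DEFAULT_MAX_AGE = 1800;

// Return the `exp` claim (seconds since epoch) of a JWT, or null if the
// string is not a decodable three-part JWT.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
    const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch (err) {
    return null;
  }
}

// Lifetime the client will assume: decoded `exp` if available, else maxAge.
function effectiveTtl(token, maxAge, nowSec) {
  const exp = jwtExpiry(token);
  return exp !== null ? exp - nowSec : (maxAge || DEFAULT_MAX_AGE);
}

// Compare a strategy config with the body returned by the login endpoint.
function lintStrategy(strategy, loginBody, nowSec) {
  const findings = [];
  const token = strategy.token || {};
  const refresh = strategy.refreshToken || {};
  if (token.required === false) findings.push('token.required=false: no Authorization header');
  if (!(token.property in loginBody)) findings.push('token.property is not a login response field');
  const ttl = effectiveTtl(loginBody[token.property], token.maxAge, nowSec);
  if (loginBody.expires_in && Math.abs(ttl - loginBody.expires_in) > 60) {
    findings.push(`client lifetime ${ttl}s != server expires_in ${loginBody.expires_in}s`);
  }
  if (refresh.property && !(refresh.property in loginBody)) {
    findings.push('refreshToken.property is not a login response field');
  }
  return findings;
}

// Constructed login response (opaque token, so no `exp` can be decoded).
const loginBody = { access_token: 'opaque-constructed-token', token_type: 'Bearer', expires_in: 86400 };
const before = { token: { required: false, type: false }, refreshToken: { property: 'refresh_token' } };
const after = { token: { property: 'access_token', required: true, type: 'Bearer', maxAge: 86400 },
                refreshToken: { property: 'refresh_token' } };
console.log(lintStrategy(before, loginBody, 0));
console.log(lintStrategy(after, loginBody, 0));
```

With the original config the client falls back to a 1800-second lifetime while the server issues 86400 seconds, which is the kind of early "logged out" state reported in this issue.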

steklopod commented 3 years ago

@JoaoPedroAS51 thanks a lot! This config helped.

    auth: {
        strategies: {
            cookie: {
                token: {property: 'access_token', required: true, type: 'Bearer'}
    }}}

> And what does your backend expect to refresh the token? I see that there is no refresh_token included in the response body.

refresh_token is set in the "auth._refresh_token.cookie" cookie by the backend /login endpoint:

Screenshot 2020-12-23 at 17 45 48

Is there a mistake in my nuxt.config.js, or with the cookie strategy do I not need it:

    refreshToken: {property: 'refresh_token'},

JoaoPedroAS51 commented 3 years ago

@steklopod I'm happy to know it helped! :)

If the refresh token is included in the response body, then it's all ok. I would just recommend setting the maxAge of the refresh token as well.

Is it all working as expected now? You can add me on Discord, so we can talk more easily: Joao Pedro AS51#1284

Just a note: As your backend needs an authorization header, we are not using "cookie flow". The cookie scheme would disable the token/authorization header and would not have the refresh feature. So for your case, I believe the correct setup is the refresh scheme, which is the one you're currently using.

JoaoPedroAS51 commented 3 years ago

@steklopod Actually, you just need to add one more thing if you need authorization header for refresh request:

    refreshToken: {
      property: 'refresh_token',
      tokenRequired: true // <- Add the authorization header to refresh request
    }

JoaoPedroAS51 commented 3 years ago

Closing here, due to inactivity. Feel free to reopen if the issue persists.