sidebase / nuxt-auth

Authentication built for Nuxt 3! Easily add authentication via OAuth providers, credentials or Email Magic URLs!
https://auth.sidebase.io
MIT License

Refresh Token Cookie Not Updating, Causing Invalid Token Error and Automatic Sign-Out #867

Closed vamsii777 closed 3 months ago

vamsii777 commented 3 months ago

Environment

Reproduction

Steps to Reproduce:

1. Use the following auth configuration:

   ```ts
   auth: {
     baseURL: 'http://localhost:8081/v1/auth/',
     globalAppMiddleware: true,
     isEnabled: true,
     provider: {
       type: "refresh",
       refreshOnlyToken: true,
       endpoints: {
         signIn: { path: 'login', method: 'post' },
         signOut: { path: 'logout', method: 'post' },
         signUp: false,
         getSession: { path: 'me', method: 'get' },
         refresh: { path: 'refresh', method: 'post' },
         resetPassword: { path: 'reset-password', method: 'post' },
       },
       token: {
         signInResponseTokenPointer: '/access_token',
         type: 'Bearer',
         headerName: 'Authorization',
         maxAgeInSeconds: 1800,
         sameSiteAttribute: 'Lax',
         secureCookie: false,
         cookieName: 'auth._t.local',
         httpOnlyCookieAttribute: false,
       },
       refreshToken: {
         refreshRequestTokenPointer: '/refresh_token',
         signInResponseRefreshTokenPointer: '/refresh_token',
         maxAgeInSeconds: 2592000,
         sameSiteAttribute: 'Lax',
         secureCookie: false,
         cookieName: 'auth._rt.local',
         httpOnlyCookieAttribute: false,
       },
       sessionDataType: {
         phoneNumberVerified: 'boolean',
         lastName: 'string',
         phoneNumber: 'string',
         emailVerified: 'boolean',
         address: 'string',
         firstName: 'string',
         id: 'string',
         provider: 'string',
         role: 'string[]',
         status: 'string',
         accountType: 'string',
         email: 'string',
         area: 'string'
       },
       pages: {
         login: '/auth/login' // Specify your login page route
       },
       sessionRefresh: {
         enableOnWindowFocus: false,
       }
     }
   }
   ```

2. Log in to receive valid access and refresh tokens.
3. Ensure that tokens are saved in the cookies.
4. Refresh the page.
5. Change the browser window or tab.
6. Observe that:
   - The refresh token cookie is not updated during the refresh process.
   - The token refreshes even though `enableOnWindowFocus` is set to `false`.
   - The backend server may respond with an "Invalid Token" error, leading to automatic sign-out.

Expected Behavior:

Actual Behavior:

Describe the bug

[Two screenshots attached, taken 2024-08-16]

When refreshing the authentication token, the refresh token cookie is not being updated correctly. This causes the backend server to reject the token as invalid, resulting in the user being automatically signed out. Additionally, the token refreshes when switching tabs, even though enableOnWindowFocus is set to false.

Additional context

This issue could be caused by improper handling of the refresh token cookie during the refresh process.

Please investigate this issue, as it disrupts the user experience by causing unexpected sign-outs and unnecessary token refreshes, as also described in issue #859.

Logs

No response
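As an added example (not nuxt-auth's own code and not from the issue), the following JavaScript models the reporter's refresh-provider settings against a constructed backend that rotates refresh tokens, which shows why a refresh-token cookie that is never updated ends in an "Invalid Token" reply and a sign-out. The backend, the token values and the reading of `refreshOnlyToken` as "leave the stored refresh token unchanged" are assumptions made for this example.

```javascript
// Added example, not nuxt-auth's own code: the reporter's "refresh" provider
// settings run against a constructed backend that rotates refresh tokens.
const config = {
  refreshOnlyToken: true, // assumed meaning: never overwrite the stored refresh token
  token: { signInResponseTokenPointer: '/access_token', cookieName: 'auth._t.local' },
  refreshToken: {
    refreshRequestTokenPointer: '/refresh_token',
    signInResponseRefreshTokenPointer: '/refresh_token',
    cookieName: 'auth._rt.local',
  },
};
// RFC 6901 JSON pointer lookup: '/refresh_token' -> body.refresh_token.
function getByPointer(obj, pointer) {
  return pointer.split('/').slice(1)
    .map(k => k.replace(/~1/g, '/').replace(/~0/g, '~'))
    .reduce((cur, k) => (cur == null ? undefined : cur[k]), obj);
}
// Constructed stand-in for POST /refresh with rotation: the presented refresh
// token is revoked and a new pair is issued; presenting a revoked one yields 401.
function makeRotatingBackend() {
  const valid = new Set(['rt-1']);
  let n = 1;
  return (body) => {
    const rt = getByPointer(body, config.refreshToken.refreshRequestTokenPointer);
    if (!valid.has(rt)) return { status: 401, body: { error: 'Invalid Token' } };
    valid.delete(rt); n += 1; valid.add(`rt-${n}`);
    return { status: 200, body: { access_token: `at-${n}`, refresh_token: `rt-${n}` } };
  };
}
// One client-side refresh: store the new access token and, unless
// refreshOnlyToken is set, the rotated refresh token. A non-200 reply clears
// both cookies, which is the automatic sign-out described in the report.
function refreshSession(cookies, backend, opts) {
  const res = backend({ refresh_token: cookies[opts.refreshToken.cookieName] });
  if (res.status !== 200) {
    delete cookies[opts.token.cookieName]; delete cookies[opts.refreshToken.cookieName]; return false;
  }
  cookies[opts.token.cookieName] = getByPointer(res.body, opts.token.signInResponseTokenPointer);
  const rotated = getByPointer(res.body, opts.refreshToken.signInResponseRefreshTokenPointer);
  if (!opts.refreshOnlyToken && rotated) cookies[opts.refreshToken.cookieName] = rotated;
  return true;
}
// Run `times` consecutive refreshes (page reload, then tab switch) and report
// whether the session survived and which tokens the cookies hold afterwards.
function simulate(refreshOnlyToken, times = 2) {
  const cookies = { 'auth._t.local': 'at-1', 'auth._rt.local': 'rt-1' };
  const backend = makeRotatingBackend();
  let ok = true;
  for (let i = 0; i < times && ok; i++) ok = refreshSession(cookies, backend, { ...config, refreshOnlyToken });
  return { signedOut: !ok, ...cookies };
}
```

With `refreshOnlyToken: true` the second refresh presents the already-revoked `rt-1` and the client is signed out; with `false` the rotated token is stored and both refreshes succeed.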

Suniron commented 3 months ago

Hey,

I got almost the same behavior. Also, multiple refresh token requests are sent to my backend, which sometimes causes a 401 on the get session route, and in this case the access token is not set in cookies.

I'm thinking about switching to the Authjs provider + call to my backend from callbacks.

It's not really clean but I hope it's more stable...

vamsii777 commented 3 months ago

It appears that the pull request #858 has been merged which fixes #834. We will need to wait for the new release to confirm that the issue is fully resolved.

vamsii777 commented 3 months ago

Setting `refreshOnlyToken: false` resolves the issue, as the refresh token cookie updates correctly during the refresh process.