sidebase / nuxt-auth

Authentication built for Nuxt 3! Easily add authentication via OAuth providers, credentials or Email Magic URLs!
https://auth.sidebase.io
MIT License

token.maxAgeInSeconds seems to be completely ignored #939

Closed einz-loggik closed 2 weeks ago

einz-loggik commented 1 month ago

Environment

nuxt-auth: V0.9.4

Reproduction

I am using Django with Django REST framework and simple JWT as Backend.

This is my auth configuration:

    auth: { 
      baseURL: process.env.BACKEND_BASE_URL + '/',
      provider: {
        type: 'local',
        session: {
          dataType: {
            shops: 'string'
          },
        },
        endpoints: {
          signIn: { path: 'api/token/', method: 'post' },
          getSession: { path: '/' },
          signOut: false
        },
        pages: {
          login: '/login'
        },
        token: {
          signInResponseTokenPointer: '/access',
          maxAgeInSeconds: 50 * 1 - 5,
          sameSiteAttribute: 'lax',
          cookieName: 'auth.token'
        },
        refresh: {
          isEnabled: true,
          endpoint: { path: 'api/token/refresh/', method: 'post' },
          refreshOnlyToken: true,
          token: {
            signInResponseRefreshTokenPointer: '/refresh',
            refreshRequestTokenPointer: '/refresh',
            maxAgeInSeconds: 115, 
            cookieName: 'auth.refresh-token',
          }
        }
      },
      globalAppMiddleware: {
        isEnabled: true
      },
    }

To reproduce the error, log in, make a call to a protected API endpoint and you should get a 401 because the access token expired and was not refreshed. If you log in and wait at least 120 seconds, the refresh token expires and triggers a token refresh.

Describe the bug

When the token expires, it does not trigger a refresh and does not get renewed. Only the lifetime of the refresh token triggers a refresh.

Expected behavior: If the lifetime of the token expires, the refresh is triggered. If the refresh token expires, the user gets logged out automatically.

Additional context

No response

Logs

No response

einz-loggik commented 2 weeks ago

No bug, just me not being able to use the module correctly.

This 'bug' occurs if you do not implement the session correctly.
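
A diagnostic for the configuration discussed in this thread, added here as an example (it is not code from the issue author or from nuxt-auth): it reads the `iat` and `exp` claims of the tokens the backend issues and checks that each configured `maxAgeInSeconds` does not outlive the token it stores. The sample tokens are constructed, and their 50 s and 120 s lifetimes are assumptions inferred from the numbers in the report, as is the presence of an `iat` claim.

```javascript
// Added diagnostic example, not nuxt-auth code and not code from the issue.
// Decodes a JWT payload WITHOUT verifying the signature: use it only to
// inspect lifetimes, never to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Lifetime in seconds as issued by the backend (exp - iat).
function tokenLifetimeSeconds(token) {
  const { iat, exp } = decodeJwtPayload(token);
  if (!Number.isInteger(iat) || !Number.isInteger(exp)) {
    throw new Error('token lacks numeric iat/exp claims');
  }
  return exp - iat;
}

// ok is true when the configured max age is positive and does not exceed
// the real token lifetime; margin is the safety gap in seconds.
function checkMaxAge(name, token, maxAgeInSeconds) {
  const lifetime = tokenLifetimeSeconds(token);
  const ok = maxAgeInSeconds > 0 && maxAgeInSeconds <= lifetime;
  return { name, lifetime, maxAgeInSeconds, margin: lifetime - maxAgeInSeconds, ok };
}

// Constructed sample tokens (placeholder signature, assumed lifetimes).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const issuedAt = 1700000000;
const sampleAccess = makeSampleToken({ token_type: 'access', iat: issuedAt, exp: issuedAt + 50 });
const sampleRefresh = makeSampleToken({ token_type: 'refresh', iat: issuedAt, exp: issuedAt + 120 });

function runChecks() {
  return [
    checkMaxAge('token.maxAgeInSeconds', sampleAccess, 50 * 1 - 5),
    checkMaxAge('refresh.token.maxAgeInSeconds', sampleRefresh, 115),
    // Misconfiguration case: the stored value would outlive the token.
    checkMaxAge('token.maxAgeInSeconds (too long)', sampleAccess, 300),
  ];
}

console.table(runChecks());
```
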