sidebase / nuxt-auth

Authentication built for Nuxt 3! Easily add authentication via OAuth providers, credentials or Email Magic URLs!
https://auth.sidebase.io
MIT License

Refresh logic with local strategy #950

Open julienguillot77 opened 3 days ago

julienguillot77 commented 3 days ago

Environment

Reproduction

Set your nuxt.config.ts auth options:

auth: {
    originEnvKey: "NUXT_AUTH_ORIGIN",
    globalAppMiddleware: true,
    baseURL: process.env.NUXT_MANAGEMENT_API_URL,
    sessionRefresh: {
      enablePeriodically: 10000, // 10 seconds
      enableOnWindowFocus: false,
    },
    provider: {
      type: "local",
      session: {
        dataType: {
          id: "number",
          email: "string",
          username: "string",
          first_name: "string",
          last_name: "string",
          role: "string",
        },
      },
      pages: {
        login: "/auth/login",
      },
      endpoints: {
        signIn: { path: "management/login", method: "post" },
        signOut: { path: "management/logout", method: "delete" },
        signUp: { path: "management/signup", method: "post" },
        getSession: { path: "management/session", method: "get" },
      },
      token: {
        signInResponseTokenPointer: "/data/access_token",
        type: "Bearer",
        cookieName: "my-app.access_token",
        headerName: "Authorization",
        maxAgeInSeconds: 1800, // 30 minutes
        sameSiteAttribute: "lax",
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
      refresh: {
        isEnabled: true,
        endpoint: { path: "management/refresh", method: "post" },
        refreshOnlyToken: false,
        token: {
          signInResponseRefreshTokenPointer: "/data/refresh_token",
          refreshRequestTokenPointer: "/admin/refresh_token",
          cookieName: "my-app.refresh_token",
          maxAgeInSeconds: 14 * 24 * 60 * 60, // 2 weeks
          sameSiteAttribute: "lax",
          secureCookieAttribute: false,
          httpOnlyCookieAttribute: false,
        },
      },
    },
  }

signIn to your app

Describe the bug

I can't say whether it's a bug or whether it's intentional, but this is, I think, a strange behaviour.

The refresh token API endpoint is called at the same time as session refresh.

A first session refresh attempt is made right after the signIn process. The returned access_token and refresh_token are correctly set in the auth state and cookies, but the next refresh attempt is still using the previous refresh_token...

Am I missing something, or does an issue really occur?

Is refreshing tokens at the same time as the session refresh normal behaviour?

Additional context

No response

Logs

No response

julienguillot77 commented 1 day ago

After some debugging, I realized that the access_token and refresh_token stored in the app state are the old ones, and those in the cookie are the valid ones. But the tokens that are used during the refresh are those of the app state, right? Is it intentional, or does something need to be done on my side (or on the package side?)

julienguillot77 commented 1 day ago

Additional info:

If I disable SSR from nuxt.config.ts, the tokens stored in cookie and state are now the same.