nuxt-auth-utils

Bypass 4096-byte limit

Open tschni opened this issue 9 months ago • 12 comments

I am currently in the process of connecting my company's own internal OAuth IDP via nuxt-auth-utils. I need the access & refresh token in my session.

I need the access token to send it with my API requests in the authorization header (this happens on the server and client side). I need the refresh token to request a new access token if it has expired (this happens on the server side, although I don't yet know exactly how best to implement this :/).

With the two tokens I clearly exceed the 4096-byte limit. What is the best way to store these tokens? I would not like to set up an extra PostgreSQL database for this small use case. Does anyone have any helpful ideas for me?

If anyone has any ideas on how best to implement the refresh token flow, I would also be very grateful. :)


tschni avatar Feb 14 '25 12:02 tschni

+1 this limit has stopped me from using this lib because the JWT I receive is very large and I don't have the ability to shrink it down. Any chance that chunking will be implemented?

inthegreenwild avatar Feb 28 '25 17:02 inthegreenwild

+1

kstan79 avatar Mar 14 '25 12:03 kstan79

+1

Latex88 avatar Mar 17 '25 15:03 Latex88

+1

LuckyFox31 avatar May 12 '25 13:05 LuckyFox31

+1

AndreasCaldewei avatar May 25 '25 21:05 AndreasCaldewei

I think the only solution is to break out some information into separate cookies. The issue is whether this plugin will manage that for us, or whether we manage it ourselves separately.

kstan79 avatar May 25 '25 23:05 kstan79

The problem is with H3, which is used by nuxt-auth-utils and does not have cookie chunking for the session data. See https://github.com/h3js/h3/blob/main/src/utils/session.ts

DavidDeSloovere avatar May 26 '25 14:05 DavidDeSloovere

Yes, so I manually add another HttpOnly cookie to store the refresh token etc., with some encryption.

kstan79 avatar May 26 '25 15:05 kstan79

I've created this issue in H3: https://github.com/h3js/h3/issues/1062

I believe this issue here can be closed.

DavidDeSloovere avatar May 27 '25 09:05 DavidDeSloovere

Chunking of the session cookie is coming in H3 v3, which will be used by Nuxt v5. We'll have to wait a bit and keep the workarounds around.

DavidDeSloovere avatar Aug 27 '25 14:08 DavidDeSloovere

Thank you for this awesome work @DavidDeSloovere

In the meantime, you can for instance use Nitro's KV storage to store the content of the session, using the session.id as key, so you can limit the data you store in the cookie. You will have to configure the Nitro storage to use a persistent storage in production, like Redis.

atinux avatar Sep 08 '25 17:09 atinux
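
The server-side storage workaround described in the comment above, combined with the refresh flow asked about in the original post, as an added example that is not code from this thread or from nuxt-auth-utils. Assumptions: `createMemoryStorage` is a Map-backed stand-in for Nitro's `useStorage()` so the block runs offline; `saveTokens`, `getAccessToken`, `clearTokens` and the `refresh` callback are hypothetical names, and `sessionId` is the `session.id` mentioned above.

```javascript
// Stand-in for Nitro's useStorage(): same async getItem/setItem/removeItem
// shape, backed by a Map so this runs offline (use Redis or similar in production).
function createMemoryStorage() {
  const data = new Map()
  return {
    getItem: async (key) => (data.has(key) ? data.get(key) : null),
    setItem: async (key, value) => { data.set(key, value) },
    removeItem: async (key) => { data.delete(key) },
  }
}

const SKEW_MS = 30_000 // refresh slightly before the access token expires

// After the OAuth callback: keep both tokens server-side, keyed by the session id.
// The return value is the only thing that goes into the session cookie.
async function saveTokens(storage, sessionId, user, tokens, now = Date.now()) {
  await storage.setItem(`tokens:${sessionId}`, {
    accessToken: tokens.accessToken,
    refreshToken: tokens.refreshToken,
    expiresAt: now + tokens.expiresIn * 1000,
  })
  return { user }
}

// Before an API call: return a valid access token, refreshing it if needed.
// `refresh` is a hypothetical callback that posts the refresh token to the
// IdP's token endpoint and resolves to { accessToken, refreshToken?, expiresIn }.
async function getAccessToken(storage, sessionId, refresh, now = Date.now()) {
  const key = `tokens:${sessionId}`
  const entry = await storage.getItem(key)
  if (!entry) return null // unknown or logged-out session: force a new login
  if (entry.expiresAt - SKEW_MS > now) return entry.accessToken
  try {
    const fresh = await refresh(entry.refreshToken)
    await storage.setItem(key, {
      accessToken: fresh.accessToken,
      // Some IdPs rotate refresh tokens; keep the old one if none is returned.
      refreshToken: fresh.refreshToken ?? entry.refreshToken,
      expiresAt: now + fresh.expiresIn * 1000,
    })
    return fresh.accessToken
  } catch {
    await storage.removeItem(key) // refresh failed: drop tokens, require a new login
    return null
  }
}

// On logout, delete the server-side entry as well as clearing the cookie.
async function clearTokens(storage, sessionId) {
  await storage.removeItem(`tokens:${sessionId}`)
}
```

With this layout the refresh token never reaches the browser, and the cookie stays small regardless of how large the IdP's tokens are.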

Thanks for the workaround details, and thanks also to @DavidDeSloovere for your work.

I would leave the issue open for now until Nuxt v5 is released and cookie chunking is implemented here.

tschni avatar Sep 08 '25 18:09 tschni