nuxt-auth-utils

Add features for refresh token

Open guilherme-codes opened this issue 10 months ago • 3 comments

I'm having trouble handling refresh tokens because setUserSession doesn't update the session. So, I'm considering the possibility of adding options to setUserSession or returning an updateSession function along with the useUserSession composable.

Other ideas could be to add options for refreshing the token in the route files... and maybe add the refresh token method to the provider definitions too. I'd like to know what people here think about this.

P.S.: I read the other topics about this issue, and I think we don't have a good solution yet.

// expose update session
const { updateSession } = useUserSession()

updateSession({
  token: 'token',
  refresh_token: 'token'
})

// allow session mutation by setUserSession
setUserSession(event, {
  token: 'token',
  refresh_token: 'token'
}, { updateSession: true })

// add refresh token callback
export default defineOAuthAuth0EventHandler({
  async onSuccess(event, data) {},
  async onRefreshToken() {}
})

guilherme-codes Feb 17 '25 17:02

Hey, I'm having a similar issue when refreshing the auth0 access token. I'm calling setUserSession with the new tokens. They get sent to the client correctly, but it seems like on the next refresh request the server still has the old tokens in the UserSession. Have you found a fix/workaround for this already?

This is my workaround for now: https://github.com/atinux/nuxt-auth-utils/issues/357#issuecomment-2676667313

Crease29 Feb 23 '25 06:02

@Crease29 I did my own implementation for now. It is based on nuxt-auth-utils and shows how I think we should have control of sessions sending requests directly to a Nitro server using composables.

https://github.com/guilherme-codes/nuxt-auth0

guilherme-codes Feb 25 '25 13:02

A fix is potentially on the way for this in https://github.com/unjs/h3/issues/1004, but in the meantime here is a simple HACKY fix to reset the createdAt on the session object to cause the cookie expiration to move forward.

// Grab a copy of the session data object
const session = await getUserSession(event)

// update the `createdAt` time on the session object
Object.entries(event.context.sessions ?? {})
  .forEach(([ k, v ]) => event.context.sessions![k] = { ...v, createdAt: Date.now() })

// Call update to ensure the cookie gets sealed using the updated date
await setUserSession(event, session)

A full implementation for a refresh endpoint would look something like this:

// server/api/_auth/refresh.get.ts
export default defineEventHandler(async event => {
  const session = await getUserSession(event)
  if (session && session.user) {
    /**
     * @todo: remove hack once session fix is released
     * ref: https://github.com/unjs/h3/pull/1010
     */
    Object.entries(event.context.sessions ?? {})
      .forEach(([ k, v ]) => event.context.sessions![k] = { ...v, createdAt: Date.now() })
    await setUserSession(event, session)
    setResponseStatus(event, 204)
  } else {
    await clearUserSession(event)
    setResponseStatus(event, 401)
  }
})

nerdoza Apr 02 '25 19:04
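
The workaround above resets createdAt so the cookie expiry slides forward on every call to the refresh endpoint. As an added example (not code from this thread, nuxt-auth-utils or h3), here is a simplified TypeScript model of that behaviour, assuming the expiry is computed as createdAt + maxAge; the `firstIssuedAt` field, the helper names and both limits are hypothetical, and the absolute cap shows one way to keep a sliding session from being renewed indefinitely.

```typescript
// Added example: simplified model, not h3 or nuxt-auth-utils code.
// Assumption: cookie expiry = createdAt + maxAge, as the workaround implies.
interface SessionRecord {
  data: Record<string, unknown>
  createdAt: number     // ms epoch; drives the expiry
  firstIssuedAt: number // hypothetical field: time of the original login
}

const MAX_AGE_MS = 60 * 60 * 1000          // idle window (constructed value)
const ABSOLUTE_MAX_MS = 8 * 60 * 60 * 1000 // hard cap (constructed value)

type RenewResult = {
  session: SessionRecord | null
  reason: 'renewed' | 'expired' | 'absolute-limit'
}

function expiresAt(s: SessionRecord): number {
  return s.createdAt + MAX_AGE_MS
}

// Writing new tokens without touching createdAt leaves the expiry where it was.
function updateData(s: SessionRecord, patch: Record<string, unknown>): SessionRecord {
  return { ...s, data: { ...s.data, ...patch } }
}

// Sliding renewal: refuse expired sessions, refuse anything past the absolute
// cap, otherwise store the patch and move createdAt forward.
function renew(s: SessionRecord, now: number, patch: Record<string, unknown> = {}): RenewResult {
  if (now > expiresAt(s)) return { session: null, reason: 'expired' }
  if (now - s.firstIssuedAt > ABSOLUTE_MAX_MS) return { session: null, reason: 'absolute-limit' }
  return { session: { ...updateData(s, patch), createdAt: now }, reason: 'renewed' }
}

// Simulate a client calling the refresh endpoint every `stepMs`.
function renewUntilRefused(start: number, stepMs: number): { renewals: number; reason: string } {
  let session: SessionRecord = { data: { user: 'constructed' }, createdAt: start, firstIssuedAt: start }
  for (let renewals = 0, now = start + stepMs; ; renewals++, now += stepMs) {
    const r = renew(session, now)
    if (r.session === null) return { renewals, reason: r.reason }
    session = r.session
  }
}
```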