Custom signin pages with swr/caching enabled - unexpected redirect to login page

Open i7en0v91 opened this issue 1 year ago • 5 comments

Environment

Operating System: Ubuntu 22.04.4 LTS
Node Version: v20.14.0
Nuxt Version: Nuxt 3.12.3 with Nitro
CLI Version: 3.12.0
Nitro Version: 2.9.7
Package Manager: [email protected]
Project modules: from https://github.com/sidebase/nuxt-auth/tree/main/playground-authjs

Reproduction

Download https://github.com/sidebase/nuxt-auth/tree/main/playground-authjs project.

  1. Add a custom sign-in page to the project (e.g. https://github.com/sidebase/nuxt-auth/blob/42b99e2cb973024af7af8666d1bd5230f9ec870e/playground-authjs/pages/custom-signin.vue ). Name it login.vue and put it in the playground-authjs/pages folder.
  2. Register the custom sign-in page in server/api/auth/[...].ts:

      ...
      pages: {
        signIn: '/login'
      }
      ...

  3. Configure the /with-caching page to allow unauthenticated users in playground-authjs/pages/with-caching.vue:

      //definePageMeta({ auth: false })
      definePageMeta({
        middleware: 'auth',
        auth: {
          unauthenticatedOnly: true
        }
      })

  4. Even disable global app middleware in nuxt.config.ts: globalAppMiddleware: false
  5. npm run dev, open browser and type http://localhost:3000/with-caching

User gets redirected to sign-in page: redirection-flow


All changes to the original 0.8.0 playground-authjs project necessary for reproduction were captured in all-changes.

Describe the bug

Hi nuxt-auth team!

In the 0.8.0 release I've encountered an unobvious redirection to the login page. The problem is specific only to the case when:

  1. custom sign-in page is used
  2. caching is enabled in nitro route rules and disableServerSideAuth: true - exactly as it is in playground for auth-js provider for /with-caching page
  3. user is unauthenticated and page is configured to allow unauthenticated users with unauthenticatedOnly: true

When an unauthenticated user visits such a page, they get redirected to the custom sign-in page. But why should this happen? It seems that in version 0.7.2 it worked (no redirects happened), yet disableServerSideAuth was not used there (at least in the playground).

Additional context

No response

Logs

No response

i7en0v91 • Jul 07 '24 22:07

I've encountered an identical issue with nearly the same setup in 0.10.0.

It seems the issue is on the client side, where the authenticated status gets switched to loading; at this point the user is redirected to the login page.

If the user is signed in, they get redirected back again to the original page.

I only get this issue if I set disableServerSideAuth: true globally and then set the specific page I am route guarding to disableServerSideAuth: false.

Plinpod • Jan 09 '25 21:01

I have the same issue. Basically, disableServerSideAuth: true globally will always redirect to the login page no matter what.

imyourm8 • Apr 17 '25 08:04

I'm encountering the same issue. I set disableServerSideAuth: true since I'm building a static site and not using the nuxt server component. However, when initially navigating to the site, the nuxt-auth middleware processes the initial request while in the loading state and therefore does not respect the unauthenticatedOnly: true setting defined on the page. However, after it redirects to the login page and loads the site, the state becomes unauthenticated and then I can navigate to the unauthenticated pages.

Is there a way to make the middleware block resolving the route until it has finished its loading procedure?

coreyshuman • Jul 08 '25 02:07

@coreyshuman,

Probably there is one more thing to consider regarding your scenario... I suppose a static website should be using page caching heavily, and once the page is rendered and put into Nitro's cache, Nuxt middlewares won't be called in subsequent requests. So even an authenticated user will be able to obtain the cached version of a page with the unauthenticatedOnly: true setting set. I believe there should be only a few pages with this option in such a website, mainly login pages.

i7en0v91 • Jul 08 '25 22:07

I am now also running into this issue. I have disableServerSideAuth: true because some of my pages will show different info on them depending on if the user is logged in or not, but I don't want to be caching the page when it is displaying authenticated only data. As soon as I disable server auth, the middleware fails for unauthenticated routes because it gets sent into an infinite loop.

Moonlight63 • Sep 12 '25 20:09
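
The redirect race described in the comments above, as a framework-free model: the same redirect decision sends a guest-only page to sign-in when it runs while the status is still `loading`, and allows it once the status has settled. This is an added example, not code from the thread or from nuxt-auth; `decide`, `settledStatus`, `guardAfterSettle`, `fakeSession` and the `/` landing page are assumed names and values, and only the three status strings and `/login` come from the issue.

```javascript
// Added example: a framework-free model of the redirect race, not nuxt-auth source.
const SIGN_IN = '/login';   // custom sign-in page from the reproduction
const AUTHED_HOME = '/';    // assumed landing page for signed-in users

// Redirect decision: returns a path to redirect to, or null to allow the route.
// Only a settled 'unauthenticated' satisfies a guest-only page, so calling this
// while the status is still 'loading' falls through to the sign-in redirect.
function decide(status, meta) {
  if (meta.auth === false) return null;                   // public page
  if (meta.unauthenticatedOnly) {
    if (status === 'unauthenticated') return null;        // guest allowed
    if (status === 'authenticated') return AUTHED_HOME;   // signed-in user sent away
  }
  return status === 'authenticated' ? null : SIGN_IN;
}

// Resolve to the settled status, or to 'unauthenticated' if the session lookup
// does not finish in time (fail closed: protected pages still go to sign-in).
async function settledStatus(session, timeoutMs = 2000) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve('unauthenticated'), timeoutMs);
  });
  try {
    return await Promise.race([session.ready, timeout]);
  } finally {
    clearTimeout(timer);
  }
}

// Guard that blocks route resolution until the status has settled.
async function guardAfterSettle(session, meta, timeoutMs) {
  return decide(await settledStatus(session, timeoutMs), meta);
}

// Constructed stand-in for a client-side session fetch that settles after delayMs.
function fakeSession(finalStatus, delayMs) {
  const session = { status: 'loading' };
  session.ready = new Promise((resolve) => setTimeout(() => {
    session.status = finalStatus;
    resolve(finalStatus);
  }, delayMs));
  return session;
}
```

Waiting for the status only fixes the client-side decision; a page served from the route cache never runs the guard on the server, so per-user data still has to stay out of cached HTML.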