
User not logged out when 401 on refresh occurs

Open benoitlemaire opened this issue 1 year ago • 4 comments

Environment

  • Operating System: Darwin
  • Node Version: v20.16.0
  • Nuxt Version: 3.14.1592
  • CLI Version: 3.16.0
  • Nitro Version: 2.10.4

Reproduction

playground-local with external backend api

Describe the bug

Description:
I'm encountering an issue with user sessions and token refresh behavior. Here's the scenario:

  1. I log in to my site, and everything works perfectly.
  2. I open the same site in an incognito window and log in with the same user. Everything works perfectly here too.
  3. However, when I return to the first session (non-incognito), the refresh requests start failing with a 401 error because my backend sends an error since the refresh tokens are different.

Despite the 401 errors, the user is not logged out in the original session. They can still navigate through the site and access pages, which is not the expected behavior.

Expected Behavior:
If the refresh or getSession requests throw a 401 or 403 error, the user should be automatically logged out from that session.

Current Configuration:
Below is my current configuration:

auth: {
  baseURL: 'https://external-backend.com/api/',
  provider: {
    type: 'local',
    endpoints: {
      getSession: { path: '/auth/get-session', method: 'get' },
      signIn: { path: '/auth/login', method: 'post' },
      signUp: { path: '/auth/register', method: 'post' },
      signOut: { path: '/auth/logout', method: 'get' },
    },
    pages: {
      login: '/'
    },
    token: {
      signInResponseTokenPointer: '/accessToken',
    },
    refresh: {
      isEnabled: true,
      endpoint: { path: 'auth/refresh', method: 'post' },
      refreshOnlyToken: false,
      token: {
        signInResponseRefreshTokenPointer: '/refreshToken',
        refreshRequestTokenPointer: '/refreshToken',
        maxAgeInSeconds: 900,
      }
    }
  },
  sessionRefresh: {
    enableOnWindowFocus: false,
    enablePeriodically: 5000,
  },
  globalAppMiddleware: {
    isEnabled: true
  }
}

Question:
What am I missing in my configuration to ensure that the user is logged out automatically if the refresh or getSession requests fail with a 401 or 403 error? Tried on 0.9.4 and 0.10.0.

https://github.com/user-attachments/assets/4ddf2b26-6070-46f9-8897-e006af3822ac

Additional context

I think the FetchError is not caught in useAuth; here are the errors in the console when the refresh fails:

ofetch.03887fc3.mjs?v=88c26a32:316 Uncaught (in promise) FetchError: [POST] "https://my-external-api.com/api/auth/refresh": 401 
    at async $fetch2 (ofetch.03887fc3.mjs?v=88c26a32:316:15)
    at async Object.refresh (useAuth.ts:198:20)

Logs

No response

benoitlemaire, Dec 20 '24 07:12
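A defensive pattern for the behaviour the report asks for, as an added example that is not nuxt-auth's code: a refresh wrapper that treats a 401 or 403 from the refresh endpoint as a definitive rejection and clears the session, while keeping the session on transient failures. `refreshToken`, `clearSession` and `navigateToLogin` are hypothetical injected callbacks, the `FetchError` class is a stand-in for ofetch's, and the responses are constructed.

```javascript
// Added example (not nuxt-auth code): fail closed when the backend rejects a refresh.
// In the report, ofetch's FetchError escapes useAuth.refresh() unhandled, so the
// stale session survives. This wrapper classifies the failure instead.

class FetchError extends Error {
  // Minimal stand-in for ofetch's FetchError: carries the HTTP status code.
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Status codes that mean the refresh token itself is no longer accepted.
const AUTH_REJECTED = new Set([401, 403]);

// Runs one refresh attempt and returns the resulting session decision:
//   'ok'         - refresh succeeded, session stays
//   'signed-out' - backend rejected the token, session cleared, user sent to login
//   'retry'      - transient failure (network, 5xx), session kept for the next tick
async function refreshOrSignOut({ refreshToken, clearSession, navigateToLogin }) {
  try {
    await refreshToken();
    return 'ok';
  } catch (err) {
    if (err instanceof FetchError && AUTH_REJECTED.has(err.status)) {
      // Definitive rejection: a newer login elsewhere rotated the refresh token,
      // so keeping this session would let a revoked token keep browsing.
      clearSession();
      navigateToLogin();
      return 'signed-out';
    }
    // Anything else (offline, 500) is not proof that the session is invalid.
    return 'retry';
  }
}

// Constructed scenario mirroring the report: a second login rotated the
// refresh token, so the first tab's refresh now receives the given status.
function simulate(status) {
  let cleared = false;
  let redirected = false;
  const deps = {
    refreshToken: async () => {
      if (status === 200) return { accessToken: 'constructed-token' };
      throw new FetchError(status, `[POST] "/api/auth/refresh": ${status}`);
    },
    clearSession: () => { cleared = true; },
    navigateToLogin: () => { redirected = true; },
  };
  return refreshOrSignOut(deps).then((result) => ({ result, cleared, redirected }));
}
```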

Noticed this too in my application. What is the expected behavior? The docs say nothing about error handling when refresh is denied by the backend.

OlePc, Jan 06 '25 20:01

Finding the same issue with credentials auth with a custom backend. Anyone have any workarounds?

NathanD19, Jan 07 '25 04:01

It would be nice if the getSession method throws an error instead of just clearing the session data, and returning null: https://github.com/sidebase/nuxt-auth/blob/52d4b9a5b48431eb9d522865410d209c6d66a613/src/runtime/composables/local/useAuth.ts#L147

I made a workaround using the callGetSession option set to false of the signIn method for the local provider, but I am not sure if you can do the same with refresh calls.

bitfactory-frank-spee, Jan 09 '25 08:01

Also looking for a solution. What is the expected behaviour, actually?

n0-m4d, Jan 20 '25 23:01