feat(oidc): ✨ Added per provider session configuration

itpropro · itpropro · commit 20c92ef25968 · 2024-09-22T18:51:31.000+02:00
diff --git a/README.md b/README.md
@@ -434,18 +434,28 @@ export default defineNuxtConfig({
 | exposeIdToken | `boolean` (optional) | `false` | Expose raw id token to the client within session object
 | callbackRedirectUrl | `string` (optional) | `/` | Set a custom redirect url to redirect to after a successful callback
 | allowedClientAuthParameters | `string[]` (optional) | `[]` | List of allowed client-side user-added query parameters for the auth request
+| sessionConfiguration | `ProviderSessionConfig` (optional) | `{}` | Session configuration overrides, see [session](#session)
 
 #### `session`
 
-The following options are available for the session configuration.
+The following options are available for the global session configuration.
 
 | Option | Type | Default | Description |
 | --- | --- | --- | --- |
-| expirationCheck | `boolean` | `true` | Check if session is expired based on access token exp |
 | automaticRefresh | `boolean` | `true` | Automatically refresh access token and session if refresh token is available (indicated by `canRefresh` property on user object) |
+| expirationCheck | `boolean` | `true` | Check if session is expired based on access token exp |
+| expirationThreshold | `number` | `0` | Amount of seconds before access token expiration to trigger automatic refresh |
 | maxAge | `number` | `60 * 60 * 24` (1 day) | Maximum auth session duration in seconds |
 | cookie | `` | `` | Additional cookie setting overrides for `sameSite` and `secure` |
 
+The following options are available on every provider as overrides for the global session configuration.
+
+| Option | Type | Default | Description |
+| --- | --- | --- | --- |
+| automaticRefresh | `boolean` | `true` | Check if session is expired based on access token exp |
+| expirationCheck | `boolean` | `true` | Automatically refresh access token and session if refresh token is available (indicated by `canRefresh` property on user object) |
+| expirationThreshold | `number` | `0` | Amount of seconds before access token expiration to trigger automatic refresh |
+
 #### `middleware`
 
 | Option | Type | Default | Description |
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/module.ts b/src/module.ts
@@ -125,13 +125,15 @@ export default defineNuxtModule<ModuleOptions>({
       })
     }
     else {
-      if (options.defaultProvider && !options.middleware.customLoginPage) {
-        extendRouteRules('/auth/login', {
-          redirect: {
-            to: `/auth/${options.defaultProvider}/login`,
-            statusCode: 302,
-          },
-        })
+      if (options.defaultProvider) {
+        if (!options.middleware.customLoginPage) {
+          extendRouteRules('/auth/login', {
+            redirect: {
+              to: `/auth/${options.defaultProvider}/login`,
+              statusCode: 302,
+            },
+          })
+        }
         extendRouteRules('/auth/logout', {
           redirect: {
             to: `/auth/${options.defaultProvider}/logout`,
diff --git a/src/runtime/server/api/refresh.post.ts b/src/runtime/server/api/refresh.post.ts
@@ -4,6 +4,7 @@ import { getUserSession, refreshUserSession, sessionHooks } from '../utils/sessi
 export default eventHandler(async (event) => {
   await getUserSession(event)
   const session = await refreshUserSession(event)
-  await sessionHooks.callHookParallel('refresh', session, event)
+  if (session)
+    await sessionHooks.callHookParallel('refresh', session, event)
   return session
 })
diff --git a/src/runtime/server/utils/provider.ts b/src/runtime/server/utils/provider.ts
@@ -1,3 +1,4 @@
+import type { ProviderSessionConfig } from '../../types'
 import { createDefu } from 'defu'
 
 type MakePropertiesRequired<T, K extends keyof T> = T & Required<Pick<T, K>>
@@ -171,6 +172,11 @@ export interface OidcProviderConfig {
    * @default []
    */
   allowedClientAuthParameters?: string[]
+  /**
+   * Session configuration overrides
+   * @default {}
+   */
+  sessionConfiguration: ProviderSessionConfig
 }
 
 // Cannot import from utils here, otherwise Nuxt will throw '[worker reload] [worker init] Cannot access 'configMerger' before initialization'
@@ -211,6 +217,7 @@ export function defineOidcProvider<TConfig, TRequired extends keyof OidcProvider
     callbackRedirectUrl: '/',
     allowedClientAuthParameters: [],
     logoutUrl: '',
+    sessionConfiguration: {},
   }
   const mergedConfig = configMerger(config, defaults)
   return mergedConfig as MakePropertiesRequired<Partial<typeof mergedConfig>, TRequired>
diff --git a/src/runtime/server/utils/session.ts b/src/runtime/server/utils/session.ts
@@ -1,8 +1,8 @@
 import type { H3Event, SessionConfig } from 'h3'
-import type { AuthSessionConfig, PersistentSession, ProviderKeys, UserSession } from '../../types'
+import type { AuthSessionConfig, PersistentSession, ProviderKeys, ProviderSessionConfig, UserSession } from '../../types'
 import type { OidcProviderConfig } from './provider'
 import { defu } from 'defu'
-import { createError, deleteCookie, useSession } from 'h3'
+import { createError, deleteCookie, sendRedirect, useSession } from 'h3'
 import { createHooks } from 'hookable'
 import * as providerPresets from '../../providers'
 import { configMerger, refreshAccessToken, useOidcLogger } from './oidc'
@@ -11,7 +11,8 @@ import { decryptToken, encryptToken, parseJwtToken } from './security'
 import { useRuntimeConfig, useStorage } from '#imports'
 
 const sessionName = 'nuxt-oidc-auth'
-let sessionConfig: SessionConfig & AuthSessionConfig
+let sessionConfig: Pick<SessionConfig, 'name' | 'password'> & AuthSessionConfig
+const providerSessionConfigs: Record<ProviderKeys, ProviderSessionConfig> = {} as any
 
 export interface SessionHooks {
   /**
@@ -61,14 +62,10 @@ export async function refreshUserSession(event: H3Event) {
   const persistentSession = await useStorage('oidc').getItem<PersistentSession>(session.id as string) as PersistentSession | null
 
   if (!session.data.canRefresh || !persistentSession?.refreshToken) {
-    throw createError({
-      statusCode: 500,
-      message: 'No refresh token',
-    })
+    logger.warn('No refresh token')
+    return
   }
 
-  await sessionHooks.callHookParallel('refresh', session.data, event)
-
   // Refresh the access token
   const tokenKey = process.env.NUXT_OIDC_TOKEN_KEY as string
   const refreshToken = await decryptToken(persistentSession.refreshToken, tokenKey)
@@ -82,7 +79,7 @@ export async function refreshUserSession(event: H3Event) {
   }
   catch (error) {
     logger.error(error)
-    await clearUserSession(event)
+    return sendRedirect(event, '/auth/logout')
   }
 
   const { user, tokens, expiresIn } = tokenRefreshResponse!
@@ -110,7 +107,8 @@ export async function requireUserSession(event: H3Event) {
 
 export async function getUserSession(event: H3Event) {
   const logger = useOidcLogger()
-  const userSession = (await _useSession(event)).data
+  const session = await _useSession(event)
+  const userSession = session.data
 
   if (Object.keys(userSession).length === 0) {
     throw createError({
@@ -119,19 +117,21 @@ export async function getUserSession(event: H3Event) {
     })
   }
 
+  const provider = userSession.provider as ProviderKeys
+
   // Expiration check
-  if (sessionConfig.expirationCheck) {
-    const sessionId = await getUserSessionId(event)
+  if (providerSessionConfigs[provider]?.expirationCheck) {
+    const sessionId = session.id
     const persistentSession = await useStorage('oidc').getItem<PersistentSession>(sessionId as string) as PersistentSession | null
     if (!persistentSession)
       logger.warn('Persistent user session not found')
 
     let expired = true
     if (persistentSession) {
-      expired = persistentSession?.exp <= (Math.trunc(Date.now() / 1000) + (sessionConfig.expirationThreshold && typeof sessionConfig.expirationThreshold === 'number' ? sessionConfig.expirationThreshold : 0))
+      expired = persistentSession?.exp <= (Math.trunc(Date.now() / 1000) + (providerSessionConfigs[provider].expirationThreshold && typeof providerSessionConfigs[provider].expirationThreshold === 'number' ? providerSessionConfigs[provider].expirationThreshold : 0))
     }
     else if (userSession) {
-      expired = userSession?.expireAt <= (Math.trunc(Date.now() / 1000) + (sessionConfig.expirationThreshold && typeof sessionConfig.expirationThreshold === 'number' ? sessionConfig.expirationThreshold : 0))
+      expired = userSession?.expireAt <= (Math.trunc(Date.now() / 1000) + (providerSessionConfigs[provider].expirationThreshold && typeof providerSessionConfigs[provider].expirationThreshold === 'number' ? providerSessionConfigs[provider].expirationThreshold : 0))
     }
     else {
       throw createError({
@@ -142,7 +142,7 @@ export async function getUserSession(event: H3Event) {
     if (expired) {
       logger.info('Session expired')
       // Automatic token refresh
-      if (sessionConfig.automaticRefresh) {
+      if (providerSessionConfigs[provider].automaticRefresh) {
         await refreshUserSession(event)
         logger.info('Successfully refreshed token')
         return userSession
@@ -162,9 +162,19 @@ export async function getUserSessionId(event: H3Event) {
 }
 
 function _useSession(event: H3Event) {
-  if (!sessionConfig) {
-    // @ts-expect-error - Type mismatch
-    sessionConfig = defu({ password: process.env.NUXT_OIDC_SESSION_SECRET, name: sessionName }, useRuntimeConfig(event).oidc.session)
+  if (!sessionConfig || !Object.keys(providerSessionConfigs).length) {
+    // Merge sessionConfig
+    sessionConfig = defu({ password: process.env.NUXT_OIDC_SESSION_SECRET!, name: sessionName }, useRuntimeConfig(event).oidc.session)
+    // Merge providerSessionConfigs
+    Object.keys(useRuntimeConfig(event).oidc.providers).map(
+      key => key as ProviderKeys,
+    ).forEach(
+      key => providerSessionConfigs[key] = defu(useRuntimeConfig(event).oidc.providers[key]?.sessionConfiguration, {
+        automaticRefresh: useRuntimeConfig(event).oidc.session.automaticRefresh,
+        expirationCheck: useRuntimeConfig(event).oidc.session.expirationCheck,
+        expirationThreshold: useRuntimeConfig(event).oidc.session.expirationThreshold,
+      }) as ProviderSessionConfig,
+    )
   }
   return useSession<UserSession>(event, sessionConfig)
 }
diff --git a/src/runtime/types.ts b/src/runtime/types.ts
@@ -162,7 +162,7 @@ export interface AuthorizationResponse {
 }
 
 export interface UserSession {
-  provider?: ProviderKeysWithDev
+  provider: ProviderKeysWithDev
   canRefresh: boolean
   loggedInAt?: number
   expireAt: number
@@ -217,3 +217,5 @@ export interface AuthSessionConfig {
     secure?: boolean | undefined
   }
 }
+
+export interface ProviderSessionConfig extends Omit<AuthSessionConfig, 'maxAge' | 'cookie'> {}

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ export interface AuthorizationResponse {`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`export interface UserSession {`
`165`		`- provider?: ProviderKeysWithDev`
	`165`	`+ provider: ProviderKeysWithDev`
`166`	`166`	`canRefresh: boolean`
`167`	`167`	`loggedInAt?: number`
`168`	`168`	`expireAt: number`
`@@ -217,3 +217,5 @@ export interface AuthSessionConfig {`
`217`	`217`	`secure?: boolean \| undefined`
`218`	`218`	`}`
`219`	`219`	`}`
	`220`	`+`
	`221`	`+export interface ProviderSessionConfig extends Omit<AuthSessionConfig, 'maxAge' \| 'cookie'> {}`