v3.1.0 - Refactor: HttpOnly cookies (#90)

* v3.1.0 - Refactor: HttpOnly cookies

- This update aims to provide support for httpOnly cookies in all the schemes and providers for this module.

* fix: dev mode base url

* fix: remove token on reset

Author: Denoder

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@nuxt-alt/auth",
-    "version": "3.0.5",
+    "version": "3.1.0",
     "description": "An alternative module to @nuxtjs/auth",
     "homepage": "https://github.com/nuxt-alt/auth",
     "author": "Denoder",

src/module.ts

@@ -1,5 +1,5 @@
 import type { ModuleOptions } from './types';
-import { addImports, addPluginTemplate, addTemplate, createResolver, defineNuxtModule, installModule, addRouteMiddleware } from '@nuxt/kit';
+import { addImports, addPluginTemplate, addTemplate, createResolver, defineNuxtModule, installModule, addRouteMiddleware, addServerHandler } from '@nuxt/kit';
 import { name, version } from '../package.json';
 import { resolveStrategies } from './resolve';
 import { moduleDefaults } from './options';
@@ -94,6 +94,14 @@ export default defineNuxtModule({
         // Transpile
         nuxt.options.build.transpile.push(runtime, providers, utils)
 
+        if (nuxt.options.ssr) {
+            addServerHandler({
+                route: '/_auth/reset',
+                method: 'post',
+                handler: resolver.resolve(runtime, 'token-nitro'),
+            })
+        }
+
         // Middleware
         if (options.enableMiddleware) {
             addRouteMiddleware({

src/resolve.ts

@@ -1,5 +1,6 @@
 import type { Strategy, ModuleOptions, ProviderNames, SchemeNames } from './types';
 import type { Nuxt } from '@nuxt/schema';
+import { addAuthorize, addLocalAuthorize, assignAbsoluteEndpoints, assignDefaults } from './utils/provider';
 import { ProviderAliases } from './runtime/providers';
 import * as AUTH_PROVIDERS from './runtime/providers';
 import { resolvePath } from '@nuxt/kit';
@@ -16,6 +17,113 @@ export const BuiltinSchemes = {
     auth0: 'Auth0Scheme',
 };
 
+export const OAUTH2DEFAULTS = {
+    accessType: undefined,
+    redirectUri: undefined,
+    logoutRedirectUri: undefined,
+    clientId: undefined,
+    clientSecretTransport: 'body',
+    audience: undefined,
+    grantType: undefined,
+    responseMode: undefined,
+    acrValues: undefined,
+    autoLogout: false,
+    endpoints: {
+        logout: undefined,
+        authorization: undefined,
+        token: undefined,
+        userInfo: undefined,
+    },
+    scope: [],
+    token: {
+        property: 'access_token',
+        expiresProperty: 'expires_in',
+        type: 'Bearer',
+        name: 'Authorization',
+        maxAge: false,
+        global: true,
+        prefix: '_token.',
+        expirationPrefix: '_token_expiration.',
+    },
+    idToken: {
+        property: 'id_token',
+        maxAge: 1800,
+        prefix: '_id_token.',
+        expirationPrefix: '_id_token_expiration.',
+    },
+    refreshToken: {
+        property: 'refresh_token',
+        maxAge: 60 * 60 * 24 * 30,
+        prefix: '_refresh_token.',
+        expirationPrefix: '_refresh_token_expiration.',
+        httpOnly: false,
+    },
+    user: {
+        property: false,
+    },
+    responseType: 'token',
+    codeChallengeMethod: false,
+    clientWindow: false,
+    clientWindowWidth: 400,
+    clientWindowHeight: 600
+};
+
+export const LOCALDEFAULTS = {
+    cookie: {
+        name: undefined
+    },
+    endpoints: {
+        csrf: {
+            url: '/api/csrf-cookie',
+        },
+        login: {
+            url: '/api/auth/login',
+            method: 'post',
+        },
+        logout: {
+            url: '/api/auth/logout',
+            method: 'post',
+        },
+        user: {
+            url: '/api/auth/user',
+            method: 'get',
+        },
+        refresh: {
+            url: '/api/auth/refresh',
+            method: 'POST',
+        },
+    },
+    token: {
+        expiresProperty: 'expires_in',
+        property: 'token',
+        type: 'Bearer',
+        name: 'Authorization',
+        maxAge: false,
+        global: true,
+        required: true,
+        prefix: '_token.',
+        expirationPrefix: '_token_expiration.',
+    },
+    refreshToken: {
+        property: 'refresh_token',
+        data: 'refresh_token',
+        maxAge: 60 * 60 * 24 * 30,
+        required: true,
+        tokenRequired: false,
+        prefix: '_refresh_token.',
+        expirationPrefix: '_refresh_token_expiration.',
+        httpOnly: false,
+    },
+    autoLogout: false,
+    user: {
+        property: 'user',
+        autoFetch: true,
+    },
+    clientId: false,
+    grantType: false,
+    scope: false,
+};
+
 export interface ImportOptions {
     name: string;
     as: string;
@@ -44,13 +152,15 @@ export async function resolveStrategies(nuxt: Nuxt, options: ModuleOptions) {
             strategy.provider = strategy.name as ProviderNames;
         }
 
+        // Determine if SSR is enabled
+        strategy.ssr = nuxt.options.ssr
+
         // Try to resolve provider
-        const provider = await resolveProvider(strategy.provider);
+        const provider = await resolveProvider(strategy.provider, nuxt, strategy);
 
         delete strategy.provider;
 
-        // check that the provider isn't a nuxt module
-        if (typeof provider === 'function') {
+        if (typeof provider === "function") {
             provider(nuxt, strategy);
         }
 
@@ -103,7 +213,7 @@ export async function resolveScheme(scheme: string) {
     }
 }
 
-export async function resolveProvider(provider: string | ((...args: any[]) => any)) {
+export async function resolveProvider(provider: string | ((...args: any[]) => any), nuxt: Nuxt, strategy: Strategy) {
 
     provider = (ProviderAliases[provider as keyof typeof ProviderAliases] || provider);
 
@@ -113,11 +223,26 @@ export async function resolveProvider(provider: string | ((...args: any[]) => an
 
     // return the provider
     if (typeof provider === 'function') {
-        return provider;
+        return provider(nuxt, strategy);
     }
 
     // return an empty function as it doesn't use a provider
     if (typeof provider === 'string') {
-        return (nuxt, strategy) => {}
+        return (nuxt: Nuxt, strategy: Strategy) => {
+            if (['oauth2', 'openIDConnect', 'auth0'].includes(strategy.scheme!) && strategy.ssr) {
+                assignDefaults(strategy as any, OAUTH2DEFAULTS)
+                addAuthorize(nuxt, strategy as any, true)
+            }
+
+            if (['refresh', 'local', 'cookie'].includes(strategy.scheme!) && strategy.ssr) {
+                assignDefaults(strategy as any, LOCALDEFAULTS)
+
+                if (strategy.url) {
+                    assignAbsoluteEndpoints(strategy as any);
+                }
+
+                addLocalAuthorize(nuxt, strategy as any)
+            }
+        }
     }
 }

src/runtime/core/auth.ts

@@ -67,7 +67,7 @@ export class Auth {
         return redirects;
     }
 
-    checkTokenValidation() {
+    #checkTokenValidation() {
         this.#tokenValidationInterval = setInterval(async () => {
             // Perform scheme checks.
             const { valid, tokenExpired, refreshTokenExpired, isRefreshable } = this.check(true);
@@ -195,12 +195,12 @@ export class Auth {
                     }
 
                     if (enableTokenValidation && loggedIn) {
-                        this.checkTokenValidation()
+                        this.#checkTokenValidation()
                     }
                 })
 
                 if (enableTokenValidation && this.loggedIn) {
-                    this.checkTokenValidation()
+                    this.#checkTokenValidation()
                 }
             }
         }
@@ -311,9 +311,7 @@ export class Auth {
             this.refreshStrategy.refreshToken.reset();
         }
 
-        return this.strategy.reset!(
-            ...(args as [options?: { resetInterceptor: boolean }])
-        );
+        return this.strategy.reset!(...(args as [options?: { resetInterceptor: boolean }]));
     }
 
     async refreshTokens(): Promise<HTTPResponse<any> | void> {
@@ -372,13 +370,24 @@ export class Auth {
             return Promise.reject(new Error('[AUTH] add the @nuxt-alt/http module to nuxt.config file'));
         }
 
-        return this.ctx.$http.raw(request).catch((error: Error) => {
-            // Call all error handlers
-            this.callOnError(error, { method: 'request' });
+        if (process.server && this.ctx.ssrContext) {
+            return this.ctx.ssrContext.event.$http.raw(request).catch((error: Error) => {
+                // Call all error handlers
+                this.callOnError(error, { method: 'request' });
+    
+                // Throw error
+                return Promise.reject(error);
+            });
+        } else {
+            return this.ctx.$http.raw(request).catch((error: Error) => {
+                // Call all error handlers
+                this.callOnError(error, { method: 'request' });
+    
+                // Throw error
+                return Promise.reject(error);
+            });
+        }
 
-            // Throw error
-            return Promise.reject(error);
-        });
     }
 
     async requestWith(endpoint?: HTTPRequest, defaults?: HTTPRequest): Promise<HTTPResponse<any>> {

src/runtime/core/storage.ts

@@ -13,14 +13,13 @@ export class Storage {
     #initPiniaStore!: AuthStore;
     #initStore!: Ref<AuthState>;
     state: AuthState;
-    #state: AuthState;
+    memory!: Ref<AuthState>;
     #piniaEnabled: boolean = false;
 
     constructor(ctx: NuxtApp, options: ModuleOptions) {
         this.ctx = ctx;
         this.options = options;
         this.state = options.initialState!
-        this.#state = options.initialState!
 
         this.#initState();
     }
@@ -104,7 +103,7 @@ export class Storage {
     async #initState() {
         // Use pinia for local state's if possible
         const pinia = this.ctx.$pinia as Pinia
-        this.#piniaEnabled = this.options.stores.pinia!.enabled && !!pinia;
+        this.#piniaEnabled = this.options.stores.pinia!?.enabled! && !!pinia;
 
         if (this.#piniaEnabled) {
             const { defineStore } = await import('pinia')
@@ -121,6 +120,8 @@ export class Storage {
 
             this.state = this.#initStore.value
         }
+
+        this.memory = useState<AuthState>('auth-internal', () => ({}))
     }
 
     get pinia() {
@@ -133,7 +134,7 @@ export class Storage {
 
     setState(key: string, value: any) {
         if (key.startsWith('_')) {
-            this.#state[key] = value;
+            this.memory.value[key] = value;
         }
         else if (this.#piniaEnabled) {
             this.#initPiniaStore.$patch({ [key]: value });
@@ -149,7 +150,7 @@ export class Storage {
         if (!key.startsWith('_')) {
             return this.state[key];
         } else {
-            return this.#state[key];
+            return this.memory.value[key];
         }
     }