fix(auth): only add mint cookie endpoint with admin sdk

posva · posva · commit b81dff0a64e8 · 2023-01-15T16:34:44.000+01:00
diff --git a/packages/nuxt/src/module.ts b/packages/nuxt/src/module.ts
@@ -106,14 +106,6 @@ const VueFire: NuxtModule<VueFireNuxtModuleOptions> =
       nuxt.options.build.transpile.push('vuefire')
       nuxt.options.build.transpile.push('vuefire/server')
 
-      // Add the session handler than mints a cookie for the user
-      if (nuxt.options.ssr) {
-        addServerHandler({
-          route: '/api/__session',
-          handler: resolve(runtimeDir, './auth/api.session'),
-        })
-      }
-
       // This one is set by servers, we set the GOOGLE_APPLICATION_CREDENTIALS env variable instead that has a lower priority and can be both a path or a JSON string
       // process.env.FIREBASE_CONFIG ||= JSON.stringify(options.config)
       if (typeof options.admin?.serviceAccount === 'string') {
@@ -135,6 +127,17 @@ const VueFire: NuxtModule<VueFireNuxtModuleOptions> =
           )
         }
 
+        // Add the session handler than mints a cookie for the user
+        if (nuxt.options.ssr && hasServiceAccount) {
+          addServerHandler({
+            route: '/api/__session',
+            handler: resolve(runtimeDir, './auth/api.session'),
+          })
+
+          // must be added after (which means before in code) the plugin module
+          addPlugin(resolve(runtimeDir, 'auth/plugin-mint-cookie.client'))
+        }
+
         addPlugin(resolve(runtimeDir, 'auth/plugin.client'))
         // must be added after the admin module to use the admin app
         addPlugin(resolve(runtimeDir, 'auth/plugin.server'))
diff --git a/packages/nuxt/src/runtime/auth/plugin-mint-cookie.client.ts b/packages/nuxt/src/runtime/auth/plugin-mint-cookie.client.ts
@@ -0,0 +1,52 @@
+import type { FirebaseApp } from 'firebase/app'
+import {
+  getAuth,
+  onIdTokenChanged,
+  beforeAuthStateChanged,
+  User,
+} from 'firebase/auth'
+import { defineNuxtPlugin } from '#app'
+
+/**
+ * Sets up a watcher that mints a cookie based auth session. On the server, it reads the cookie to
+ * generate the proper auth state. **Must be added after the firebase auth plugin.**
+ */
+export default defineNuxtPlugin((nuxtApp) => {
+  const firebaseApp = nuxtApp.$firebaseApp as FirebaseApp
+
+  const auth = getAuth(firebaseApp)
+  // send a post request to the server when auth state changes to mint a cookie
+  beforeAuthStateChanged(
+    auth,
+    // if this fails, we rollback the auth state
+    mintCookie,
+    () => {
+      // rollback the auth state
+      mintCookie(auth.currentUser)
+    }
+  )
+
+  // we need both callback to avoid some race conditions
+  onIdTokenChanged(auth, mintCookie)
+})
+
+// TODO: should this be throttled to avoid multiple calls
+/**
+ * Sends a post request to the server to mint a cookie based auth session. The name of the cookie is defined in the
+ * api.session.ts file.
+ *
+ * @param user - the user to mint a cookie for
+ */
+async function mintCookie(user: User | null) {
+  const jwtToken = await user?.getIdToken(/* forceRefresh */ true)
+  // throws if the server returns an error so that beforeAuthStateChanged can catch it to cancel
+  await $fetch(
+    // '/api/__session-server',
+    '/api/__session',
+    {
+      method: 'POST',
+      // if the token is undefined, the server will delete the cookie
+      body: { token: jwtToken },
+    }
+  )
+}
diff --git a/packages/nuxt/src/runtime/auth/plugin.client.ts b/packages/nuxt/src/runtime/auth/plugin.client.ts
@@ -1,54 +1,12 @@
 import type { FirebaseApp } from 'firebase/app'
-import {
-  getAuth,
-  onIdTokenChanged,
-  beforeAuthStateChanged,
-  User,
-} from 'firebase/auth'
 import { VueFireAuth } from 'vuefire'
 import { defineNuxtPlugin } from '#app'
 
 /**
- * Setups VueFireAuth and automatically mints a cookie based auth session. On the server, it reads the cookie to
- * generate the proper auth state.
+ * Setups VueFireAuth for the client.
  */
 export default defineNuxtPlugin((nuxtApp) => {
   const firebaseApp = nuxtApp.$firebaseApp as FirebaseApp
 
   VueFireAuth(nuxtApp.payload.vuefireUser)(firebaseApp, nuxtApp.vueApp)
-  const auth = getAuth(firebaseApp)
-  // send a post request to the server when auth state changes to mint a cookie
-  beforeAuthStateChanged(
-    auth,
-    // if this fails, we rollback the auth state
-    mintCookie,
-    () => {
-      // rollback the auth state
-      mintCookie(auth.currentUser)
-    }
-  )
-
-  // we need both callback to avoid some race conditions
-  onIdTokenChanged(auth, mintCookie)
 })
-
-// TODO: should this be throttled to avoid multiple calls
-/**
- * Sends a post request to the server to mint a cookie based auth session. The name of the cookie is defined in the
- * api.session.ts file.
- *
- * @param user - the user to mint a cookie for
- */
-async function mintCookie(user: User | null) {
-  const jwtToken = await user?.getIdToken(/* forceRefresh */ true)
-  // throws if the server returns an error so that beforeAuthStateChanged can catch it to cancel
-  await $fetch(
-    // '/api/__session-server',
-    '/api/__session',
-    {
-      method: 'POST',
-      // if the token is undefined, the server will delete the cookie
-      body: { token: jwtToken },
-    }
-  )
-}
