From 8014e2c72f0bfd8a7e948f20d64b82b237ddf911 Mon Sep 17 00:00:00 2001
From: becem <99251251+becem-gharbi@users.noreply.github.com>
Date: Sat, 21 Jan 2023 11:07:50 +0100
Subject: [PATCH 1/3] fix: session management cookie base

save access token in httpOnly cookie for ssr
---
 playground/pages/auth/login.vue               |   2 -
 playground/pages/home.vue                     |  12 +-
 src/module.ts                                 |   6 +
 src/runtime/composables/useAuth.ts            | 134 ++++++++----------
 src/runtime/composables/useAuthFetch.ts       |  18 ++-
 src/runtime/middleware/auth.ts                |  16 +--
 src/runtime/middleware/common.global.ts       |  13 +-
 src/runtime/middleware/guest.ts               |  13 +-
 src/runtime/plugin.ts                         |  18 +--
 .../api/auth/login/[provider]/callback.get.ts |  63 +++++---
 .../server/api/auth/login/index.post.ts       |  13 +-
 src/runtime/server/api/auth/logout.post.ts    |  12 +-
 .../server/api/auth/password/change.put.ts    |   1 -
 .../server/api/auth/password/reset.put.ts     |   1 -
 src/runtime/server/api/auth/refresh.post.ts   |  24 ++--
 src/runtime/server/utils/index.ts             |   3 +
 src/runtime/server/utils/token.ts             |  55 +++++--
 src/runtime/server/utils/user.ts              |   2 +-
 src/runtime/types.d.ts                        |   8 ++
 19 files changed, 221 insertions(+), 193 deletions(-)

diff --git a/playground/pages/auth/login.vue b/playground/pages/auth/login.vue
index 2831e5f..a2e853f 100644
--- a/playground/pages/auth/login.vue
+++ b/playground/pages/auth/login.vue
@@ -16,8 +16,6 @@ const { login, requestPasswordReset, loginWithProvider } = useAuth()
 
 async function handleLogin() {
     const { data, error } = await login({ email: "becem.gharbi96@gmail.com", password: "123456" })
-    console.log(data.value?.accessToken)
-    console.error(error.value?.data?.message)
 }
 
 async function handleRequestPasswordReset() {
diff --git a/playground/pages/home.vue b/playground/pages/home.vue
index 889b124..26a887e 100644
--- a/playground/pages/home.vue
+++ b/playground/pages/home.vue
@@ -3,22 +3,16 @@
         <h1>Home</h1>
         <button @click="fetchUser">Fetch user</button>
         <button @click="handleLogout">Logout</button>
+        <p>{{ user }}</p>
     </div>
 </template>
 
 <script setup lang="ts">
-import { User } from '.prisma/client';
-
 definePageMeta({ middleware: "auth" })
 
-const { logout } = useAuth()
-
-async function fetchUser() {
-    const data = await useAuthFetch<User>("/api/auth/me")
-
-    console.log(data)
-}
+const { logout, fetchUser, useUser } = useAuth()
 
+const user = useUser()
 
 async function handleLogout() {
     await logout()
diff --git a/src/module.ts b/src/module.ts
index c61b78f..a059a45 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -24,6 +24,7 @@ export default defineNuxtModule<ModuleOptions>({
     refreshTokenSecret: "efg",
     accessTokenExpiresIn: "7s",
     refreshTokenMaxAge: 3600,
+    accessTokenMaxAge: 10,
 
     smtp: {
       host: "",
@@ -36,6 +37,9 @@ export default defineNuxtModule<ModuleOptions>({
     baseUrl: "http://localhost:3000",
     enableGlobalAuthMiddleware: false,
     refreshTokenCookieName: "auth_refresh_token",
+
+    accessTokenCookieName: "auth_access_token",
+
     redirect: {
       login: "/auth/login",
       logout: "/auth/login",
@@ -147,6 +151,7 @@ export default defineNuxtModule<ModuleOptions>({
         refreshTokenSecret: options.refreshTokenSecret,
         accessTokenExpiresIn: options.accessTokenExpiresIn,
         refreshTokenMaxAge: options.refreshTokenMaxAge,
+        accessTokenMaxAge: options.accessTokenMaxAge,
         accessTokenClaims: options.accessTokenClaims,
 
         emailTemplates: options.emailTemplates,
@@ -160,6 +165,7 @@ export default defineNuxtModule<ModuleOptions>({
           baseUrl: options.baseUrl,
           enableGlobalAuthMiddleware: options.enableGlobalAuthMiddleware,
           refreshTokenCookieName: options.refreshTokenCookieName,
+          accessTokenCookieName: options.accessTokenCookieName,
           redirect: {
             login: options.redirect.login,
             logout: options.redirect.logout,
diff --git a/src/runtime/composables/useAuth.ts b/src/runtime/composables/useAuth.ts
index f4ae883..1ac836d 100644
--- a/src/runtime/composables/useAuth.ts
+++ b/src/runtime/composables/useAuth.ts
@@ -1,9 +1,10 @@
-import jwt_decode from "jwt-decode";
-import type { Ref } from "vue";
-import { appendHeader } from "h3";
+import { Ref } from "vue";
+import { appendHeader, setHeader } from "h3";
 import type { User, Provider } from "../types";
 import type { AsyncData } from "#app";
 import type { FetchError } from "ofetch";
+import useAuthFetch from "./useAuthFetch";
+import jwtDecode from "jwt-decode";
 
 import {
   useRuntimeConfig,
@@ -27,22 +28,30 @@ type FetchReturn<T> = Promise<AsyncData<UseFetchDataT<T>, UseFetchErrorT>>;
 
 export default function () {
   const publicConfig = useRuntimeConfig().public.auth;
-  const useInitialized: () => Ref<boolean> = () =>
-    useState("auth_initialized", () => false);
+
   const useUser: () => Ref<User | null> = () =>
     useState<User | null>("auth_user", () => null);
-  const useAccessToken: () => Ref<string | null> = () =>
-    useState<string | null>("auth_access_token", () => null);
+
+  const useAccessToken: () => Ref<string | undefined | null> = () =>
+    useState<string | undefined | null>("auth_access_token", () => null);
+
+  const useAccessTokenCookie = () =>
+    useCookie(publicConfig.accessTokenCookieName);
+
+  const useRefreshTokenCookie = () =>
+    useCookie(publicConfig.refreshTokenCookieName);
+
   const event = useRequestEvent();
-  const route = useRoute();
 
   function isAccessTokenExpired() {
     const accessToken = useAccessToken();
+
     if (accessToken.value) {
-      const decoded = jwt_decode(accessToken.value) as { exp: number };
+      const decoded = jwtDecode(accessToken.value) as { exp: number };
       const expires = decoded.exp * 1000;
       return expires < Date.now();
     }
+
     return true;
   }
 
@@ -50,24 +59,24 @@ export default function () {
     email: string;
     password: string;
   }): FetchReturn<{ accessToken: string }> {
-    const accessToken = useAccessToken();
-
     return useFetch<UseFetchDataT<{ accessToken: string }>, UseFetchErrorT>(
       "/api/auth/login",
       {
         method: "POST",
-        credentials: "include",
         body: {
           email: input.email,
           password: input.password,
         },
       }
     ).then(async (res) => {
-      if (res.data.value) {
-        accessToken.value = res.data.value.accessToken;
-        await fetchUser();
+      const accessToken = useAccessToken();
+
+      accessToken.value = res.data.value?.accessToken;
+
+      if (accessToken.value) {
         await navigateTo(publicConfig.redirect.home);
       }
+
       return res;
     });
   }
@@ -80,92 +89,67 @@ export default function () {
 
   async function prefetch(): Promise<void> {
     const accessToken = useAccessToken();
-    if (accessToken.value) {
-      if (isAccessTokenExpired()) {
-        await refresh();
-        if (!accessToken.value) {
-          await logout();
-          throw new Error("Unauthorized");
-        }
-      }
+
+    await refresh();
+
+    if (!accessToken.value) {
+      await logout();
+      throw new Error("unauthorized");
     }
   }
 
   async function refresh(): Promise<void> {
-    let cookie: string | undefined;
-    const accessToken = useAccessToken();
-
     try {
+      const accessToken = useAccessToken();
+
       if (process.server) {
-        const headers = useRequestHeaders(["Cookie"]);
-        cookie = headers.cookie;
+        accessToken.value = useAccessTokenCookie().value;
+      } else {
+        accessToken.value = isAccessTokenExpired() ? null : accessToken.value;
+      }
 
-        if (!cookie || !cookie.includes(publicConfig.refreshTokenCookieName)) {
-          accessToken.value = null;
-          return;
-        }
+      if (accessToken.value) {
+        return;
+      }
+
+      if (process.server && !useRefreshTokenCookie().value) {
+        return;
       }
 
+      const cookie = useRequestHeaders(["cookie"]).cookie || "";
+
       const res = await $fetch.raw<{ accessToken: string }>(
         "/api/auth/refresh",
         {
           method: "POST",
-          credentials: "include",
-          headers: cookie ? { cookie } : {},
-          body: {
-            accessToken: accessToken.value,
-          },
+          headers: process.server ? { cookie } : {},
         }
       );
 
       if (process.server) {
-        const cookie = res.headers.get("set-cookie") || "";
-        appendHeader(event, "set-cookie", cookie);
+        const cookies = (res.headers.get("set-cookie") || "").split(",");
+        for (const cookie of cookies) {
+          appendHeader(event, "set-cookie", cookie);
+        }
       }
 
-      accessToken.value = res._data?.accessToken || null;
-    } catch (error) {
-      accessToken.value = null;
-    }
+      accessToken.value = res._data?.accessToken;
+    } catch (e) {}
   }
 
   async function fetchUser(): Promise<void> {
-    const accessToken = useAccessToken();
     const user = useUser();
-
-    if (!accessToken.value) {
-      user.value = null;
-      return;
-    }
-
-    await prefetch();
-
-    try {
-      user.value = await $fetch<User>("/api/auth/me", {
-        headers: {
-          Authorization: "Bearer " + accessToken.value,
-        },
-      });
-    } catch (error) {
-      user.value = null;
-    }
+    user.value = await useAuthFetch<User>("/api/auth/me");
   }
 
   async function logout(): Promise<void> {
-    const accessToken = useAccessToken();
-    const user = useUser();
-
-    if (accessToken.value) {
-      await $fetch("/api/auth/logout", {
-        method: "POST",
-        credentials: "include",
-      });
-
+    await $fetch("/api/auth/logout", {
+      method: "POST",
+    }).finally(() => {
+      const accessToken = useAccessToken();
       accessToken.value = null;
-    }
-
-    user.value = null;
-    await navigateTo(publicConfig.redirect.logout);
+      return navigateTo(publicConfig.redirect.logout);
+    });
   }
 
   async function register(input: {
@@ -192,6 +176,7 @@ export default function () {
   }
 
   async function resetPassword(password: string): FetchReturn<void> {
+    const route = useRoute();
     return useFetch<UseFetchDataT<void>, UseFetchErrorT>(
       "/api/auth/password/reset",
       {
@@ -217,7 +202,6 @@ export default function () {
   }
 
   return {
-    useInitialized,
     useUser,
     useAccessToken,
     login,
diff --git a/src/runtime/composables/useAuthFetch.ts b/src/runtime/composables/useAuthFetch.ts
index 2a25e22..dd932db 100644
--- a/src/runtime/composables/useAuthFetch.ts
+++ b/src/runtime/composables/useAuthFetch.ts
@@ -8,18 +8,16 @@ export default async function <DataT>(
 ): Promise<DataT> {
   const { useAccessToken, prefetch } = useAuth();
 
-  const accessToken = useAccessToken();
-
   await prefetch();
 
-  if (accessToken.value) {
-    fetchOptions.headers = defu(
-      {
-        Authorization: "Bearer " + accessToken.value,
-      },
-      fetchOptions.headers
-    );
-  }
+  const accessToken = useAccessToken();
+
+  fetchOptions.headers = defu(
+    {
+      Authorization: "Bearer " + accessToken.value,
+    },
+    fetchOptions.headers
+  );
 
   return $fetch<DataT>(path, fetchOptions);
 }
diff --git a/src/runtime/middleware/auth.ts b/src/runtime/middleware/auth.ts
index 6a27a58..18a548a 100644
--- a/src/runtime/middleware/auth.ts
+++ b/src/runtime/middleware/auth.ts
@@ -2,25 +2,25 @@ import { defineNuxtRouteMiddleware, useRuntimeConfig, navigateTo } from "#app";
 import useAuth from "../composables/useAuth";
 
 export default defineNuxtRouteMiddleware((to) => {
-  const config = useRuntimeConfig();
+  const publicConfig = useRuntimeConfig().public.auth;
 
   if (
-    to.path === config.public.auth.redirect.login ||
-    to.path === config.public.auth.redirect.callback
+    to.path === publicConfig.redirect.login ||
+    to.path === publicConfig.redirect.callback
   ) {
     return;
   }
 
-  if (config.public.auth.enableGlobalAuthMiddleware === true) {
+  if (publicConfig.enableGlobalAuthMiddleware === true) {
     if (to.meta.auth === false) {
       return;
     }
   }
 
-  const { useUser } = useAuth();
-  const user = useUser();
+  const { useAccessToken } = useAuth();
 
-  if (!user.value) {
-    return navigateTo(config.public.auth.redirect.login);
+  if (!useAccessToken().value) {
+    console.log("from auth middle redirect ro login");
+    return navigateTo(publicConfig.redirect.login);
   }
 });
diff --git a/src/runtime/middleware/common.global.ts b/src/runtime/middleware/common.global.ts
index c2359d5..9dd390c 100644
--- a/src/runtime/middleware/common.global.ts
+++ b/src/runtime/middleware/common.global.ts
@@ -2,17 +2,16 @@ import { defineNuxtRouteMiddleware, useRuntimeConfig, navigateTo } from "#app";
 import useAuth from "../composables/useAuth";
 
 export default defineNuxtRouteMiddleware((to) => {
-  const config = useRuntimeConfig();
+  const publicConfig = useRuntimeConfig().public.auth;
 
   if (
-    to.path === config.public.auth.redirect.login ||
-    to.path === config.public.auth.redirect.callback
+    to.path === publicConfig.redirect.login ||
+    to.path === publicConfig.redirect.callback
   ) {
-    const { useUser } = useAuth();
-    const user = useUser();
+    const { useAccessToken } = useAuth();
 
-    if (user.value) {
-      return navigateTo(config.public.auth.redirect.home);
+    if (useAccessToken().value) {
+      return navigateTo(publicConfig.redirect.home);
     }
   }
 });
diff --git a/src/runtime/middleware/guest.ts b/src/runtime/middleware/guest.ts
index a8decee..aea9f77 100644
--- a/src/runtime/middleware/guest.ts
+++ b/src/runtime/middleware/guest.ts
@@ -2,19 +2,18 @@ import { defineNuxtRouteMiddleware, useRuntimeConfig, navigateTo } from "#app";
 import useAuth from "../composables/useAuth";
 
 export default defineNuxtRouteMiddleware((to) => {
-  const config = useRuntimeConfig();
+  const publicConfig = useRuntimeConfig().public.auth;
 
   if (
-    to.path === config.public.auth.redirect.login ||
-    to.path === config.public.auth.redirect.callback
+    to.path === publicConfig.redirect.login ||
+    to.path === publicConfig.redirect.callback
   ) {
     return;
   }
 
-  const { useUser } = useAuth();
-  const user = useUser();
+  const { useAccessToken } = useAuth();
 
-  if (user.value) {
-    return navigateTo(config.public.auth.redirect.home);
+  if (useAccessToken().value) {
+    return navigateTo(publicConfig.redirect.home);
   }
 });
diff --git a/src/runtime/plugin.ts b/src/runtime/plugin.ts
index 06b3ef9..e214d1f 100644
--- a/src/runtime/plugin.ts
+++ b/src/runtime/plugin.ts
@@ -6,9 +6,6 @@ import guest from "./middleware/guest";
 
 export default defineNuxtPlugin(async () => {
   const config = useRuntimeConfig();
-  const { useAccessToken, useInitialized } = useAuth();
-  const accessToken = useAccessToken();
-  const initialized = useInitialized();
 
   addRouteMiddleware(common);
 
@@ -18,17 +15,10 @@ export default defineNuxtPlugin(async () => {
 
   addRouteMiddleware("guest", guest);
 
-  if (initialized.value) {
-    return;
-  }
-
-  initialized.value = true;
-
-  const { refresh, fetchUser } = useAuth();
-
-  await refresh();
+  if (process.server) {
+    const { refresh, useAccessToken } = useAuth();
+    await refresh();
 
-  if (accessToken.value) {
-    await fetchUser();
+    //console.log("after plugin refresh", useAccessToken().value);
   }
 });
diff --git a/src/runtime/server/api/auth/login/[provider]/callback.get.ts b/src/runtime/server/api/auth/login/[provider]/callback.get.ts
index 3af0553..ce3877a 100644
--- a/src/runtime/server/api/auth/login/[provider]/callback.get.ts
+++ b/src/runtime/server/api/auth/login/[provider]/callback.get.ts
@@ -1,7 +1,19 @@
 import { defineEventHandler, getQuery, sendRedirect } from "h3";
-import { createUser, findUser } from "#auth";
-import { createRefreshToken, setRefreshTokenCookie } from "#auth";
-import { privateConfig, publicConfig } from "#auth";
+
+import { $fetch } from "ohmyfetch";
+
+import {
+  createRefreshToken,
+  setRefreshTokenCookie,
+  privateConfig,
+  createUser,
+  findUser,
+  publicConfig,
+  createAccessToken,
+  setAccessTokenCookie,
+} from "#auth";
+
+import { User } from "@prisma/client";
 
 export default defineEventHandler(async (event) => {
   try {
@@ -25,48 +37,53 @@ export default defineEventHandler(async (event) => {
       `${publicConfig.baseUrl}/api/auth/login/${provider}/callback`
     );
 
-    const tokenResponse = await fetch(privateConfig.oauth[provider].tokenUrl, {
-      method: "POST",
-      body: formData,
-      headers: {
-        Accept: "application/json",
-      },
-    });
-
-    const { access_token } = await tokenResponse.json();
+    const { access_token } = await $fetch(
+      privateConfig.oauth[provider].tokenUrl,
+      {
+        method: "POST",
+        body: formData,
+        headers: {
+          Accept: "application/json",
+        },
+      }
+    );
 
-    const userResponse = await fetch(privateConfig.oauth[provider].userUrl, {
+    const userInfo = await $fetch(privateConfig.oauth[provider].userUrl, {
       headers: {
         Authorization: "Bearer " + access_token,
       },
     });
 
-    const userInfo = await userResponse.json();
-
     if (userInfo.email) {
-      let user = await findUser({ email: userInfo.email });
+      let user: User | undefined = undefined;
+
+      try {
+        user = await findUser({ email: userInfo.email });
+      } catch (error) {}
 
       if (user && user.provider !== provider) {
         throw new Error("wrong-provider");
       }
 
       if (!user) {
-        user = await createUser({
+        const newUser = await createUser({
           email: userInfo.email,
           name: userInfo.name,
           provider: provider,
           verified: true,
         });
+
+        user = Object.assign(newUser);
       }
 
       if (user) {
-        const refreshToken = await createRefreshToken(user.id);
+        const refreshToken = await createRefreshToken(user);
 
-        setRefreshTokenCookie(event, {
-          id: refreshToken.id,
-          uid: refreshToken.uid,
-          userId: refreshToken.userId,
-        });
+        setRefreshTokenCookie(event, refreshToken);
+
+        const accessToken = createAccessToken(user);
+
+        setAccessTokenCookie(event, accessToken);
       }
     }
 
diff --git a/src/runtime/server/api/auth/login/index.post.ts b/src/runtime/server/api/auth/login/index.post.ts
index 8d8be81..0291139 100644
--- a/src/runtime/server/api/auth/login/index.post.ts
+++ b/src/runtime/server/api/auth/login/index.post.ts
@@ -3,6 +3,7 @@ import {
   createRefreshToken,
   setRefreshTokenCookie,
   createAccessToken,
+  setAccessTokenCookie,
 } from "#auth";
 import { findUser, verifyPassword } from "#auth";
 
@@ -12,7 +13,7 @@ export default defineEventHandler(async (event) => {
 
     const user = await findUser({ email });
 
-    if (!user || !user.password || !verifyPassword(password, user.password)) {
+    if (!user.password || !verifyPassword(password, user.password)) {
       throw new Error("wrong-credentials");
     }
 
@@ -24,16 +25,14 @@ export default defineEventHandler(async (event) => {
       throw new Error("user-blocked");
     }
 
-    const refreshToken = await createRefreshToken(user.id);
+    const refreshToken = await createRefreshToken(user);
 
-    setRefreshTokenCookie(event, {
-      id: refreshToken.id,
-      uid: refreshToken.uid,
-      userId: refreshToken.userId,
-    });
+    setRefreshTokenCookie(event, refreshToken);
 
     const accessToken = createAccessToken(user);
 
+    setAccessTokenCookie(event, accessToken);
+
     return { accessToken };
   } catch (error) {
     throw createError({
diff --git a/src/runtime/server/api/auth/logout.post.ts b/src/runtime/server/api/auth/logout.post.ts
index 37b91d9..9b47f96 100644
--- a/src/runtime/server/api/auth/logout.post.ts
+++ b/src/runtime/server/api/auth/logout.post.ts
@@ -3,24 +3,26 @@ import {
   deleteRefreshTokenCookie,
   getRefreshTokenFromCookie,
   verifyRefreshToken,
+  deleteAccessTokenCookie,
+  deleteRefreshToken,
 } from "#auth";
-import { deleteRefreshToken } from "../../utils/token";
 
 export default defineEventHandler(async (event) => {
   try {
     const refreshToken = getRefreshTokenFromCookie(event);
 
-    if (!refreshToken) {
-      throw new Error("Unauthorized");
-    }
-
     const payload = await verifyRefreshToken(refreshToken);
 
     await deleteRefreshToken(payload.id);
 
     deleteRefreshTokenCookie(event);
+    deleteAccessTokenCookie(event);
+
     return {};
   } catch (error) {
+    deleteRefreshTokenCookie(event);
+    deleteAccessTokenCookie(event);
+
     throw createError({
       statusCode: 400,
       message: error.message,
diff --git a/src/runtime/server/api/auth/password/change.put.ts b/src/runtime/server/api/auth/password/change.put.ts
index 692446a..d48a818 100644
--- a/src/runtime/server/api/auth/password/change.put.ts
+++ b/src/runtime/server/api/auth/password/change.put.ts
@@ -34,7 +34,6 @@ export default defineEventHandler(async (event) => {
 
     return {};
   } catch (error) {
-    console.warn(error);
     throw createError({
       statusCode: 400,
       message: error.message,
diff --git a/src/runtime/server/api/auth/password/reset.put.ts b/src/runtime/server/api/auth/password/reset.put.ts
index 0a2caf0..19d02b0 100644
--- a/src/runtime/server/api/auth/password/reset.put.ts
+++ b/src/runtime/server/api/auth/password/reset.put.ts
@@ -14,7 +14,6 @@ export default defineEventHandler(async (event) => {
 
     return {};
   } catch (error) {
-    console.warn(error);
     throw createError({
       statusCode: 400,
       message: error.message,
diff --git a/src/runtime/server/api/auth/refresh.post.ts b/src/runtime/server/api/auth/refresh.post.ts
index 9bd4fb3..b039399 100644
--- a/src/runtime/server/api/auth/refresh.post.ts
+++ b/src/runtime/server/api/auth/refresh.post.ts
@@ -5,36 +5,36 @@ import {
   setRefreshTokenCookie,
   updateRefreshToken,
   verifyRefreshToken,
+  setAccessTokenCookie,
+  deleteAccessTokenCookie,
+  deleteRefreshTokenCookie,
+  findUser,
 } from "#auth";
-import { findUser } from "../../utils/user";
 
 export default defineEventHandler(async (event) => {
   try {
     const refreshToken = getRefreshTokenFromCookie(event);
 
-    if (!refreshToken) {
-      throw new Error("Unauthorized");
-    }
-
     const payload = await verifyRefreshToken(refreshToken);
 
     const newRefreshToken = await updateRefreshToken(payload.id);
 
-    setRefreshTokenCookie(event, {
-      id: newRefreshToken.id,
-      uid: newRefreshToken.uid,
-      userId: newRefreshToken.userId,
-    });
+    setRefreshTokenCookie(event, newRefreshToken);
 
-    const user = await findUser({ id: newRefreshToken.userId });
+    const user = await findUser({ id: payload.userId });
 
     const accessToken = createAccessToken(user);
 
+    setAccessTokenCookie(event, accessToken);
+
     return { accessToken };
   } catch (error) {
+    deleteRefreshTokenCookie(event);
+    deleteAccessTokenCookie(event);
+
     throw createError({
       statusCode: 400,
-      message: error,
+      message: error.message,
     });
   }
 });
diff --git a/src/runtime/server/utils/index.ts b/src/runtime/server/utils/index.ts
index f0bd9c9..c101749 100644
--- a/src/runtime/server/utils/index.ts
+++ b/src/runtime/server/utils/index.ts
@@ -18,6 +18,9 @@ export {
   verifyEmailVerifyToken,
   verifyRefreshToken,
   verifyResetPasswordToken,
+  setAccessTokenCookie,
+  getAccessTokenFromCookie,
+  deleteAccessTokenCookie,
 } from "./token";
 
 export {
diff --git a/src/runtime/server/utils/token.ts b/src/runtime/server/utils/token.ts
index dd88a48..aa7522e 100644
--- a/src/runtime/server/utils/token.ts
+++ b/src/runtime/server/utils/token.ts
@@ -35,7 +35,7 @@ export function createAccessToken(user: User) {
   };
 
   const accessToken = jwt.sign(payload, privateConfig.accessTokenSecret, {
-    expiresIn: privateConfig.accessTokenExpiresIn,
+    expiresIn: privateConfig.accessTokenMaxAge,
   });
 
   return accessToken;
@@ -57,21 +57,48 @@ export function verifyAccessToken(accessToken: string) {
   return payload;
 }
 
+export function setAccessTokenCookie(event: H3Event, accessToken: string) {
+  setCookie(event, publicConfig.accessTokenCookieName, accessToken, {
+    httpOnly: true,
+    secure: true,
+    maxAge: privateConfig.accessTokenMaxAge,
+    sameSite: "lax",
+  });
+}
+
+export function getAccessTokenFromCookie(event: H3Event) {
+  const accessToken = getCookie(event, publicConfig.accessTokenCookieName);
+  return accessToken;
+}
+
+export function deleteAccessTokenCookie(event: H3Event) {
+  deleteCookie(event, publicConfig.accessTokenCookieName);
+}
 /*************** Refresh token ***************/
 
-export async function createRefreshToken(userId: number) {
-  const refreshToken = await prisma.refreshToken.create({
+export async function createRefreshToken(user: User) {
+  const refreshTokenEntity = await prisma.refreshToken.create({
     data: {
       uid: uuidv4(),
-      userId: userId,
+      userId: user.id,
     },
   });
 
+  const payload = {
+    id: refreshTokenEntity.id,
+    uid: refreshTokenEntity.uid,
+    userId: refreshTokenEntity.userId,
+  };
+
+  const refreshToken = jwt.sign(payload, privateConfig.refreshTokenSecret, {
+    expiresIn: privateConfig.refreshTokenMaxAge,
+  });
+
   return refreshToken;
 }
 
 export async function updateRefreshToken(refreshTokenId: number) {
-  const refreshToken = await prisma.refreshToken.update({
+  const refreshTokenEntity = await prisma.refreshToken.update({
     where: {
       id: refreshTokenId,
     },
@@ -79,15 +106,21 @@ export async function updateRefreshToken(refreshTokenId: number) {
       uid: uuidv4(),
     },
   });
+
+  const payload = {
+    id: refreshTokenEntity.id,
+    uid: refreshTokenEntity.uid,
+    userId: refreshTokenEntity.userId,
+  };
+
+  const refreshToken = jwt.sign(payload, privateConfig.refreshTokenSecret, {
+    expiresIn: privateConfig.refreshTokenMaxAge,
+  });
+
   return refreshToken;
 }
 
-export function setRefreshTokenCookie(
-  event: H3Event,
-  payload: RefreshTokenPayload
-) {
-  const refreshToken = jwt.sign(payload, privateConfig.refreshTokenSecret);
-
+export function setRefreshTokenCookie(event: H3Event, refreshToken: string) {
   setCookie(event, publicConfig.refreshTokenCookieName, refreshToken, {
     httpOnly: true,
     secure: true,
diff --git a/src/runtime/server/utils/user.ts b/src/runtime/server/utils/user.ts
index 2dd291e..9474100 100644
--- a/src/runtime/server/utils/user.ts
+++ b/src/runtime/server/utils/user.ts
@@ -3,7 +3,7 @@ import { Prisma } from "@prisma/client";
 import bcrypt from "bcrypt";
 
 export async function findUser(where: Prisma.UserWhereUniqueInput) {
-  const user = await prisma.user.findUnique({
+  const user = await prisma.user.findUniqueOrThrow({
     where,
   });
   return user;
diff --git a/src/runtime/types.d.ts b/src/runtime/types.d.ts
index f1c737d..70fd5eb 100644
--- a/src/runtime/types.d.ts
+++ b/src/runtime/types.d.ts
@@ -34,10 +34,15 @@ export type RefreshTokenPayload = {
 
 export type PrivateConfig = {
   accessTokenSecret: string;
+
   accessTokenExpiresIn: string;
+
+  accessTokenMaxAge: number;
+
   accessTokenClaims?: Record<string, any>;
 
   refreshTokenSecret: string;
+
   refreshTokenMaxAge: number;
 
   oauth?: Partial<
@@ -71,7 +76,10 @@ export type PrivateConfig = {
 export type PublicConfig = {
   baseUrl: string;
   enableGlobalAuthMiddleware: boolean;
+
   refreshTokenCookieName: string;
+  accessTokenCookieName: string;
+
   redirect: {
     login: string;
     logout: string;

From 2cd46db6fbc4f77d85f02916d507f8658373b130 Mon Sep 17 00:00:00 2001
From: becem <99251251+becem-gharbi@users.noreply.github.com>
Date: Sat, 21 Jan 2023 11:30:04 +0100
Subject: [PATCH 2/3] feat: return user info on login & refresh, no need for
 fetchUser req

---
 src/runtime/composables/useAuth.ts            | 35 +++++++++++--------
 .../server/api/auth/login/index.post.ts       |  4 ++-
 src/runtime/server/api/auth/refresh.post.ts   |  4 ++-
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/src/runtime/composables/useAuth.ts b/src/runtime/composables/useAuth.ts
index 1ac836d..15934f7 100644
--- a/src/runtime/composables/useAuth.ts
+++ b/src/runtime/composables/useAuth.ts
@@ -29,8 +29,8 @@ type FetchReturn<T> = Promise<AsyncData<UseFetchDataT<T>, UseFetchErrorT>>;
 export default function () {
   const publicConfig = useRuntimeConfig().public.auth;
 
-  const useUser: () => Ref<User | null> = () =>
-    useState<User | null>("auth_user", () => null);
+  const useUser: () => Ref<User | null | undefined> = () =>
+    useState<User | null | undefined>("auth_user", () => null);
 
   const useAccessToken: () => Ref<string | undefined | null> = () =>
     useState<string | undefined | null>("auth_access_token", () => null);
@@ -58,20 +58,22 @@ export default function () {
   async function login(input: {
     email: string;
     password: string;
-  }): FetchReturn<{ accessToken: string }> {
-    return useFetch<UseFetchDataT<{ accessToken: string }>, UseFetchErrorT>(
-      "/api/auth/login",
-      {
-        method: "POST",
-        body: {
-          email: input.email,
-          password: input.password,
-        },
-      }
-    ).then(async (res) => {
+  }): FetchReturn<{ accessToken: string; user: User }> {
+    return useFetch<
+      UseFetchDataT<{ accessToken: string; user: User }>,
+      UseFetchErrorT
+    >("/api/auth/login", {
+      method: "POST",
+      body: {
+        email: input.email,
+        password: input.password,
+      },
+    }).then(async (res) => {
       const accessToken = useAccessToken();
+      const user = useUser();
 
       accessToken.value = res.data.value?.accessToken;
+      user.value = res.data.value?.user;
 
       if (accessToken.value) {
         await navigateTo(publicConfig.redirect.home);
@@ -101,6 +103,7 @@ export default function () {
   async function refresh(): Promise<void> {
     try {
       const accessToken = useAccessToken();
+      const user = useUser();
 
       if (process.server) {
         accessToken.value = useAccessTokenCookie().value;
@@ -109,6 +112,9 @@ export default function () {
       }
 
       if (accessToken.value) {
+        if (!user.value) {
+          await fetchUser();
+        }
         return;
       }
 
@@ -118,7 +124,7 @@ export default function () {
 
       const cookie = useRequestHeaders(["cookie"]).cookie || "";
 
-      const res = await $fetch.raw<{ accessToken: string }>(
+      const res = await $fetch.raw<{ accessToken: string; user: User }>(
         "/api/auth/refresh",
         {
           method: "POST",
@@ -134,6 +140,7 @@ export default function () {
       }
 
       accessToken.value = res._data?.accessToken;
+      user.value = res._data?.user;
     } catch (e) {}
   }
 
diff --git a/src/runtime/server/api/auth/login/index.post.ts b/src/runtime/server/api/auth/login/index.post.ts
index 0291139..f25f04f 100644
--- a/src/runtime/server/api/auth/login/index.post.ts
+++ b/src/runtime/server/api/auth/login/index.post.ts
@@ -33,7 +33,9 @@ export default defineEventHandler(async (event) => {
 
     setAccessTokenCookie(event, accessToken);
 
-    return { accessToken };
+    delete user.password;
+
+    return { accessToken, user };
   } catch (error) {
     throw createError({
       statusCode: 400,
diff --git a/src/runtime/server/api/auth/refresh.post.ts b/src/runtime/server/api/auth/refresh.post.ts
index b039399..aa34190 100644
--- a/src/runtime/server/api/auth/refresh.post.ts
+++ b/src/runtime/server/api/auth/refresh.post.ts
@@ -27,7 +27,9 @@ export default defineEventHandler(async (event) => {
 
     setAccessTokenCookie(event, accessToken);
 
-    return { accessToken };
+    delete user.password;
+    
+    return { accessToken, user };
   } catch (error) {
     deleteRefreshTokenCookie(event);
     deleteAccessTokenCookie(event);

From 0245f599f4902101aa2808a7d577e1cd0c3b228b Mon Sep 17 00:00:00 2001
From: becem <99251251+becem-gharbi@users.noreply.github.com>
Date: Sat, 21 Jan 2023 11:40:36 +0100
Subject: [PATCH 3/3] fix: recursive fetchUser in refresh handler

---
 src/runtime/composables/useAuth.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/runtime/composables/useAuth.ts b/src/runtime/composables/useAuth.ts
index 15934f7..a7ccf2f 100644
--- a/src/runtime/composables/useAuth.ts
+++ b/src/runtime/composables/useAuth.ts
@@ -1,5 +1,5 @@
 import { Ref } from "vue";
-import { appendHeader, setHeader } from "h3";
+import { appendHeader } from "h3";
 import type { User, Provider } from "../types";
 import type { AsyncData } from "#app";
 import type { FetchError } from "ofetch";
@@ -113,7 +113,11 @@ export default function () {
 
       if (accessToken.value) {
         if (!user.value) {
-          await fetchUser();
+          user.value = await $fetch<User>("/api/auth/me", {
+            headers: {
+              Authorization: "Bearer " + accessToken.value,
+            },
+          });
         }
         return;
       }