
Refresh of tokens is not triggered on local schema browser close #947

Open
florjanklancar-kaldi opened this issue Nov 25, 2024 · 3 comments
Labels: bug (A bug that needs to be resolved), pending (An issue waiting for triage)

Comments

@florjanklancar-kaldi

Environment

Reproduction

Nuxt config:

```ts
// nuxt.config.ts (the auth section as posted in the issue)
export default defineNuxtConfig({
  auth: {
    baseURL: `${process.env.API_BASE_URL}/auth/`,
    provider: {
      type: "local",
      endpoints: {
        signIn: { path: "login", method: "post" },
        getSession: { path: "current", method: "get" },
        signOut: false,
      },
      pages: {
        login: "/login",
      },
      token: {
        // access-token cookie lifetime, in seconds
        maxAgeInSeconds: +process.env.JWT_SECRET_EXPIRATION_IN_SECONDS!,
        signInResponseTokenPointer: "/access_token",
      },
      refresh: {
        isEnabled: true,
        endpoint: { path: "refresh", method: "post" },
        refreshOnlyToken: false,
        token: {
          signInResponseRefreshTokenPointer: "/refresh_token",
          refreshRequestTokenPointer: "/refresh_token",
          // refresh-token cookie lifetime; same env value as the access token
          maxAgeInSeconds: +process.env.JWT_SECRET_EXPIRATION_IN_SECONDS!,
        },
      },
      session: {
        dataType: {
          firstName: "string",
          lastName: "string",
          sub: "string",
          userId: "string",
          isTwoFactorAuthorized: "boolean",
          isTwoFactorEnable: "boolean",
          isTwoFactorOptIn: "boolean",
          location: `{amlDataAccess: boolean,
            locationId: string,
            locationName: string,
            locationNameId: string,
            locationToPartnerId:string,
            partnerType: string}[]`,
          roles: `{ name: string, companyId: string}[]`,
        },
      },
    },
    sessionRefresh: {
      enableOnWindowFocus: true,
      // interval in milliseconds
      enablePeriodically: +process.env.JWT_EXPIRATION_IN_S! * 1000,
    },
    globalAppMiddleware: {
      isEnabled: true,
      allow404WithoutAuth: true,
    },
  },
});
```

Describe the bug

When setting the access token max age, I use the same expiration value (in seconds) as the refresh_token. Initially, the token appears to have the correct expiry date in the browser's cookie storage. However, once the access token expires (10 minutes in my case), it is removed from the cookies.

If I close the browser and return after more than 10 minutes, I am automatically signed out and redirected to the login screen. I would expect the library to call the refresh token endpoint to obtain a new session instead of requiring users to sign in again, especially when a valid refresh_token is still available in the cookies.

Also, the access token is removed from cookie storage even when its expiry date was set the same as the refresh token's, which is 5 days in my example.

Additional context

No response

Logs

No response

florjanklancar-kaldi added the bug and pending labels on Nov 25, 2024

@einz-loggik

I have the same problem. The user gets logged out if the access token has reached EOL, regardless of the lifetime of the refresh token.
Expected behaviour would be that if the access token is no longer valid, there is a check whether a valid refresh token exists that would trigger a refresh.

And I can also confirm that the access token cookie gets removed if you close the browser. I set the lifetime of the access token to 72 hours, but if I close and reopen the page the access token cookie is deleted and I am redirected to the login page.

@anjarupnik (Contributor)

Hi, I also ran into a similar issue. I think the main cause is the check for refreshing the token in refresh-token.server.ts:
`if (refreshToken.value && token.value)`. This means that if the auth token is expired and no longer present in cookies when requesting from the server, even though there is a valid refresh token, it won't be refreshed. Maybe it makes sense for some implementations, but I think in most cases you would want to request a new token with the refresh token after the token has expired, right? 🤔 I would suggest changing the condition to `if (refreshToken.value && !token.value)` (only refresh the token after it has expired) or only checking for the presence of the refreshToken (though this has the negative side effect that it will also run every time the user opens a new tab).
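
The following is an added example, not code from nuxt-auth or from anyone in this thread. It models the server-side refresh gate that the comment above discusses as a pure function, simulates which cookies a browser still presents after a given time (a cookie is dropped once its Max-Age passes, which is why the access-token cookie "disappears"), and runs the three candidate conditions against the scenario from the report: a 10-minute access token, a 5-day refresh token, and a return visit after more than 10 minutes. The policy names, cookie values and helper functions are assumptions made for the illustration.

```typescript
// Added example (not nuxt-auth code): compares the three refresh conditions
// discussed in the issue against cookie states at different times.

type CookieJar = { token: string | null; refreshToken: string | null };
type RefreshPolicy = "current" | "proposed" | "refreshOnly";
type Outcome = "serve-with-access-token" | "refresh" | "signed-out";

// Cookies a browser still sends `elapsedSeconds` after sign-in, given each
// cookie's Max-Age. Values are constructed placeholders, not real tokens.
function cookiesAfter(
  elapsedSeconds: number,
  accessMaxAge: number,
  refreshMaxAge: number,
): CookieJar {
  return {
    token: elapsedSeconds < accessMaxAge ? "access.jwt" : null,
    refreshToken: elapsedSeconds < refreshMaxAge ? "refresh.jwt" : null,
  };
}

// The three candidate conditions from the thread, expressed as a policy switch.
function shouldRefresh(jar: CookieJar, policy: RefreshPolicy): boolean {
  const hasToken = jar.token !== null;
  const hasRefresh = jar.refreshToken !== null;
  switch (policy) {
    case "current":     // if (refreshToken.value && token.value)
      return hasRefresh && hasToken;
    case "proposed":    // if (refreshToken.value && !token.value)
      return hasRefresh && !hasToken;
    case "refreshOnly": // if (refreshToken.value)
      return hasRefresh;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// What the server does with a request arriving `elapsedSeconds` after sign-in.
// Defaults match the report: 10-minute access token, 5-day refresh token.
function outcome(
  elapsedSeconds: number,
  policy: RefreshPolicy,
  accessMaxAge = 10 * 60,
  refreshMaxAge = 5 * 24 * 3600,
): Outcome {
  const jar = cookiesAfter(elapsedSeconds, accessMaxAge, refreshMaxAge);
  if (shouldRefresh(jar, policy)) return "refresh";
  if (jar.token !== null) return "serve-with-access-token";
  return "signed-out";
}

// Three moments: shortly after login, after the access token expired but the
// refresh token is still valid (the reported case), and after both expired.
const SCENARIOS: Record<string, number> = {
  "1 minute": 60,
  "15 minutes": 15 * 60,
  "6 days": 6 * 24 * 3600,
};

function scenarioTable(): Record<RefreshPolicy, Record<string, Outcome>> {
  const policies: RefreshPolicy[] = ["current", "proposed", "refreshOnly"];
  const table = {} as Record<RefreshPolicy, Record<string, Outcome>>;
  for (const policy of policies) {
    table[policy] = {};
    for (const [label, seconds] of Object.entries(SCENARIOS)) {
      table[policy][label] = outcome(seconds, policy);
    }
  }
  return table;
}

for (const [policy, row] of Object.entries(scenarioTable())) {
  console.log(policy.padEnd(12), JSON.stringify(row));
}
```

The table makes the reported behaviour visible: under the `current` condition the "15 minutes" request is `signed-out` even though the refresh cookie is still valid, because the access-token cookie has already been dropped by the browser and the condition requires both. The `proposed` condition serves normally while the access token is valid and refreshes only once it is gone, which matches the expectation in the issue. The `refreshOnly` condition also rescues the "15 minutes" case, but it refreshes on the "1 minute" request too, which is the "runs on every new tab" side effect the comment warns about. With every policy the "6 days" request is `signed-out`, as it should be once the refresh token itself has expired.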

@florjanklancar-kaldi (Author)

Hey Anja, since nobody from their side has replied to me in months, I think this library is dead...
I've coded the client-side authentication composable myself since I don't need any other functionality from this library.
