User not logged out when 401 on refresh occurs

[benoitlemaire]

Environment

• Operating System: Darwin
• Node Version: v20.16.0
• Nuxt Version: 3.14.1592
• CLI Version: 3.16.0
• Nitro Version: 2.10.4

Reproduction

playground-local with external backend api

Describe the bug

Description:
I'm encountering an issue with user sessions and token refresh behavior. Here's the scenario:

1. I log in to my site, and everything works perfectly.
2. I open the same site in an incognito window and log in with the same user. Everything works perfectly here too.
3. However, when I return to the first session (non-incognito), the refresh requests start failing with a 401 error because my backend send an error due to refresh tokens are different.

Despite the 401 errors, the user is not logged out in the original session. They can still navigate through the site and access pages, which is not the expected behavior.

Expected Behavior:
If the refresh or getSession requests throw a 401 or 403 error, the user should be automatically logged out from that session.

Current Configuration:
Below is my current configuration:

auth: {
  baseURL: 'https://external-backend.com/api/',
  provider: {
    type: 'local',
    endpoints: {
      getSession: { path: '/auth/get-session', method: 'get' },
      signIn: { path: '/auth/login', method: 'post' },
      signUp: { path: '/auth/register', method: 'post' },
      signOut: { path: '/auth/logout', method: 'get' },
    },
    pages: {
      login: '/'
    },
    token: {
      signInResponseTokenPointer: '/accessToken',
    },
    refresh: {
      isEnabled: true,
      endpoint: { path: 'auth/refresh', method: 'post' },
      refreshOnlyToken: false,
      token: {
        signInResponseRefreshTokenPointer: '/refreshToken',
        refreshRequestTokenPointer: '/refreshToken',
        maxAgeInSeconds: 900,
      }
    }
  },
  sessionRefresh: {
    enableOnWindowFocus: false,
    enablePeriodically: 5000,
  },
  globalAppMiddleware: {
    isEnabled: true
  }
}

Question:
What am I missing in my configuration to ensure that the user is logged out automatically if the refresh or getSession requests fail with a 401 or 403 error? Tried on 0.9.4and 0.10.0

CleanShot.2024-12-20.at.16.28.55.online-video-cutter.com.1.mp4

Additional context

I think the FetchError is not caught it useAuth, here is the errors in console when refresh fails :

ofetch.03887fc3.mjs?v=88c26a32:316 Uncaught (in promise) FetchError: [POST] "https://my-external-api.com/api/auth/refresh": 401 
    at async $fetch2 (ofetch.03887fc3.mjs?v=88c26a32:316:15)
    at async Object.refresh (useAuth.ts:198:20)

Logs

No response

[OlePc]

Noticed this too in my application. What is the expected behavior? The docs says nothing about error handling when refresh is denied by the backend.

[NathanD19]

Finding the same issue with credentials auth with a custom backend. Anyone have any work arounds?