fix: authState getting wiped on page reload on static websites #785
Conversation
set and reload data, rawToken from cookie fix lint fix typecheck
zoey-kaiser
changed the title
zoey-kaiser
changed the title
zoey-kaiser
added
bug
|
Hello @zoey-kaiser, Thanks ! |
|
Hi @Geekimo 👋 I would like to get a review by @phoenix-ru in before merging this PR 😊 |
|
@zoey-kaiser Thanks for your reply |
|
Any news on this fix or can we help? I use a local provider and having auth work with ssg would be highly appreciated :-) |
|
Hello @zoey-kaiser and @phoenix-ru, Kind regards. |
commit: |
|
Hi @Vijayabhaskar96 👋 I wanted to push this PR into the next release, but sadly the authjs tests are failing. We will finalize the PRs for the release tomorrow. For the case that we are not able to include it yet, you can directly install your PR as an npm package using: |
|
Hello @zoey-kaiser, |
|
Is there a specific reason why this wasn't included in the 0.9.4 release? |
|
Sorry, I don’t want to come across as impatient, but we’re currently holding back a production site until this fix is implemented. Is there already an idea of when this will be released? |
| // Augment types | ||
| declare module 'nuxt/schema' { | ||
| interface PublicRuntimeConfig { | ||
| auth: ModuleOptionsNormalized | ||
| } | ||
| } |
There was a problem hiding this comment.
Question as to why was this added?
| sessionCookie.value = { | ||
| lastRefreshedAt: lastRefreshedAt.value, | ||
| data: data.value | ||
| } |
There was a problem hiding this comment.
Storing user data in the cookie may lead to a GDPR violation if the getSession endpoint returns any personal information (which is often the case). It undoubtedly spawns the "protecting personal data" requirement for anyone using the module, even if they weren't affected by the SSG issue in the first place.
I don't find it very attractive to introduce such a burden to NuxtAuth :/
There was a problem hiding this comment.
Maybe introducing an option to use SessionStorage nor LocalStorage would be great instead of using cookies ?
| function handleLocalAuth(config: ProviderLocal): void { | ||
| const sessionCookie = useCookie<SessionCookie | null>( | ||
| 'auth:sessionCookie' | ||
| ) | ||
| const cookieToken = useCookie<string | null>( | ||
| config.token?.cookieName ?? 'auth.token' | ||
| ) | ||
|
|
||
| if (sessionCookie?.value && !rawToken?.value && cookieToken?.value) { | ||
| restoreSessionFromCookie(sessionCookie, cookieToken) | ||
| } | ||
| } | ||
|
|
||
| function restoreSessionFromCookie( | ||
| sessionCookie: CookieRef<SessionCookie | null>, | ||
| cookieToken: CookieRef<string | null> | ||
| ): void { | ||
| try { | ||
| loading.value = true | ||
| const sessionData = sessionCookie.value | ||
| lastRefreshedAt.value = sessionData?.lastRefreshedAt | ||
| data.value = sessionData?.data | ||
| rawToken.value = cookieToken.value | ||
| } | ||
| catch (error) { | ||
| console.error('Failed to parse session data from cookie:', error) | ||
| } | ||
| finally { | ||
| loading.value = false | ||
| } |
There was a problem hiding this comment.
I am struggling to understand as to why saving/restoring the session data in the cookie is needed in the first place? I read both the original issue #551 and the PRs around it, but still haven't found a valid reason for this approach.
I think there should be a less hacky way of solving it
|
@Geekimo @thorge @Vijayabhaskar96 Hi, sorry for keeping you waiting as this PR has been quite controversial for me. I just left my concerns in the review above. I don't want to give any false promises about merging the PR soon, as I do not feel confident at all in the patch. If you trust it, you can use it at your risk by using the latest commit (see the message from bot -> click on commit): I know it's one of the long-standing issues in the |
Previous PR: #712
🔗 Linked issue
#551
This issue occurs because
data(data fromgetSession()) is not stored in the browser, which is not a problem in SSR with server because the server takes care of it, but on a statically generated website, thisdatais lost along withrawTokeneven if the token is stored in the browser cookies if you refresh the webpage.❓ Type of change
📚 Description
This PR stores the retrieved data from
getSession()and stores it in the browser cookieauth:sessionCookieand reloads thedataandrawTokenback on the client side if they'reundefined.This PR fixes the data issue, but you still need to set the
prerender:falsefor middleware protected routes in routeRules so that client-side middleware is forced to run and load the states.📝 Checklist