Refresh logic with local strategy #950

Open
@julienguillot77

Environment

  • Operating System: Darwin
  • Node Version: v20.17.0
  • Nuxt Version: 3.14.1592
  • CLI Version: 3.15.0
  • Nitro Version: 2.10.4
  • Package Manager: yarn@1.22.22
  • Builder: -
  • User Config: default
  • Runtime Modules: @nuxt/image@1.8.1, @sidebase/nuxt-auth@0.9.4, @nuxt/icon@1.9.0, @nuxtjs/tailwindcss@6.12.2, shadcn-nuxt@0.11.3, @vueuse/nuxt@12.0.0, @nuxtjs/color-mode@3.5.2, @nuxt/fonts@0.10.2, @pinia/nuxt@0.8.0, nuxt-lodash@2.5.3, nuxt-zod-i18n@1.11.0, @nuxtjs/i18n@9.1.0
  • Build Modules: -

Reproduction

Set your nuxt.config.ts auth options:

auth: {
    originEnvKey: "NUXT_AUTH_ORIGIN",
    globalAppMiddleware: true,
    baseURL: process.env.NUXT_MANAGEMENT_API_URL,
    sessionRefresh: {
      enablePeriodically: 10000, // 10 seconds
      enableOnWindowFocus: false,
    },
    provider: {
      type: "local",
      session: {
        dataType: {
          id: "number",
          email: "string",
          username: "string",
          first_name: "string",
          last_name: "string",
          role: "string",
        },
      },
      pages: {
        login: "/auth/login",
      },
      endpoints: {
        signIn: { path: "management/login", method: "post" },
        signOut: { path: "management/logout", method: "delete" },
        signUp: { path: "management/signup", method: "post" },
        getSession: { path: "management/session", method: "get" },
      },
      token: {
        signInResponseTokenPointer: "/data/access_token",
        type: "Bearer",
        cookieName: "my-app.access_token",
        headerName: "Authorization",
        maxAgeInSeconds: 1800, // 30 minutes
        sameSiteAttribute: "lax",
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
      refresh: {
        isEnabled: true,
        endpoint: { path: "management/refresh", method: "post" },
        refreshOnlyToken: false,
        token: {
          signInResponseRefreshTokenPointer: "/data/refresh_token",
          refreshRequestTokenPointer: "/admin/refresh_token",
          cookieName: "my-app.refresh_token",
          maxAgeInSeconds: 14 * 24 * 60 * 60, // 2 weeks
          sameSiteAttribute: "lax",
          secureCookieAttribute: false,
          httpOnlyCookieAttribute: false,
        },
      },
    },
  }

signIn to your app

Describe the bug

I can't say whether it's a bug or voluntary, but this is, I think, a strange behaviour.

The refresh token API endpoint is called at the same time as session refresh.

A first attempt of session refresh is done right after the signIn process. The returned access_token and refresh_token are rightly set to auth state and cookies but the next refresh attempt is still using the previous refresh_token...

Am I missing something or does an issue really occur?

Is refreshing tokens at the same time as session refresh a normal behaviour?

Additional context

No response

Logs

No response
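
Added example, not part of the original issue and not code from @sidebase/nuxt-auth: a constructed in-memory model of a backend that rotates refresh tokens and revokes the token family when a rotated-out token is presented again, compared for a client that re-sends the previous refresh_token and one that reads the stored token at request time. The rotation and reuse-detection policy is an assumption (the issue does not say how management/refresh treats old tokens), and the names createRefreshBackend, staleClient and freshClient are hypothetical.

```javascript
// Constructed model: backend that rotates refresh tokens (an assumption, not stated in the issue).
function createRefreshBackend() {
  const active = new Map();  // refresh_token -> token family id
  const retired = new Map(); // rotated-out refresh_token -> token family id
  let counter = 0;           // constructed, predictable token values for the demo only
  const issue = (family) => {
    const refresh_token = `rt-${++counter}`;
    active.set(refresh_token, family);
    return { access_token: `at-${counter}`, refresh_token };
  };
  return {
    login: () => issue(`family-${++counter}`),
    refresh(token) {
      if (retired.has(token)) {
        // A rotated-out token came back: revoke the whole family.
        const family = retired.get(token);
        for (const [t, f] of active) if (f === family) active.delete(t);
        return { status: 401, error: "refresh_token_reuse" };
      }
      if (!active.has(token)) return { status: 401, error: "invalid_refresh_token" };
      const family = active.get(token);
      active.delete(token);
      retired.set(token, family);
      return { status: 200, data: issue(family) };
    },
  };
}

// Client that keeps sending the refresh token captured at sign-in.
function staleClient(backend) {
  const first = backend.login();
  const r1 = backend.refresh(first.refresh_token);
  const r2 = backend.refresh(first.refresh_token);   // previous token again
  const r3 = backend.refresh(r1.data.refresh_token); // family already revoked
  return [r1.status, r2.error, r3.error];
}

// Client that reads the stored refresh token at request time.
function freshClient(backend) {
  let stored = backend.login().refresh_token;
  const statuses = [];
  for (let i = 0; i < 3; i++) {
    const r = backend.refresh(stored);
    statuses.push(r.status);
    if (r.status === 200) stored = r.data.refresh_token;
  }
  return statuses;
}
console.log(staleClient(createRefreshBackend()), freshClient(createRefreshBackend()));
```

Under this assumed policy the stale client's second call is rejected and its valid newer token is revoked with it, so the session ends at the next refresh.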

Labels: bug (A bug that needs to be resolved), pending (An issue waiting for triage)