Merge branch 'main' into main

docs/content/v0.6/2.configuration/2.nuxt-config.md

@@ -206,6 +206,15 @@ type ProviderLocal = {
      * Note: Your backend may reject / expire the token earlier / differently.
      */
     maxAgeInSeconds?: number,
+    /**
+     * The cookie sameSite policy. Can be used as a form of csrf forgery protection. If set to `strict`, the cookie will only be passed with requests to the same 'site'. Typically, this includes subdomains. So, a sameSite: strict cookie set by app.mysite.com will be passed to api.mysite.com, but not api.othersite.com. 
+     *
+     * See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7
+     *
+     * @default 'lax'
+     * @example 'strict'
+     */
+     sameSiteAttribute?:  boolean | 'lax' | 'strict' | 'none' | undefined,
   },
   /**
    * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sidebase/nuxt-auth",
-  "version": "0.6.0-beta.3",
+  "version": "0.6.0-beta.5",
   "license": "MIT",
   "type": "module",
   "exports": {

src/module.ts

@@ -35,7 +35,8 @@ const defaultsByBackend: { [key in SupportedAuthProviders]: DeepRequired<Extract
       signInResponseTokenPointer: '/token',
       type: 'Bearer',
       headerName: 'Authorization',
-      maxAgeInSeconds: 30 * 60
+      maxAgeInSeconds: 30 * 60,
+      sameSiteAttribute: 'lax'
     },
     sessionDataType: { id: 'string | number' }
   },

src/runtime/composables/local/useAuthState.ts

@@ -17,7 +17,7 @@ export const useAuthState = (): UseAuthStateReturn => {
   const commonAuthState = makeCommonAuthState<SessionData>()
 
   // Re-construct state from cookie, also setup a cross-component sync via a useState hack, see https://github.com/nuxt/nuxt/issues/13020#issuecomment-1397282717
-  const _rawTokenCookie = useCookie<string | null>('auth:token', { default: () => null, maxAge: config.token.maxAgeInSeconds, sameSite: 'lax' })
+  const _rawTokenCookie = useCookie<string | null>('auth:token', { default: () => null, maxAge: config.token.maxAgeInSeconds, sameSite: config.token.sameSiteAttribute })
 
   const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)
   watch(rawToken, () => { _rawTokenCookie.value = rawToken.value })

src/runtime/plugin.ts

@@ -1,4 +1,5 @@
 import { addRouteMiddleware, defineNuxtPlugin, useRuntimeConfig } from '#app'
+import { getHeader } from 'h3'
 import authMiddleware from './middleware/auth'
 import { useAuth, useAuthState } from '#imports'
 
@@ -7,8 +8,14 @@ export default defineNuxtPlugin(async (nuxtApp) => {
   const { data, lastRefreshedAt } = useAuthState()
   const { getSession } = useAuth()
 
+  // Skip auth if we're prerendering
+  let nitroPrerender = false
+  if (nuxtApp.ssrContext) {
+    nitroPrerender = getHeader(nuxtApp.ssrContext.event, 'x-nitro-prerender') !== undefined
+  }
+
   // Only fetch session if it was not yet initialized server-side
-  if (typeof data.value === 'undefined') {
+  if (typeof data.value === 'undefined' && !nitroPrerender) {
     await getSession()
   }
 

src/runtime/types.ts

@@ -142,6 +142,13 @@ type ProviderLocal = {
      * Note: Your backend may reject / expire the token earlier / differently.
      */
     maxAgeInSeconds?: number,
+    /**
+     * The cookie sameSite policy. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7
+     *
+     * @default 'lax'
+     * @example 'strict'
+     */
+     sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined,
   },
   /**
    * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.