From ba383786efcefa9c907f00dc3ddfe538401d70d1 Mon Sep 17 00:00:00 2001
From: bmhtech07 <64862099+bmhtech07@users.noreply.github.com>
Date: Wed, 9 Aug 2023 15:32:11 +0100
Subject: [PATCH 1/4] feat: Add sameSite attribute to config in `local` provider (#505)

---
 docs/content/v0.6/2.configuration/2.nuxt-config.md | 9 +++++++++
 src/module.ts | 3 ++-
 src/runtime/composables/local/useAuthState.ts | 2 +-
 src/runtime/types.ts | 7 +++++++
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/docs/content/v0.6/2.configuration/2.nuxt-config.md b/docs/content/v0.6/2.configuration/2.nuxt-config.md
index 5c03d248..a2bae96e 100644
--- a/docs/content/v0.6/2.configuration/2.nuxt-config.md
+++ b/docs/content/v0.6/2.configuration/2.nuxt-config.md
@@ -206,6 +206,15 @@ type ProviderLocal = {
 * Note: Your backend may reject / expire the token earlier / differently.
 */
 maxAgeInSeconds?: number,
+ /**
+ * The cookie sameSite policy. Can be used as a form of csrf forgery protection. If set to `strict`, the cookie will only be passed with requests to the same 'site'. Typically, this includes subdomains. So, a sameSite: strict cookie set by app.mysite.com will be passed to api.mysite.com, but not api.othersite.com.
+ *
+ * See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7
+ *
+ * @default 'lax'
+ * @example 'strict'
+ */
+ sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined,
 },
 /**
 * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.
diff --git a/src/module.ts b/src/module.ts
index 2b5e7b97..756abe8c 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -35,7 +35,8 @@ const defaultsByBackend: { [key in SupportedAuthProviders]: DeepRequired {
 const commonAuthState = makeCommonAuthState()
 // Re-construct state from cookie, also setup a cross-component sync via a useState hack, see https://github.com/nuxt/nuxt/issues/13020#issuecomment-1397282717
- const _rawTokenCookie = useCookie('auth:token', { default: () => null, maxAge: config.token.maxAgeInSeconds, sameSite: 'lax' })
+ const _rawTokenCookie = useCookie('auth:token', { default: () => null, maxAge: config.token.maxAgeInSeconds, sameSite: config.token.sameSiteAttribute })
 const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)
 watch(rawToken, () => { _rawTokenCookie.value = rawToken.value })
diff --git a/src/runtime/types.ts b/src/runtime/types.ts
index 4d17dfa6..3770e881 100644
--- a/src/runtime/types.ts
+++ b/src/runtime/types.ts
@@ -142,6 +142,13 @@ type ProviderLocal = {
 * Note: Your backend may reject / expire the token earlier / differently.
 */
 maxAgeInSeconds?: number,
+ /**
+ * The cookie sameSite policy. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7
+ *
+ * @default 'lax'
+ * @example 'strict'
+ */
+ sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined,
 },
 /**
 * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.
From 7234c66beb7ebd6a05763e95201e6424d85fef3d Mon Sep 17 00:00:00 2001
From: Zoey
Date: Wed, 9 Aug 2023 16:45:04 +0200
Subject: [PATCH 2/4] release: 0.6.0-beta.4 (#511)

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index be421162..9ee4cae8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sidebase/nuxt-auth",
- "version": "0.6.0-beta.3",
+ "version": "0.6.0-beta.4",
 "license": "MIT",
 "type": "module",
 "exports": {
From 972b56190eea1264b384631b16d53fb1bee43d5c Mon Sep 17 00:00:00 2001
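Review bot: The JSDoc added for `sameSiteAttribute` in the types.ts hunk should state that `'none'` is only honoured by browsers when the cookie is also marked `Secure`, and the `useCookie('auth:token', …)` call this option feeds (visible earlier in this patch) passes only `maxAge` and `sameSite`, so as far as visible nothing sets `secure` on the token cookie and a `'none'` value would be rejected or downgraded by current browsers. The `boolean` members of the union are also undocumented; cookie serializers generally map `true` to `Strict` and `false` to omitting the attribute, but that should be confirmed against the serializer h3 uses and then stated. Suggested lines for the comment: `* Note: 'none' is only accepted by browsers when the cookie is also Secure (HTTPS); the token cookie does not appear to add the Secure flag on its own — verify in useAuthState.` and `* Note: true is serialized as 'strict' and false omits the attribute — confirm against the cookie serializer.` The longer copy of this comment in the docs hunk also conflates SameSite with the Domain attribute (a host-only cookie set by app.mysite.com is never sent to api.mysite.com, whatever its SameSite value), so that example should be reworded. `ProviderLocal` begins before and ends after the hunk.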
From: Eugen Istoc
Date: Wed, 30 Aug 2023 10:26:40 -0400
Subject: [PATCH 3/4] fix: Don't fetch session during nitro prerender (#521)

Co-authored-by: Michael Thiessen
Co-authored-by: Zoey
---
 src/runtime/plugin.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/runtime/plugin.ts b/src/runtime/plugin.ts
index eb1e5977..2acca240 100644
--- a/src/runtime/plugin.ts
+++ b/src/runtime/plugin.ts
@@ -1,4 +1,5 @@
 import { addRouteMiddleware, defineNuxtPlugin, useRuntimeConfig } from '#app'
+import { getHeader } from 'h3'
 import authMiddleware from './middleware/auth'
 import { useAuth, useAuthState } from '#imports'
@@ -7,8 +8,14 @@ export default defineNuxtPlugin(async (nuxtApp) => {
 const { data, lastRefreshedAt } = useAuthState()
 const { getSession } = useAuth()
+ // Skip auth if we're prerendering
+ let nitroPrerender = false
+ if (nuxtApp.ssrContext) {
+ nitroPrerender = getHeader(nuxtApp.ssrContext.event, 'x-nitro-prerender') !== undefined
+ }
+
 // Only fetch session if it was not yet initialized server-side
- if (typeof data.value === 'undefined') {
+ if (typeof data.value === 'undefined' && !nitroPrerender) {
 await getSession()
 }
From 55aee8a8b463f5b633d319d0c192ccd372622c43 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Wed, 30 Aug 2023 16:30:10 +0200
Subject: [PATCH 4/4] release: 0.6.0-beta.5 (#522)

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9ee4cae8..6f259ac8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sidebase/nuxt-auth",
- "version": "0.6.0-beta.4",
+ "version": "0.6.0-beta.5",
 "license": "MIT",
 "type": "module",
 "exports": {
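Review bot: The `nitroPrerender` flag in the second plugin.ts hunk is derived from a request header, `x-nitro-prerender`, which any client can send to a deployed SSR server, so the new condition is not a trustworthy "we are prerendering" signal. As far as visible the effect of a spoofed header is confined to the sender (that request's server render starts without a session, and the client-side run of the plugin has no `ssrContext` so it still calls `getSession()`), but that reasoning should be written down next to the check, and if the supported Nuxt range exposes the build-time `process.prerender` flag it is the non-spoofable signal to prefer. The comment `// Skip auth if we're prerendering` also overstates what happens — only the server-side session fetch is skipped, and the route middleware imported at the top of the file is presumably still registered elsewhere in this plugin — so `// Skip only the server-side session fetch while nitro is prerendering (no user context exists); the header is client-controllable but affects just this request's SSR` is more accurate. The plugin callback begins before and ends after the hunk.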