diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..515bc1aa --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,4 @@ +# Reporting a security vulnerability + +To report a security issue, please email `sidebase@sidestream.tech` with a description of the issue, the steps you took to create the +issue, affected versions, and if known, mitigations for the issue. Our vulnerability management team will acknowledge receiving your email within 3 working days. This project follows a 90 day disclosure timeline. diff --git a/docs/content/1.getting-started/1.index.md b/docs/content/1.getting-started/1.index.md index 73ecfe94..7e54c277 100644 --- a/docs/content/1.getting-started/1.index.md +++ b/docs/content/1.getting-started/1.index.md @@ -20,9 +20,10 @@ These are the docs for the new v0.6 version of `nuxt-auth` with static Nuxt 3 an - documentation, recipes and example code to get you started :: -`nuxt-auth` employs 2 providers to facilitate the act of authenticating a user: +`nuxt-auth` employs 3 providers to facilitate the act of authenticating a user: ::list{type="success"} - `local`: Username and password authentication. `local` expects the endpoint to return a token that can be used to authenticate subsequent requests +- `refresh`: A extended version of the `local` provider, made for systems that require a token refresh. - `authjs`: A `authjs` (`next-auth`) based provider that supports most OAuth- and Magic-URL sign-ins (think Slack or Notion). This provider also supports username and password based sign-in, but discourages from using it :: @@ -44,26 +45,28 @@ Here's the source-code https://github.com/sidebase/nuxt-auth-example of the exam To pick a provider you will first have to take into consideration the requirements of your use-case. Below is a small table to help you pick: -| | authjs | local | -|----------------------------------------------------------- |-------------------------------------: |------: | -| **Authentication Methods** | | | -| OAuth | ✅ (>50 providers) | ❌ | -| Magic URLs | ✅ | ❌ | -| Credential / Username + Password flow | 🚧 (if possible: use `local` instead) | ✅ | -| | | | -| **Features** | | | -| app `useAuth`-composable to sign-in, sign-out, ... | ✅ | ✅ | -| session-management: auto-refresh, refresh on refocus, ... | ✅ | ✅ | -| static apps ("nuxi generate") | ❌ | ✅ | -| guest mode | ✅ | ✅ | -| app-side middleware | ✅ | ✅ | -| server-side middleware | ✅ | ✅ | -| pre-made login-page | ✅ (impacts bundle-size) | ❌ | -| database-adapters, server-side callback-hooks | ✅ | ❌ | +| | authjs | local | refresh +|----------------------------------------------------------- |-------------------------------------: |------: | ------: +| **Authentication Methods** | | | +| OAuth | ✅ (>50 providers) | ❌ | ❌ +| Magic URLs | ✅ | ❌ | ❌ +| Credentials / Username + Password flow | 🚧 (if possible: use `local` instead) | ✅ | ✅ +| Refresh tokens | ✅ | ❌ | ✅ +| | | | +| **Features** | | | +| app `useAuth`-composable to sign-in, sign-out, ... | ✅ | ✅ | ✅ +| session-management: auto-refresh, refresh on refocus, ... | ✅ | ✅ | ✅ +| static apps ("nuxi generate") | ❌ | ✅ | ✅ +| guest mode | ✅ | ✅ | ✅ +| app-side middleware | ✅ | ✅ | ✅ +| server-side middleware | ✅ | ✅ | ✅ +| pre-made login-page | ✅ (impacts bundle-size) | ❌ | ❌ +| database-adapters, server-side callback-hooks | ✅ | ❌ | ❌ In general one can say that picking: - `authjs` is best suited for plug-and-play OAuth for established oauth-providers or magic-url based sign-ins - `local` is best when you already have a backend that accepts username + password as a login or want to build a static application +- `refresh` if you would need to extend the functionality of the `local` provider, with a refresh token ### `authjs` Remarks diff --git a/docs/content/1.getting-started/2.installation.md b/docs/content/1.getting-started/2.installation.md index 70a28930..3496f27a 100644 --- a/docs/content/1.getting-started/2.installation.md +++ b/docs/content/1.getting-started/2.installation.md @@ -17,27 +17,31 @@ pnpm i -D @sidebase/nuxt-auth ``` :: -::alert{type="info"} -Note that we try our best to keep `nuxt-auth` stable, but it is also a fresh module that is in active development. If you want to be extra sure nothing breaks, you should pin the patch version, e.g., by using `--save-exact` when running the install command. -:: - ## Specifics: `authjs`-Provider If you want to use the `authjs` provider, you have to install `next-auth`. With all package managers except `npm` you must manually install the peer dependency alongside `nuxt-auth`: ::code-group ```bash [yarn] -yarn add next-auth@4.21.1 +yarn add next-auth@4.22.5 ``` ```bash [pnpm] -pnpm i next-auth@4.21.1 +pnpm i next-auth@4.22.5 ``` :: +::alert{type="warning"} +Due to a breaking change in NextAuth, nuxt-auth is only compoatible with NextAuth versions under v4.23.0. We recommend pinning the version to `4.22.5`. See more [here](https://github.com/sidebase/nuxt-auth/issues/514). +:: + +::alert{type="info"} +Note that we try our best to keep `nuxt-auth` stable, but it is also a fresh module that is in active development. If you want to be extra sure nothing breaks, you should pin the patch version, e.g., by using `--save-exact` when running the install command. +:: + You can find all available `next-auth` versions [on npm](https://www.npmjs.com/package/next-auth?activeTab=versions). You do not need to install any other peer-dependencies in order to use `nuxt-auth`. If you are unsure which provider to choose, have a look at the [overview on the getting-started page](/nuxt-auth/v0.6/getting-started#which-provider-should-i-pick). -## Specifics: `local`-Provider +## Specifics: `local`/`refresh`-Provider The `local` provider does not have any specific extra dependencies. However, you will need to make sure that you have a backend somewhere that provides username + password based authentication, [read more about this on the quick-start page](/nuxt-auth/v0.6/getting-started/quick-start). diff --git a/docs/content/1.getting-started/3.quick-start.md b/docs/content/1.getting-started/3.quick-start.md index c6d40142..b892d9cd 100644 --- a/docs/content/1.getting-started/3.quick-start.md +++ b/docs/content/1.getting-started/3.quick-start.md @@ -84,7 +84,7 @@ Note: The backend can also be in the same Nuxt 3 application, e.g., have a look The linked example-implementation only serves as a starting-point and is not considered to be secure. :: -The backend musst accept a request with a body like: +The backend must accept a request with a body like: ```ts { username: 'bernd@sidebase.io', @@ -103,7 +103,7 @@ and return a token that can be used to authenticate future requests in the respo ### Provider: `refresh` ::alert{type="info"} -The refresh provider is only available in version `0.6.3-alpha.1` and later +The refresh provider is only available in version `0.6.3` and later :: The refresh provider does not require any additional steps, as it relies on an already existing backend. By default, the `refresh` provider will try to reach this backend using the following default-configuration: diff --git a/docs/content/2.configuration/1.index.md b/docs/content/2.configuration/1.index.md index b8b8343c..ce91ed75 100644 --- a/docs/content/2.configuration/1.index.md +++ b/docs/content/2.configuration/1.index.md @@ -5,7 +5,7 @@ description: "Overview of the configuration options of `nuxt-auth` for Vue / Nux # Overview Use the following places to configure how `nuxt-auth` behaves: -- `local` & `authjs`-provider: The [auth key in `nuxt.config.ts`](/nuxt-auth/v0.6/configuration/nuxt-config). Use it to configure the module itself, e.g., whether global page protection is enabled +- `local`/`refresh` & `authjs`-provider: The [auth key in `nuxt.config.ts`](/nuxt-auth/v0.6/configuration/nuxt-config). Use it to configure the module itself, e.g., whether global page protection is enabled - `authjs`-provider: The [NuxtAuthHandler](/nuxt-auth/v0.6/configuration/nuxt-auth-handler). Use it to configure the `authjs` authentication behavior, e.g., what authentication providers to use. See the detailed possible configuration options on the next pages. diff --git a/package.json b/package.json index cbf9e147..c101dd11 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@sidebase/nuxt-auth", - "version": "0.6.3-alpha.1", + "version": "0.6.3", "license": "MIT", "type": "module", "exports": { diff --git a/src/runtime/composables/refresh/useAuth.ts b/src/runtime/composables/refresh/useAuth.ts index 2c72f68d..4b18666a 100644 --- a/src/runtime/composables/refresh/useAuth.ts +++ b/src/runtime/composables/refresh/useAuth.ts @@ -152,22 +152,26 @@ const signOut: SignOutFunc = async (signOutOptions) => { rawToken.value = null rawRefreshToken.value = null - const { path, method } = config.endpoints.signOut as { - path: string; - method: - | 'get' - | 'head' - | 'patch' - | 'post' - | 'put' - | 'delete' - | 'connect' - | 'options' - | 'trace'; + const signOutConfig = config.endpoints.signOut + let res + + if (signOutConfig) { + const { path, method } = config.endpoints.signOut as { + path: string; + method: + | 'get' + | 'head' + | 'patch' + | 'post' + | 'put' + | 'delete' + | 'connect' + | 'options' + | 'trace'; + } + res = await _fetch(nuxt, path, { method, headers }) } - const res = await _fetch(nuxt, path, { method, headers }) - const { callbackUrl, redirect = true } = signOutOptions ?? {} if (redirect) { await navigateTo(callbackUrl ?? (await getRequestURLWN(nuxt)))