From 9852116a7d3f3be56f6fdc1cba8bdff747c4cbb8 Mon Sep 17 00:00:00 2001
From: Johannes Przymusinski <johannes@przymusinski.de>
Date: Thu, 12 Sep 2024 12:03:10 +0200
Subject: [PATCH 1/5] docs: correct location of session data type definitions
 (#904)

---
 docs/guide/local/session-data.md | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/docs/guide/local/session-data.md b/docs/guide/local/session-data.md
index 33398446..4dfbcc7c 100644
--- a/docs/guide/local/session-data.md
+++ b/docs/guide/local/session-data.md
@@ -7,11 +7,13 @@ export default defineNuxtConfig({
   auth: {
     provider: {
       type: 'local',
-      sessionDataType: {
-        id: 'string | number',
-        firstName: 'string',
-        lastName: 'string'
-      }
+      session: {
+        dataType: {
+          id: 'string | number',
+          firstName: 'string',
+          lastName: 'string',
+        },
+      },
     }
   }
 })
@@ -36,11 +38,13 @@ export default defineNuxtConfig({
   auth: {
     provider: {
       type: 'local',
-      sessionDataType: {
-        id: 'string | number',
-        firstName: 'string',
-        lastName: 'string',
-        subscriptions: '{ id: number, active: boolean}[]'
+      session: {
+        dataType: {
+          id: 'string | number',
+          firstName: 'string',
+          lastName: 'string',
+          subscriptions: '{ id: number, active: boolean }[]'
+        },
       }
     }
   }

From 734415b11a4691ab4777bdb3de0f66dc2a0686fc Mon Sep 17 00:00:00 2001
From: Marsel Shayhin <18054980+phoenix-ru@users.noreply.github.com>
Date: Fri, 13 Sep 2024 01:36:21 +0200
Subject: [PATCH 2/5] docs(#906): clarify `origin` documentation (#908)

---
 docs/guide/application-side/configuration.md | 22 ++++++++++++-
 docs/resources/error-reference.md            | 34 ++++++++++++++------
 2 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/docs/guide/application-side/configuration.md b/docs/guide/application-side/configuration.md
index f1345781..6294ea6c 100644
--- a/docs/guide/application-side/configuration.md
+++ b/docs/guide/application-side/configuration.md
@@ -31,7 +31,27 @@ Whether the module is enabled at all
 - **Type**: `string`
 - **Default**: `AUTH_ORIGIN`
 
-The name of the environment variable that holds the origin of the application. This is used to determine the origin of your application in production. Read more [here](/resources/error-reference#auth-no-origin).
+The name of the environment variable that holds the origin of the application. This is used to determine the origin of your application in production.
+
+By default, NuxtAuth will look at `AUTH_ORIGIN` environment variable and `runtimeConfig.authOrigin`.
+
+::: tip
+If you want to use `runtimeConfig` and `NUXT_` prefixed environment variables, you need to make sure to also define the key inside `runtimeConfig`,
+because otherwise Nuxt will not acknowledge your env variable ([issue #906](https://github.com/sidebase/nuxt-auth/issues/906), read more [here](https://nuxt.com/docs/guide/going-further/runtime-config#environment-variables)).
+
+```ts
+export default defineNuxtConfig({
+  auth: {
+    originEnvKey: 'NUXT_YOUR_ORIGIN'
+  },
+  runtimeConfig: {
+    yourOrigin: ''
+  }
+})
+```
+:::
+
+You can read additional information on `origin` determining [here](/resources/error-reference#auth-no-origin).
 
 ## `disableServerSideAuth`
 
diff --git a/docs/resources/error-reference.md b/docs/resources/error-reference.md
index ce8f071d..3760cecf 100644
--- a/docs/resources/error-reference.md
+++ b/docs/resources/error-reference.md
@@ -19,20 +19,36 @@ export default NuxtAuthHandler({
 
 ## AUTH_NO_ORIGIN
 
-`AUTH_NO_ORIGIN` will appear as a warning message during development and be thrown as an error that stops the application during production. It is safe to ignore the development warning - it is only meant as a heads-up for your later production-deployment. `AUTH_NO_ORIGIN` occurs when the origin of your application was not set. NuxtAuth tries to find the origin of your application in the following order:
+`AUTH_NO_ORIGIN` will appear as a warning message during development and be thrown as an error that stops the application during production.
+It is safe to ignore the development warning - it is only meant as a heads-up for your later production-deployment.
 
-1. Use the `NUXT_AUTH_ORIGIN` environment variable if it is set
-2. Development only: Determine the origin automatically from the incoming HTTP request
+`AUTH_NO_ORIGIN` occurs when the origin of your application was not set.
+NuxtAuth attempts to find the origin of your application in the following order ([source](https://github.com/sidebase/nuxt-auth/blob/9852116a7d3f3be56f6fdc1cba8bdff747c4cbb8/src/runtime/server/services/utils.ts#L8-L34)):
 
-The `origin` is important for callbacks that happen to a specific origin for `oauth` flows. Note that in order for (2) to work the `origin` already has to be set at build-time, i.e., when you run `npm run build` or `npm run generate` and it will lead to the `origin` being inside your app-bundle.
+### 1. Environment variable and `runtimeConfig`
+
+Use the `AUTH_ORIGIN` environment variable or `runtimeConfig.authOrigin` if set. Name can be customized, refer to [`originEnvKey`](/guide/application-side/configuration#originenvkey).
+
+### 2. `baseURL`
+
+The `origin` is computed using `ufo` from the provided `baseURL`. See implementation [here](https://github.com/sidebase/nuxt-auth/blob/9852116a7d3f3be56f6fdc1cba8bdff747c4cbb8/src/runtime/helpers.ts#L9-L23).
 
 ```ts
-// file: nuxt.config.ts
 export default defineNuxtConfig({
-  runtimeConfig: {
-    authOrigin: 'https://example.org', // You can either set a default or leave it empty
+  auth: {
+    baseURL: `http://localhost:${process.env.PORT || 3000}`
   }
-
-  // ... rest of your config
 })
 ```
+
+### 3. Development only: automatically from the incoming HTTP request
+
+When the server is running in development mode, NuxtAuth can automatically infer it from the incoming request.
+
+::: info
+This is only done for your convenience - make sure to set a proper origin in production.
+:::
+
+---
+
+If there is no valid `origin` after the steps above, `AUTH_NO_ORIGIN` error is thrown in production.

From c32f9b11bf5f545b1fff37450a5470d46595550e Mon Sep 17 00:00:00 2001
From: Marsel Shayhin <18054980+phoenix-ru@users.noreply.github.com>
Date: Fri, 13 Sep 2024 01:56:30 +0200
Subject: [PATCH 3/5] enh: provide a demo implementation of refresh provider
 (#901)

---
 .github/workflows/ci.yaml                     | 15 ++--
 playground-local/app.vue                      |  4 +-
 playground-local/config/AuthRefreshHandler.ts | 17 ++++
 playground-local/nuxt.config.ts               | 14 +++-
 .../server/api/auth/login.post.ts             | 80 ++++++++++++++++---
 .../server/api/auth/refresh.post.ts           | 76 ++++++++++++++++++
 playground-local/server/api/auth/user.get.ts  | 47 ++++++-----
 7 files changed, 217 insertions(+), 36 deletions(-)
 create mode 100644 playground-local/config/AuthRefreshHandler.ts
 create mode 100644 playground-local/server/api/auth/refresh.post.ts

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d0dd9904..026adb55 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VER }}
-          cache: 'pnpm'
+          cache: "pnpm"
 
       - name: Install deps and prepare types
         run: pnpm i && pnpm dev:prepare
@@ -56,7 +56,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VER }}
-          cache: 'pnpm'
+          cache: "pnpm"
 
       - name: Install deps and prepare types
         run: pnpm i && pnpm dev:prepare
@@ -82,7 +82,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VER }}
-          cache: 'pnpm'
+          cache: "pnpm"
 
       - name: Install deps
         run: pnpm i
@@ -93,7 +93,12 @@ jobs:
       # Check building
       - run: pnpm build
 
-      - name: Run Playwright tests using Vitest
+      - name: Run Playwright tests using Vitest with refresh disabled
+        run: pnpm test:e2e
+        env:
+          NUXT_AUTH_REFRESH_ENABLED: false
+
+      - name: Run Playwright tests using Vitest with refresh enabled
         run: pnpm test:e2e
 
   test-playground-authjs:
@@ -113,7 +118,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VER }}
-          cache: 'pnpm'
+          cache: "pnpm"
 
       - name: Install deps
         run: pnpm i
diff --git a/playground-local/app.vue b/playground-local/app.vue
index 6ccd2788..1f770a6f 100644
--- a/playground-local/app.vue
+++ b/playground-local/app.vue
@@ -4,8 +4,8 @@ import { useAuth } from '#imports'
 
 const { signIn, token, refreshToken, data, status, lastRefreshedAt, signOut, getSession } = useAuth()
 
-const username = ref('')
-const password = ref('')
+const username = ref('smith')
+const password = ref('hunter2')
 </script>
 
 <template>
diff --git a/playground-local/config/AuthRefreshHandler.ts b/playground-local/config/AuthRefreshHandler.ts
new file mode 100644
index 00000000..037cf687
--- /dev/null
+++ b/playground-local/config/AuthRefreshHandler.ts
@@ -0,0 +1,17 @@
+import type { RefreshHandler } from '../../'
+
+// You may also use a plain object with `satisfies RefreshHandler`, of course!
+class CustomRefreshHandler implements RefreshHandler {
+  init(): void {
+    console.info('Use the full power of classes to customize refreshHandler!')
+  }
+
+  destroy(): void {
+    console.info(
+      'Hover above class properties or go to their definition '
+      + 'to learn more about how to craft a refreshHandler'
+    )
+  }
+}
+
+export default new CustomRefreshHandler()
diff --git a/playground-local/nuxt.config.ts b/playground-local/nuxt.config.ts
index 3dabe199..4f6e5c5e 100644
--- a/playground-local/nuxt.config.ts
+++ b/playground-local/nuxt.config.ts
@@ -19,13 +19,25 @@ export default defineNuxtConfig({
       session: {
         dataType: { id: 'string', email: 'string', name: 'string', role: '\'admin\' | \'guest\' | \'account\'', subscriptions: '{ id: number, status: \'ACTIVE\' | \'INACTIVE\' }[]' },
         dataResponsePointer: '/'
+      },
+      refresh: {
+        // This is usually a static configuration `true` or `false`.
+        // We do an environment variable for E2E testing both options.
+        isEnabled: process.env.NUXT_AUTH_REFRESH_ENABLED !== 'false',
+        endpoint: { path: '/refresh', method: 'post' },
+        token: {
+          signInResponseRefreshTokenPointer: '/token/refreshToken',
+          refreshRequestTokenPointer: '/refreshToken'
+        },
       }
     },
     sessionRefresh: {
       // Whether to refresh the session every time the browser window is refocused.
       enableOnWindowFocus: true,
       // Whether to refresh the session every `X` milliseconds. Set this to `false` to turn it off. The session will only be refreshed if a session already exists.
-      enablePeriodically: 5000
+      enablePeriodically: 5000,
+      // Custom refresh handler - uncomment to use
+      // handler: './config/AuthRefreshHandler'
     },
     globalAppMiddleware: {
       isEnabled: true
diff --git a/playground-local/server/api/auth/login.post.ts b/playground-local/server/api/auth/login.post.ts
index 54cb55fd..c03fabe6 100644
--- a/playground-local/server/api/auth/login.post.ts
+++ b/playground-local/server/api/auth/login.post.ts
@@ -2,17 +2,61 @@ import { createError, eventHandler, readBody } from 'h3'
 import { z } from 'zod'
 import { sign } from 'jsonwebtoken'
 
-const refreshTokens: Record<number, Record<string, any>> = {}
+/*
+ * DISCLAIMER!
+ * This is a demo implementation, please create your own handlers
+ */
+
+/**
+ * This is a demo secret.
+ * Please ensure that your secret is properly protected.
+ */
 export const SECRET = 'dummy'
 
+/** 30 seconds */
+export const ACCESS_TOKEN_TTL = 30
+
+export interface User {
+  username: string
+  name: string
+  picture: string
+}
+
+export interface JwtPayload extends User {
+  scope: Array<'test' | 'user'>
+  exp?: number
+}
+
+interface TokensByUser {
+  access: Map<string, string>
+  refresh: Map<string, string>
+}
+
+/**
+ * Tokens storage.
+ * You will need to implement your own, connect with DB/etc.
+ */
+export const tokensByUser: Map<string, TokensByUser> = new Map()
+
+/**
+ * We use a fixed password for demo purposes.
+ * You can use any implementation fitting your usecase.
+ */
+const credentialsSchema = z.object({
+  username: z.string().min(1),
+  password: z.literal('hunter2')
+})
+
 export default eventHandler(async (event) => {
-  const result = z.object({ username: z.string().min(1), password: z.literal('hunter2') }).safeParse(await readBody(event))
+  const result = credentialsSchema.safeParse(await readBody(event))
   if (!result.success) {
-    throw createError({ statusCode: 403, statusMessage: 'Unauthorized, hint: try `hunter2` as password' })
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Unauthorized, hint: try `hunter2` as password'
+    })
   }
 
-  const expiresIn = 15
-  const refreshToken = Math.floor(Math.random() * (1000000000000000 - 1 + 1)) + 1
+  // Emulate login
   const { username } = result.data
   const user = {
     username,
@@ -20,11 +64,23 @@ export default eventHandler(async (event) => {
     name: `User ${username}`
   }
 
-  const accessToken = sign({ ...user, scope: ['test', 'user'] }, SECRET, { expiresIn })
-  refreshTokens[refreshToken] = {
-    accessToken,
-    user
+  const tokenData: JwtPayload = { ...user, scope: ['test', 'user'] }
+  const accessToken = sign(tokenData, SECRET, {
+    expiresIn: ACCESS_TOKEN_TTL
+  })
+  const refreshToken = sign(tokenData, SECRET, {
+    // 1 day
+    expiresIn: 60 * 60 * 24
+  })
+
+  // Naive implementation - please implement properly yourself!
+  const userTokens: TokensByUser = tokensByUser.get(username) ?? {
+    access: new Map(),
+    refresh: new Map()
   }
+  userTokens.access.set(accessToken, refreshToken)
+  userTokens.refresh.set(refreshToken, accessToken)
+  tokensByUser.set(username, userTokens)
 
   return {
     token: {
@@ -33,3 +89,9 @@ export default eventHandler(async (event) => {
     }
   }
 })
+
+export function extractToken(authorizationHeader: string) {
+  return authorizationHeader.startsWith('Bearer ')
+    ? authorizationHeader.slice(7)
+    : authorizationHeader
+}
diff --git a/playground-local/server/api/auth/refresh.post.ts b/playground-local/server/api/auth/refresh.post.ts
new file mode 100644
index 00000000..45640263
--- /dev/null
+++ b/playground-local/server/api/auth/refresh.post.ts
@@ -0,0 +1,76 @@
+import { createError, eventHandler, getRequestHeader, readBody } from 'h3'
+import { sign, verify } from 'jsonwebtoken'
+import { type JwtPayload, SECRET, type User, extractToken, tokensByUser } from './login.post'
+
+/*
+ * DISCLAIMER!
+ * This is a demo implementation, please create your own handlers
+ */
+
+export default eventHandler(async (event) => {
+  const body = await readBody<{ refreshToken: string }>(event)
+  const authorizationHeader = getRequestHeader(event, 'Authorization')
+  const refreshToken = body.refreshToken
+
+  if (!refreshToken || !authorizationHeader) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized, no refreshToken or no Authorization header'
+    })
+  }
+
+  // Verify
+  const decoded = verify(refreshToken, SECRET) as JwtPayload | undefined
+  if (!decoded) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized, refreshToken can\'t be verified'
+    })
+  }
+
+  // Get tokens
+  const userTokens = tokensByUser.get(decoded.username)
+  if (!userTokens) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized, user is not logged in'
+    })
+  }
+
+  // Check against known token
+  const requestAccessToken = extractToken(authorizationHeader)
+  const knownAccessToken = userTokens.refresh.get(body.refreshToken)
+  if (!knownAccessToken || knownAccessToken !== requestAccessToken) {
+    console.log({
+      msg: 'Tokens mismatch',
+      knownAccessToken,
+      requestAccessToken
+    })
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Tokens mismatch - this is not good'
+    })
+  }
+
+  // Invalidate old access token
+  userTokens.access.delete(knownAccessToken)
+
+  const user: User = {
+    username: decoded.username,
+    picture: decoded.picture,
+    name: decoded.name
+  }
+
+  const accessToken = sign({ ...user, scope: ['test', 'user'] }, SECRET, {
+    expiresIn: 60 * 5 // 5 minutes
+  })
+  userTokens.refresh.set(refreshToken, accessToken)
+  userTokens.access.set(accessToken, refreshToken)
+
+  return {
+    token: {
+      accessToken,
+      refreshToken
+    }
+  }
+})
diff --git a/playground-local/server/api/auth/user.get.ts b/playground-local/server/api/auth/user.get.ts
index d64aa12f..d2dde1bf 100644
--- a/playground-local/server/api/auth/user.get.ts
+++ b/playground-local/server/api/auth/user.get.ts
@@ -1,32 +1,41 @@
-import type { H3Event } from 'h3'
 import { createError, eventHandler, getRequestHeader } from 'h3'
 import { verify } from 'jsonwebtoken'
-import { SECRET } from './login.post'
+import { type JwtPayload, SECRET, extractToken, tokensByUser } from './login.post'
 
-const TOKEN_TYPE = 'Bearer'
-
-function extractToken(authHeaderValue: string) {
-  const [, token] = authHeaderValue.split(`${TOKEN_TYPE} `)
-  return token
-}
-
-function ensureAuth(event: H3Event) {
-  const authHeaderValue = getRequestHeader(event, 'authorization')
-  if (typeof authHeaderValue === 'undefined') {
+export default eventHandler((event) => {
+  const authorizationHeader = getRequestHeader(event, 'Authorization')
+  if (typeof authorizationHeader === 'undefined') {
     throw createError({ statusCode: 403, statusMessage: 'Need to pass valid Bearer-authorization header to access this endpoint' })
   }
 
-  const extractedToken = extractToken(authHeaderValue)
+  const extractedToken = extractToken(authorizationHeader)
+  let decoded: JwtPayload
   try {
-    return verify(extractedToken, SECRET)
+    decoded = verify(extractedToken, SECRET) as JwtPayload
   }
   catch (error) {
-    console.error('Login failed. Here\'s the raw error:', error)
+    console.error({
+      msg: 'Login failed. Here\'s the raw error:',
+      error
+    })
     throw createError({ statusCode: 403, statusMessage: 'You must be logged in to use this endpoint' })
   }
-}
 
-export default eventHandler((event) => {
-  const user = ensureAuth(event)
-  return user
+  // Check against known token
+  const userTokens = tokensByUser.get(decoded.username)
+  if (!userTokens || !userTokens.access.has(extractedToken)) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized, user is not logged in'
+    })
+  }
+
+  // All checks successful
+  const { username, name, picture, scope } = decoded
+  return {
+    username,
+    name,
+    picture,
+    scope
+  }
 })

From c1c31edbe9f439f616cf5ad0031a95c3c24424fe Mon Sep 17 00:00:00 2001
From: Zoey <zoeykaiser8@gmail.com>
Date: Tue, 17 Sep 2024 22:11:47 +0200
Subject: [PATCH 4/5] docs: fix refreshRequestTokenPointer example (#912)

---
 docs/.vitepress/routes/navbar.ts | 2 +-
 docs/guide/local/quick-start.md  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/.vitepress/routes/navbar.ts b/docs/.vitepress/routes/navbar.ts
index c2de2a18..0fd9c64b 100644
--- a/docs/.vitepress/routes/navbar.ts
+++ b/docs/.vitepress/routes/navbar.ts
@@ -44,7 +44,7 @@ export const routes: DefaultTheme.Config['nav'] = [
     ],
   },
   {
-    text: '0.9.1',
+    text: '0.9.2',
     items: [
       {
         text: '0.8.2',
diff --git a/docs/guide/local/quick-start.md b/docs/guide/local/quick-start.md
index e3770512..22d5295a 100644
--- a/docs/guide/local/quick-start.md
+++ b/docs/guide/local/quick-start.md
@@ -224,7 +224,7 @@ export default defineNuxtConfig({
         refreshOnlyToken: true,
         token: {
           signInResponseRefreshTokenPointer: '/refresh-token',
-          refreshRequestTokenPointer: 'Bearer',
+          refreshRequestTokenPointer: '/refresh-token',
           cookieName: 'auth.token',
           maxAgeInSeconds: 1800,
           sameSiteAttribute: 'lax',

From 8c73bf3d51bd26cf211aac6f331fcf548cffc411 Mon Sep 17 00:00:00 2001
From: Maxime Riehl <holtol33@gmail.com>
Date: Wed, 18 Sep 2024 19:12:44 +0200
Subject: [PATCH 5/5] docs: laravel-passport.md fix "Learn more" issue link
 (#909)

---
 docs/recipes/community/laravel-passport.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/recipes/community/laravel-passport.md b/docs/recipes/community/laravel-passport.md
index d69e69e7..f52f5276 100644
--- a/docs/recipes/community/laravel-passport.md
+++ b/docs/recipes/community/laravel-passport.md
@@ -111,5 +111,5 @@ export default NuxtAuthHandler({
 ```
 
 :::tip Learn more
-You can find the full discussion in the issue [#149](https://github.com/sidebase/nuxt-auth/v0.6/issues/149). Solution provided by [@Jericho1060](https://github.com/Jericho1060)
+You can find the full discussion in the issue [#149](https://github.com/sidebase/nuxt-auth/issues/149). Solution provided by [@Jericho1060](https://github.com/Jericho1060)
 :::