Refresh logic with local strategy

[julienguillot77]

Environment

• Operating System: Darwin
• Node Version: v20.17.0
• Nuxt Version: 3.14.1592
• CLI Version: 3.15.0
• Nitro Version: 2.10.4
• Package Manager: [email protected]
• Builder: -
• User Config: default
• Runtime Modules: @nuxt/[email protected], @sidebase/[email protected], @nuxt/[email protected], @nuxtjs/[email protected], [email protected], @vueuse/[email protected], @nuxtjs/[email protected], @nuxt/[email protected], @pinia/[email protected], [email protected], [email protected], @nuxtjs/[email protected]
• Build Modules: -

Reproduction

Set your nuxt.config.ts auth options :

auth: {
    originEnvKey: "NUXT_AUTH_ORIGIN",
    globalAppMiddleware: true,
    baseURL: process.env.NUXT_MANAGEMENT_API_URL,
    sessionRefresh: {
      enablePeriodically: 10000, // 10 seconds
      enableOnWindowFocus: false,
    },
    provider: {
      type: "local",
      session: {
        dataType: {
          id: "number",
          email: "string",
          username: "string",
          first_name: "string",
          last_name: "string",
          role: "string",
        },
      },
      pages: {
        login: "/auth/login",
      },
      endpoints: {
        signIn: { path: "management/login", method: "post" },
        signOut: { path: "management/logout", method: "delete" },
        signUp: { path: "management/signup", method: "post" },
        getSession: { path: "management/session", method: "get" },
      },
      token: {
        signInResponseTokenPointer: "/data/access_token",
        type: "Bearer",
        cookieName: "my-app.access_token",
        headerName: "Authorization",
        maxAgeInSeconds: 1800, // 30 minutes
        sameSiteAttribute: "lax",
        secureCookieAttribute: false,
        httpOnlyCookieAttribute: false,
      },
      refresh: {
        isEnabled: true,
        endpoint: { path: "management/refresh", method: "post" },
        refreshOnlyToken: false,
        token: {
          signInResponseRefreshTokenPointer: "/data/refresh_token",
          refreshRequestTokenPointer: "/admin/refresh_token",
          cookieName: "my-app.refresh_token",
          maxAgeInSeconds: 14 * 24 * 60 * 60, // 2 weeks
          sameSiteAttribute: "lax",
          secureCookieAttribute: false,
          httpOnlyCookieAttribute: false,
        },
      },
    },
  }

signIn to your app

Describe the bug

I can't say it's a bug or it's volountary but this, I think, a strange behaviour.

The refresh token API endpoint is called at the same time as session refresh.

A first attempt of session refresh is done right after the signIn process. The returned access_token and refresh_token are rightly set to auth state and cookies but the next refresh tentative is still using the previous refresh_token...

Am I missing something or an issue really occurs ?

Is refreshing tokens in same time as session refresh a normal behaviour ?

Additional context

No response

Logs

No response

[julienguillot77]

After some debugging, I realized that the access_token and refresh_token stored in the app state are the old one, and those in the cookie are the valid one. But the tokens that are used during the refresh are those of the app state, right?
Is is intentional or something needs to be done on my side (or package side ?)

[julienguillot77]

Additional info :

If I disable SSR from nuxt.config.ts, the tokens stored in cookie and state are now the same.