-
-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Refresh not triggered if the access token is not also known, which limits its purpose #902
Conversation
β¦lly send auth token too for the backends that might require it.
commit: |
Fix is incomplete - logout doesn't clear refresh cookie so the user re-authenticates on each visit. |
β¦ is overwritten by unemptied cookie.
Tested with my local setup, everything works fine now. |
provider.token.signInResponseTokenPointer | ||
)}. Tried to find token at ${provider.token.signInResponseTokenPointer | ||
} in ${JSON.stringify(response)}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please not apply stylistic changes? Thanks
@@ -57,8 +58,7 @@ export default defineNuxtPlugin({ | |||
console.error( | |||
`Auth: string token expected, received instead: ${JSON.stringify( | |||
extractedRefreshToken | |||
)}. Tried to find token at ${ | |||
provider.refresh.token.signInResponseRefreshTokenPointer | |||
)}. Tried to find token at ${provider.refresh.token.signInResponseRefreshTokenPointer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same
useCookie(config.token.cookieName, { | ||
maxAge: 0, | ||
domain: config.token.cookieDomain, | ||
sameSite: config.token.sameSiteAttribute, | ||
secure: config.token.secureCookieAttribute, | ||
httpOnly: config.token.httpOnlyCookieAttribute | ||
}).value = null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been trying to understand why is this required - could you please clarify that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
coding is hard! for skill issues, use chatgpt
@cip8 Whats your status on this? Would love to see this merged because it should fix the problem with automatic logout if the access token reached EOL. |
Hey @einz-loggik π Yeah, Iβd really like to see this merged as well - but Iβve decided to move on from contributing to this project. Iβve created my own fork and use it for my projects instead. The incredibly long wait times for reviews & some challenges with its maintainers just don't align with how I like to work. Good luck ππ |
π Linked issue
#890 [second part]
β Type of change
π Description
The refresh logic should be triggered if the refresh token is known.
Some backends might require both tokens for a refresh, but this is not default behavior.
Refresh tokens are long-lasting and usually expire after access tokens, so requiring both for a successful refresh should be optional.
π Checklist