User not logged out when 401 on refresh occurs #966

Open
benoitlemaire opened this issue Dec 20, 2024 · 4 comments
Labels
bug A bug that needs to be resolved pending An issue waiting for triage

Comments

@benoitlemaire

benoitlemaire commented Dec 20, 2024

Environment

  • Operating System: Darwin
  • Node Version: v20.16.0
  • Nuxt Version: 3.14.1592
  • CLI Version: 3.16.0
  • Nitro Version: 2.10.4

Reproduction

playground-local with external backend api

Describe the bug

Description:
I'm encountering an issue with user sessions and token refresh behavior. Here's the scenario:

  1. I log in to my site, and everything works perfectly.
  2. I open the same site in an incognito window and log in with the same user. Everything works perfectly here too.
  3. However, when I return to the first session (non-incognito), the refresh requests start failing with a 401 error because my backend sends an error since the refresh tokens are different.

Despite the 401 errors, the user is not logged out in the original session. They can still navigate through the site and access pages, which is not the expected behavior.

Expected Behavior:
If the refresh or getSession requests throw a 401 or 403 error, the user should be automatically logged out from that session.

Current Configuration:
Below is my current configuration:

auth: {
  baseURL: 'https://external-backend.com/api/',
  provider: {
    type: 'local',
    endpoints: {
      getSession: { path: '/auth/get-session', method: 'get' },
      signIn: { path: '/auth/login', method: 'post' },
      signUp: { path: '/auth/register', method: 'post' },
      signOut: { path: '/auth/logout', method: 'get' },
    },
    pages: {
      login: '/'
    },
    token: {
      signInResponseTokenPointer: '/accessToken',
    },
    refresh: {
      isEnabled: true,
      endpoint: { path: 'auth/refresh', method: 'post' },
      refreshOnlyToken: false,
      token: {
        signInResponseRefreshTokenPointer: '/refreshToken',
        refreshRequestTokenPointer: '/refreshToken',
        maxAgeInSeconds: 900,
      }
    }
  },
  sessionRefresh: {
    enableOnWindowFocus: false,
    enablePeriodically: 5000,
  },
  globalAppMiddleware: {
    isEnabled: true
  }
}

Question:
What am I missing in my configuration to ensure that the user is logged out automatically if the refresh or getSession requests fail with a 401 or 403 error? Tried on 0.9.4 and 0.10.0.


Additional context

I think the FetchError is not caught in useAuth; here are the errors in the console when refresh fails:

ofetch.03887fc3.mjs?v=88c26a32:316 Uncaught (in promise) FetchError: [POST] "https://my-external-api.com/api/auth/refresh": 401 
    at async $fetch2 (ofetch.03887fc3.mjs?v=88c26a32:316:15)
    at async Object.refresh (useAuth.ts:198:20)

Logs

No response

@benoitlemaire benoitlemaire added bug A bug that needs to be resolved pending An issue waiting for triage labels Dec 20, 2024
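One way to get the behaviour the reporter expects (refresh answered with 401/403 ends the session, anything else is left to the caller), as an added example that is not code from the issue or from the nuxt-auth project. It assumes an `auth` object exposing `refresh()` and `signOut()` (the shape of the `useAuth()` composable) and reads the status the way ofetch's FetchError carries it (`statusCode` or `response.status`).

```javascript
// Added example (not from the issue or the nuxt-auth project): wrap a
// session refresh so that an authentication failure ends the session
// instead of surfacing as an unhandled promise rejection.
// Assumed: `auth` exposes refresh() and signOut(); the error carries
// `statusCode` and/or `response.status` like ofetch's FetchError.

const SESSION_ENDING_STATUS = new Set([401, 403]);

// Extract an HTTP status from a thrown fetch error, or undefined if none.
function statusOf(err) {
  if (err && Number.isInteger(err.statusCode)) return err.statusCode;
  if (err && err.response && Number.isInteger(err.response.status)) {
    return err.response.status;
  }
  return undefined;
}

// Returns 'refreshed' or 'signed-out'. Non-auth failures (network error,
// 5xx) are rethrown so a transient backend outage does not log the user out.
async function refreshOrSignOut(auth, { callbackUrl = '/' } = {}) {
  try {
    await auth.refresh();
    return 'refreshed';
  } catch (err) {
    const status = statusOf(err);
    if (status !== undefined && SESSION_ENDING_STATUS.has(status)) {
      await auth.signOut({ callbackUrl });
      return 'signed-out';
    }
    throw err;
  }
}

// Guard for a periodic refresh loop (cf. sessionRefresh.enablePeriodically):
// once the session has been ended, later timer ticks are no-ops instead of
// repeated signOut calls and redirects.
function createPeriodicRefresher(auth, opts) {
  let ended = false;
  return async function tick() {
    if (ended) return 'ended';
    const outcome = await refreshOrSignOut(auth, opts);
    if (outcome === 'signed-out') ended = true;
    return outcome;
  };
}
```

In a Nuxt app the `tick` function would be driven by the same interval the `sessionRefresh` option configures, and `refreshOrSignOut` would replace a bare `refresh()` call wherever the session is renewed.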
@OlePc

OlePc commented Jan 6, 2025

Noticed this too in my application. What is the expected behavior? The docs say nothing about error handling when refresh is denied by the backend.

@NathanD19

Finding the same issue with credentials auth with a custom backend. Anyone have any workarounds?

@bitfactory-frank-spee
Contributor

It would be nice if the getSession method throws an error instead of just clearing the session data, and returning null:

// Clear all data: Request failed so we must not be authenticated

I made a workaround using the callGetSession option set to false of the signIn method for the local provider, but I am not sure if you can do the same with refresh calls.

@n0-m4d

n0-m4d commented Jan 20, 2025

Also looking for a solution. What is the expected behaviour, actually?
