feat: Add support for secure attribute of local/refresh provider cook…

…ies (#729) * Fixed misplaced comment and added comment for the duration in human-readable time. * Added secure cookie attribute for local and refresh provider. * Set secure attribute of token to false by default. * Added documentation for the added secureCookieAttribute. * Update useAuthState.ts --------- Co-authored-by: Marsel Shayhin <[email protected]>
sidebase · May 16, 2024 · f3fc581 · f3fc581
1 parent a863d92
commit f3fc581
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 13 deletions.
diff --git a/docs/content/2.configuration/2.nuxt-config.md b/docs/content/2.configuration/2.nuxt-config.md
@@ -240,12 +240,20 @@ type ProviderLocal = {
      */
      sameSiteAttribute?:  boolean | 'lax' | 'strict' | 'none' | undefined,
     /**
-     * The cookie domain. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
+     * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+     *
+     * @default false
+     * @example true
+     */
+    secureCookieAttribute?: boolean,
+    /**
+     * The cookie domain.
+     * See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
      *
      * @default ''
-     * @example sidebase.io
+     * @example 'sidebase.io'
      */
-    cookieDomain?: string;
+    cookieDomain?: string,
   },
   /*
    * Settings for the session-data that `nuxt-auth` receives from the `getSession` endpoint.
@@ -401,12 +409,20 @@ type ProviderRefresh = {
      */
      sameSiteAttribute?:  boolean | 'lax' | 'strict' | 'none' | undefined,
     /**
-     * The cookie domain. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
+     * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+     *
+     * @default false
+     * @example true
+     */
+    secureCookieAttribute?: boolean,
+    /**
+     * The cookie domain.
+     * See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
      *
      * @default ''
-     * @example sidebase.io
+     * @example 'sidebase.io'
      */
-    cookieDomain?: string;
+    cookieDomain?: string,
   },
   /**
    * Settings for the authentication-refreshToken that `nuxt-auth` receives from the `signIn` endpoint and that can be used to authenticate subsequent requests.

diff --git a/src/module.ts b/src/module.ts
@@ -56,8 +56,9 @@ const defaultsByBackend: {
       type: 'Bearer',
       cookieName: 'auth.token',
       headerName: 'Authorization',
-      maxAgeInSeconds: 30 * 60,
+      maxAgeInSeconds: 30 * 60, // 30 minutes
       sameSiteAttribute: 'lax',
+      secureCookieAttribute: false,
       cookieDomain: ''
     },
     session: {
@@ -86,13 +87,15 @@ const defaultsByBackend: {
       headerName: 'Authorization',
       maxAgeInSeconds: 5 * 60, // 5 minutes
       sameSiteAttribute: 'none',
+      secureCookieAttribute: false,
       cookieDomain: ''
     },
     refreshToken: {
       signInResponseRefreshTokenPointer: '/refreshToken',
       refreshRequestTokenPointer: '/refreshToken',
       cookieName: 'auth.refresh-token',
       maxAgeInSeconds: 60 * 60 * 24 * 7, // 7 days
+      secureCookieAttribute: false,
       cookieDomain: ''
     },
     session: {

diff --git a/src/runtime/composables/local/useAuthState.ts b/src/runtime/composables/local/useAuthState.ts
@@ -29,7 +29,8 @@ export const useAuthState = (): UseAuthStateReturn => {
     default: () => null,
     domain: config.token.cookieDomain,
     maxAge: config.token.maxAgeInSeconds,
-    sameSite: config.token.sameSiteAttribute
+    sameSite: config.token.sameSiteAttribute,
+    secure: config.token.secureCookieAttribute
   })
 
   const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)

diff --git a/src/runtime/composables/refresh/useAuthState.ts b/src/runtime/composables/refresh/useAuthState.ts
@@ -19,7 +19,8 @@ export const useAuthState = (): UseAuthStateReturn => {
       default: () => null,
       domain: config.refreshToken.cookieDomain,
       maxAge: config.refreshToken.maxAgeInSeconds,
-      sameSite: 'lax'
+      sameSite: 'lax',
+      secure: config.refreshToken.secureCookieAttribute
     }
   )
 

diff --git a/src/runtime/types.ts b/src/runtime/types.ts
@@ -168,10 +168,18 @@ export type ProviderLocal = {
      */
     sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined;
     /**
-     * The cookie domain. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
+     * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+     *
+     * @default false
+     * @example true
+     */
+    secureCookieAttribute?: boolean;
+    /**
+     * The cookie domain.
+     * See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
      *
      * @default ''
-     * @example sidebase.io
+     * @example 'sidebase.io'
      */
     cookieDomain?: string;
   };
@@ -270,10 +278,18 @@ export type ProviderLocalRefresh = Omit<ProviderLocal, 'type'> & {
      */
     maxAgeInSeconds?: number;
     /**
-     * The cookie domain. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
+     * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+     *
+     * @default false
+     * @example true
+     */
+    secureCookieAttribute?: boolean;
+    /**
+     * The cookie domain.
+     * See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
      *
      * @default ''
-     * @example sidebase.io
+     * @example 'sidebase.io'
      */
     cookieDomain?: string;
   };