Config for refreshToken pulls setting from token property

[rukamir]

Version

module: 5.0.0-1608568767.2fe2217
nuxt: 2.14.12

Issue Description

When you call auth.refreshTokens() it is looking for both types of tokens. It will populate the token with token.property and the refreshToken with the refreshToken.property. If the responses for the login and refresh endpoints are not the same you can end up with refreshToken being populated with whatever refreshToken.property retrieves and if the path defined in token.property does not conform to your refresh endpoint you get undesired effects such as my example an empty token.

It is crossing configurations for token and refreshToken. It is my understanding token is closely related to the auth.login() methods while refreshToken is closely related to auth.refreshTokens() method. To make this more explicit it might be beneficial to allow both of these settings to be configured independently.

Nuxt configuration

mode:

• universal
• spa

nuxt.config.js

strategies: {
  local: {
    scheme: 'refresh',
    token: {
      property: 'tokens.access',
      required: true,
      type: 'Bearer',
      maxAge: 1800,
    },
    refreshToken: {
      property: 'token',
      data: 'refreshToken',
      tokenRequired: true,
      maxAge: 60 * 60 * 24 * 30,
    },
    ...
    endpoints: {
      login: { url: '/api/v1/auth/login', method: 'post' },
      refresh: { url: '/api/v1/auth/refresh', method: 'post' },
      logout: { url: '/api/v1/auth/logout', method: 'post' },
      user: { url: '/api/v1/auth/user', method: 'get' },
    },

/api/v1/auth/login example response

{
  "tokens": {
    "access": "...",
    "refresh": "..."
  }
}

/api/v1/auth/refresh example response

{
  "token": "..."
}

auth-module/src/schemes/refresh.ts

auth-module/src/schemes/refresh.ts

Lines 214 to 226 in 2fe2217

	protected updateTokens(
	response: HTTPResponse,
	{ isRefreshing = false, updateOnRefresh = true } = {}
	): void {
	const token = this.options.token.required
	? (getResponseProp(response, this.options.token.property) as string)
	: true
	const refreshToken = this.options.refreshToken.required
	? (getResponseProp(
	response,
	this.options.refreshToken.property
	) as string)
	: true

On these two lines

auth-module/src/schemes/refresh.ts

Line 219 in 2fe2217

? (getResponseProp(response, this.options.token.property) as string)

auth-module/src/schemes/refresh.ts

Line 224 in 2fe2217

this.options.refreshToken.property

Proposal

As mentioned above, auth.refreshTokens() gets confusing as it is implicitly crossing configurations between token and refreshToken requiring both endpoint responses to be the same. To use my response as an example and if I did return both token types for a refresh endpoint as the code looks like it attempts to achieve:

  refreshToken: {
    tokenProperty: 'tokens.access',
    refreshTokenProperty: 'tokens.refresh', // default: false
    data: 'refreshToken',
    tokenRequired: true,
    maxAge: 60 * 60 * 24 * 30,
  },

This allows a refresh endpoint to be unique if desired and is explicit about what the settings are doing.

Verification

I have verified that when I call auth.refreshTokens() the default cookie[auth._token.local] holding the token does get removed/set to empty since my response does not have a tokens.access property found in the token config block in nuxt.config.js.

Work Around

Have your Refresh and Login endpoints return the same body structure. If you do not want to issue a new refresh token, you can just return the refresh token sent along with the newly generated token.

/api/v1/auth/login & /api/v1/auth/login example response

{
  "tokens": {
    "access": "...",
    "refresh": "..."
  }
}