sidebase · benjipott · Nov 9, 2023 · Nov 14, 2023 · Nov 14, 2023 · Jan 1, 2024
diff --git a/src/module.ts b/src/module.ts
@@ -1,22 +1,22 @@
 import {
-  defineNuxtModule,
-  useLogger,
-  createResolver,
-  addTemplate,
+  addImports,
   addPlugin,
+  addRouteMiddleware,
   addServerPlugin,
-  addImports,
-  addRouteMiddleware
+  addTemplate,
+  createResolver,
+  defineNuxtModule,
+  useLogger
 } from '@nuxt/kit'
 import { defu } from 'defu'
-import { joinURL } from 'ufo'
 import { genInterface } from 'knitwork'
 import type { DeepRequired } from 'ts-essentials'
+import { joinURL } from 'ufo'
 import { getOriginAndPathnameFromURL, isProduction } from './runtime/helpers'
 import type {
+  AuthProviders,
   ModuleOptions,
-  SupportedAuthProviders,
-  AuthProviders
+  SupportedAuthProviders
 } from './runtime/types'
 
 const topLevelDefaults = {
@@ -52,8 +52,11 @@
       signInResponseTokenPointer: '/token',
       type: 'Bearer',
       headerName: 'Authorization',
+      sameSiteAttribute: 'lax',
+      name: 'auth:token',
       maxAgeInSeconds: 30 * 60,
-      sameSiteAttribute: 'lax'
+      secure: false,
+      domain: undefined
     },
     sessionDataType: { id: 'string | number' }
   },
@@ -71,7 +74,7 @@
      getSession: { path: '/session', method: 'get' },
      refresh: { path: '/refresh', method: 'post' }
    },
    token: {
      signInResponseTokenPointer: '/token',
      type: 'Bearer',
      headerName: 'Authorization',

diff --git a/src/runtime/composables/local/useAuth.ts b/src/runtime/composables/local/useAuth.ts
@@ -1,13 +1,13 @@
 import { readonly, Ref } from 'vue'
-import { callWithNuxt } from '#app/nuxt'
-import { CommonUseAuthReturn, SignOutFunc, SignInFunc, GetSessionFunc, SecondarySignInOptions } from '../../types'
-import { _fetch } from '../../utils/fetch'
 import { jsonPointerGet, useTypedBackendConfig } from '../../helpers'
+import { CommonUseAuthReturn, GetSessionFunc, SecondarySignInOptions, SignInFunc, SignOutFunc } from '../../types'
 import { getRequestURLWN } from '../../utils/callWithNuxt'
+import { _fetch } from '../../utils/fetch'
 import { useAuthState } from './useAuthState'
+import { callWithNuxt } from '#app/nuxt'
 // @ts-expect-error - #auth not defined
 import type { SessionData } from '#auth'
-import { useNuxtApp, useRuntimeConfig, nextTick, navigateTo } from '#imports'
+import { navigateTo, nextTick, useNuxtApp, useRuntimeConfig } from '#imports'
 
 type Credentials = { username?: string, email?: string, password?: string } & Record<string, any>
 
@@ -43,13 +43,29 @@ const signIn: SignInFunc<Credentials, any> = async (credentials, signInOptions,
   }
 }
 
+const addHeaders = (token: string | null, config: ReturnType<typeof useTypedBackendConfig>) => {
+  if (!(token && config.token.headerName)) {
+    return undefined
+  }
+
+  if (config.token.type.length > 0) {
+    switch (config.token.type) {
+      case 'Cookie':
+        return { [config.token.headerName]: `${config.token.name}=${token}` }
+      case 'Bearer':
+      default:
+        return { [config.token.headerName]: `${config.token.type} ${token}` }
+    }
+  }
+}
+
 const signOut: SignOutFunc = async (signOutOptions) => {
   const nuxt = useNuxtApp()
   const runtimeConfig = await callWithNuxt(nuxt, useRuntimeConfig)
   const config = useTypedBackendConfig(runtimeConfig, 'local')
   const { data, rawToken, token } = await callWithNuxt(nuxt, useAuthState)
 
-  const headers = new Headers({ [config.token.headerName]: token.value } as HeadersInit)
+  const headers = new Headers(addHeaders(token.value, config))
   data.value = null
   rawToken.value = null
 
@@ -80,7 +96,7 @@ const getSession: GetSessionFunc<SessionData | null | void> = async (getSessionO
     return
   }
 
-  const headers = new Headers(token.value ? { [config.token.headerName]: token.value } as HeadersInit : undefined)
+  const headers = new Headers(addHeaders(token.value, config))
 
   loading.value = true
   try {

diff --git a/src/runtime/composables/local/useAuthState.ts b/src/runtime/composables/local/useAuthState.ts
@@ -1,9 +1,9 @@
-import { computed, watch, ComputedRef } from 'vue'
-import type { CookieRef } from '#app'
+import type { CookieRef } from '#app/nuxt'
+import { ComputedRef, computed, watch } from 'vue'
+import { useTypedBackendConfig } from '../../helpers'
 import { CommonUseAuthStateReturn } from '../../types'
 import { makeCommonAuthState } from '../commonAuthState'
-import { useTypedBackendConfig } from '../../helpers'
-import { useRuntimeConfig, useCookie, useState } from '#imports'
+import { useCookie, useRuntimeConfig, useState } from '#imports'
 // @ts-expect-error - #auth not defined
 import type { SessionData } from '#auth'
 
@@ -19,7 +19,7 @@ export const useAuthState = (): UseAuthStateReturn => {
   const commonAuthState = makeCommonAuthState<SessionData>()
 
   // Re-construct state from cookie, also setup a cross-component sync via a useState hack, see https://github.com/nuxt/nuxt/issues/13020#issuecomment-1397282717
-  const _rawTokenCookie = useCookie<string | null>('auth:token', { default: () => null, maxAge: config.token.maxAgeInSeconds, sameSite: config.token.sameSiteAttribute })
+  const _rawTokenCookie = useCookie<string | null>(config.token.name, { default: config.token.default, maxAge: config.token.maxAgeInSeconds, sameSite: config.token.sameSiteAttribute, secure: config.token.secure, domain: config.token.domain })
 
   const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)
   watch(rawToken, () => { _rawTokenCookie.value = rawToken.value })
@@ -28,7 +28,8 @@ export const useAuthState = (): UseAuthStateReturn => {
     if (rawToken.value === null) {
       return null
     }
-    return config.token.type.length > 0 ? `${config.token.type} ${rawToken.value}` : rawToken.value
+
+    return rawToken.value
   })
 
   const setToken = (newToken: string | null) => {

diff --git a/src/runtime/types.ts b/src/runtime/types.ts
@@ -1,5 +1,5 @@
-import type { Ref, ComputedRef } from 'vue'
 import { RouterMethod } from 'h3'
+import type { ComputedRef, Ref } from 'vue'
 import { SupportedProviders } from './composables/authjs/useAuth'
 
 /**
@@ -119,6 +119,14 @@ type ProviderLocal = {
    * Settings for the authentication-token that `nuxt-auth` receives from the `signIn` endpoint and that can be used to authenticate subsequent requests.
    */
   token?: {
+    /**
+     * The name of the cookie to store the authentication-token in.
+     *
+     * @default auth:token  Access the cookie `auth:token` from session
+     */
+    name?: string,
+
+    default?: () => string | null
     /**
      * How to extract the authentication-token from the sign-in response.
      *
@@ -142,14 +150,14 @@ type ProviderLocal = {
      * Header name to be used in requests that need to be authenticated, e.g., to be used in the `getSession` request.
      *
      * @default Authorization
-     * @example Auth
+     * @example Cookie
      */
     headerName?: string;
     /**
      * Maximum age to store the authentication token for. After the expiry time the token is automatically deleted on the application side, i.e., in the users' browser.
      *
      * Note: Your backend may reject / expire the token earlier / differently.
-     * @default 1800
+     * @default undefined
      * @example 60 * 60 * 24
      */
     maxAgeInSeconds?: number;
@@ -159,8 +167,23 @@ type ProviderLocal = {
      * @default 'lax'
      * @example 'strict'
      */
-    sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined;
-  };
+    sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined,
+    /**
+     * Specifies the boolean value for the Secure Set-Cookie attribute. When truthy, the Secure attribute is set; otherwise it is not. By default, the Secure attribute is not set.
+     * Note: Be careful when setting this to true, as compliant clients will not allow client-side JavaScript to see the cookie in document.cookie.
+     * @default false
+     * @example true
+     */
+    secure?: boolean,
+    /**
+     * Specifies the value for the Domain Set-Cookie attribute. By default, no domain is set, and most clients will consider applying the cookie only to the current domain.
+     *
+     * @default undefined use
+     * @example 'domain.com'
+     */
+    domain?: string,
+
+  },
   /**
    * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.
    *