-
-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Refresh not triggered if the access token is not also known, which limits its purpose #902
base: main
Are you sure you want to change the base?
Conversation
β¦lly send auth token too for the backends that might require it.
commit: |
Fix is incomplete - logout doesn't clear refresh cookie so the user re-authenticates on each visit. |
β¦ is overwritten by unemptied cookie.
Tested with my local setup, everything works fine now. |
provider.token.signInResponseTokenPointer | ||
)}. Tried to find token at ${provider.token.signInResponseTokenPointer | ||
} in ${JSON.stringify(response)}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please not apply stylistic changes? Thanks
@@ -57,8 +58,7 @@ export default defineNuxtPlugin({ | |||
console.error( | |||
`Auth: string token expected, received instead: ${JSON.stringify( | |||
extractedRefreshToken | |||
)}. Tried to find token at ${ | |||
provider.refresh.token.signInResponseRefreshTokenPointer | |||
)}. Tried to find token at ${provider.refresh.token.signInResponseRefreshTokenPointer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same
useCookie(config.token.cookieName, { | ||
maxAge: 0, | ||
domain: config.token.cookieDomain, | ||
sameSite: config.token.sameSiteAttribute, | ||
secure: config.token.secureCookieAttribute, | ||
httpOnly: config.token.httpOnlyCookieAttribute | ||
}).value = null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been trying to understand why is this required - could you please clarify that?
π Linked issue
#890 [second part]
β Type of change
π Description
The refresh logic should be triggered if the refresh token is known.
Some backends might require both tokens for a refresh, but this is not default behavior.
Refresh tokens are long-lasting and usually expire after access tokens, so requiring both for a successful refresh should be optional.
π Checklist