Merge branch 'main' into update-pull-request

Author: zoey-kaiser

docs/guide/local/quick-start.md

@@ -141,6 +141,8 @@ export default defineNuxtConfig({
                 maxAgeInSeconds: 1800,
                 sameSiteAttribute: 'lax',
                 cookieDomain: 'sidebase.io'
+                secureCookieAttribute: false,
+                httpOnlyCookieAttribute: false,
             }
         }
     }
@@ -204,6 +206,20 @@ The cookie domain. See the specification here: https://datatracker.ietf.org/doc/
 - **Type:** `string`
 - **Default:** `''`
 
+### `secureCookieAttribute`
+
+If set, the cookie will be only sent through `HTTPS` protocol. See the specification here : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.5
+
+-   **Type:** `boolean`
+-   **Default:** `'false'`
+
+### `httpOnlyCookieAttribute`
+
+If set, the cookie will not be accessible from JavaScript. See the specification here : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.6
+
+-   **Type:** `boolean`
+-   **Default:** `'false'`
+
 ## Refresh token
 
 :::tip
@@ -226,13 +242,17 @@ export default defineNuxtConfig({
                 maxAgeInSeconds: 1800,
                 sameSiteAttribute: 'lax',
                 cookieDomain: 'sidebase.io'
+                secureCookieAttribute: false,
+                httpOnlyCookieAttribute: false,
             },
             refreshToken: {
                 signInResponseRefreshTokenPointer: '/refresh-token',
                 refreshRequestTokenPointer: 'Bearer',
                 cookieName: 'auth.token',
                 maxAgeInSeconds: 1800,
                 cookieDomain: 'sidebase.io'
+                secureCookieAttribute: false,
+                httpOnlyCookieAttribute: false,
             }
         }
     }
@@ -280,6 +300,20 @@ Note: Your backend may reject / expire the refreshToken earlier / differently.
 
 The cookie domain. See the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.3
 
+### `secureCookieAttribute`
+
+If set, the cookie will be only sent through `HTTPS` protocol. See the specification here : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.5
+
+-   **Type:** `boolean`
+-   **Default:** `'false'`
+
+### `httpOnlyCookieAttribute`
+
+If set, the cookie will not be accessible from JavaScript. See the specification here : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.6
+
+-   **Type:** `boolean`
+-   **Default:** `'false'`
+
 ## `refreshOnlyToken`
 
 :::tip

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sidebase/nuxt-auth",
-  "version": "0.8.1",
+  "version": "0.8.2",
   "license": "MIT",
   "type": "module",
   "engines": {

src/module.ts

@@ -64,7 +64,8 @@ const defaultsByBackend: {
       maxAgeInSeconds: 30 * 60, // 30 minutes
       sameSiteAttribute: 'lax',
       secureCookieAttribute: false,
-      cookieDomain: ''
+      cookieDomain: '',
+      httpOnlyCookieAttribute: false
     },
     session: {
       dataType: { id: 'string | number' },
@@ -93,15 +94,17 @@ const defaultsByBackend: {
       maxAgeInSeconds: 5 * 60, // 5 minutes
       sameSiteAttribute: 'none',
       secureCookieAttribute: false,
-      cookieDomain: ''
+      cookieDomain: '',
+      httpOnlyCookieAttribute: false
     },
     refreshToken: {
       signInResponseRefreshTokenPointer: '/refreshToken',
       refreshRequestTokenPointer: '/refreshToken',
       cookieName: 'auth.refresh-token',
       maxAgeInSeconds: 60 * 60 * 24 * 7, // 7 days
       secureCookieAttribute: false,
-      cookieDomain: ''
+      cookieDomain: '',
+      httpOnlyCookieAttribute: false
     },
     session: {
       dataType: { id: 'string | number' },

src/runtime/composables/local/useAuthState.ts

@@ -30,7 +30,8 @@ export const useAuthState = (): UseAuthStateReturn => {
     domain: config.token.cookieDomain,
     maxAge: config.token.maxAgeInSeconds,
     sameSite: config.token.sameSiteAttribute,
-    secure: config.token.secureCookieAttribute
+    secure: config.token.secureCookieAttribute,
+    httpOnly: config.token.httpOnlyCookieAttribute
   })
 
   const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)

src/runtime/composables/refresh/useAuthState.ts

@@ -20,7 +20,8 @@ export const useAuthState = (): UseAuthStateReturn => {
       domain: config.refreshToken.cookieDomain,
       maxAge: config.refreshToken.maxAgeInSeconds,
       sameSite: 'lax',
-      secure: config.refreshToken.secureCookieAttribute
+      secure: config.refreshToken.secureCookieAttribute,
+      httpOnly: config.refreshToken.httpOnlyCookieAttribute
     }
   )
 

src/runtime/types.ts

@@ -182,6 +182,13 @@ export type ProviderLocal = {
      * @example 'sidebase.io'
      */
     cookieDomain?: string;
+    /**
+     * Whether to set the httpOnly flag on the cookie.
+     *
+     * @default false
+     * @example true
+     */
+    httpOnlyCookieAttribute?: boolean;
   };
   /**
    * Settings for the session-data that `nuxt-auth` receives from the `getSession` endpoint.
@@ -292,6 +299,13 @@ export type ProviderLocalRefresh = Omit<ProviderLocal, 'type'> & {
      * @example 'sidebase.io'
      */
     cookieDomain?: string;
+    /**
+     * Whether to set the httpOnly flag on the cookie.
+     *
+     * @default false
+     * @example true
+     */
+    httpOnlyCookieAttribute?: boolean;
   };
 };