Prevent clear auth data when getSession error

[nvthuong1996]

Describe the feature

If getSession throws an exception, the backend is most likely at fault:
If you clear auth data, all users using the website will have to log in again.

nuxt-auth/src/runtime/composables/local/useAuth.ts

Line 99 in faa039b

data.value = null

How would you implement this?

Only clear the session when the http error code returned from the backend is 401

Additional information

• Would you be willing to help implement this feature?

Provider

• AuthJS
• Local
• Refresh
• New Provider

[mbellamyy]

I'm having the same problem with refresh method.

For example, when the user disconnects their Wifi and periodic refresh is turned on, with the first failed request, the user is logged out because the token data is removed from the state.

The tokens should only be removed in three cases imo:

• the user explicitly wants them removed (by signing out)
• the tokens are expired... A refresh token that is still valid should not be nullified.
• a request to refresh (and get a valid access token) fails on SSR

[zoey-kaiser]

Hi @mbellamyy and @nvthuong1996 👋

I added the rfc label to this issue. I would pull in @phoenix-ru, and we can revisit the current behavior and discuss potential modifications to it!

[nvthuong1996]

hello @phoenix-ru @zoey-kaiser ! has any update for this issue ?

[zoey-kaiser]

Hi @nvthuong1996 👋

We are currently focusing on finishing up the documentation rewrites, which is why we are currently less actively pushing forward discussions on new issues. Once we have the docs deployed we will revisit this issue (should be pretty soon).

[Ulrich-Mbouna]

Some updates for this error ?

[bitfactory-frank-spee]

It would be nice if the getSession method throws an error instead of just clearing the session data and returning null:

nuxt-auth/src/runtime/composables/local/useAuth.ts

Line 147 in 52d4b9a

// Clear all data: Request failed so we must not be authenticated

I made a workaround using the callGetSession option set to false of the signIn method for the local provider, but I am not sure if you can do the same with refresh calls. And I still need to do a manual getSession like call which is for us this:

public async loginWith(...): Promise<void> {
        const { getSession, signIn } = useAuth();

        await signIn(
            {...},
            {
                // Don't redirect and don't call get session, because login must catch OTP/2FA errors from getSession.
                callGetSession: false,
                // The callback URL is only set to prevent the sidebase signIn method from doing extra work.
                // Improvement issue opened: https://github.com/sidebase/nuxt-auth/issues/978
                callbackUrl: '/',
                redirect: false,
            },
        );

        // NOTE: This extra fetch is needed because of how getSession works. It does not return error response data.
        // See https://github.com/sidebase/nuxt-auth/blob/main/src/runtime/composables/local/useAuth.ts#L142
        // This is a custom API call to check if we get an error. If it returns an error it is caught upstream.
        await useNuxtApp().$backendFetch('/user/me');

        // Second is a call to really get the user session so the Sidebase Auth module is filled. Redirect after.
        await getSession();
        const { redirectedFrom } = useRoute();
        navigateTo(redirectedFrom ? redirectedFrom.fullPath : '/');
    }

[sadeghi-aa]

@bitfactory-frank-spee

I have a similar issue (described in detail in #998). The workaround you mentioned doesn't appear to fix the issue I've described, does it? Do you know any solution for my issue?

[sadeghi-aa]

As a suggestion: It would be nice if we could pass a custom errorHandler function to override the catch block of the getSession function. This way the developer could decide when and how to logout the user; it could be a 401 error or any other custom condition. And if not passed, the default behavior takes precedence.

nuxt-auth/src/runtime/composables/local/useAuth.ts

Lines 143 to 151 in 956b0fa

	catch (err) {
	if (!data.value && err instanceof Error) {
	console.error(`Session: unable to extract session, ${err.message}`)
	}
	// Clear all data: Request failed so we must not be authenticated
	data.value = null
	rawToken.value = null
	}

[sadeghi-aa]

I created this PR (#999). I'm generally new to contributing to open-source projects, so forgive me if I've made any mistakes in the PR. I deliberately left the PR as minimal as possible to get feedback and of course, to see if the feature is actually a valid feature in your opinion.

Update: Closed the PR for now because it doesn't work. Will reopen it when it works.

[bitfactory-frank-spee]

It looks like this issue is going stale for some time now. I think @sadeghi-aa has a good point on how to solve it with a hook without breaking existing functionality. I don't know if this is still relevant for the latest nuxt-auth version. Shame the #999 PR is not finished. It looks like a good idea, maybe not do a return in the catch though. Just call the hook.