feat(auth): allow turning off session cookie

Author: posva

packages/nuxt/playground/nuxt.config.ts

@@ -39,7 +39,10 @@ export default defineNuxtConfig({
     [
       '../src/module',
       {
-        auth: true,
+        auth: {
+          enabled: true,
+          sessionCookie: true,
+        },
         appCheck: {
           // TODO: could automatically pick up a debug token defined as an env variable
           debug: process.env.NODE_ENV !== 'production',

packages/nuxt/src/module.ts

@@ -59,18 +59,34 @@ export default defineNuxtModule<VueFireNuxtModuleOptions>({
     nuxt.options.appConfig.firebaseConfig = markRaw(options.config)
     nuxt.options.appConfig.vuefireOptions = markRaw(options)
 
-    nuxt.options.runtimeConfig.vuefire = {
-      options: {
-        ...options,
-        // ensure the resolved version easier to consume
-        emulators: {
-          enabled:
-            typeof options.emulators === 'object'
-              ? options.emulators.enabled ?? true // allows user to comment out enabled: false
-              : !!options.emulators,
-          ...(typeof options.emulators === 'object' ? options.emulators : {}),
-        },
+    const isAuthEnabled =
+      typeof options.auth === 'object'
+        ? options.auth.enabled ?? true // allows user to comment out enabled: false
+        : !!options.auth
+
+    const resolvedVueFireOptions = {
+      ...options,
+      // ensure the resolved version easier to consume
+      emulators: {
+        enabled:
+          typeof options.emulators === 'object'
+            ? options.emulators.enabled ?? true // allows user to comment out enabled: false
+            : !!options.emulators,
+        ...(typeof options.emulators === 'object' ? options.emulators : {}),
       },
+      auth: {
+        enabled: isAuthEnabled,
+        // enable session cookie when auth is `true`
+        sessionCookie:
+          typeof options.auth === 'object'
+            ? isAuthEnabled && options.auth.sessionCookie // deactivating auth also deactivates the session cookie
+            : !!options.auth, // fallback to the boolean value of options.auth
+        ...(typeof options.auth === 'object' ? options.auth : {}),
+      },
+    } satisfies VueFireNuxtModuleOptionsResolved
+
+    nuxt.options.runtimeConfig.vuefire = {
+      options: resolvedVueFireOptions,
     }
 
     // we need this to avoid some warnings about missing credentials and ssr
@@ -169,7 +185,11 @@ export default defineNuxtModule<VueFireNuxtModuleOptions>({
         )
       }
 
-      if (nuxt.options.ssr && (hasServiceAccount || emulatorsConfig)) {
+      if (
+        nuxt.options.ssr &&
+        (hasServiceAccount || emulatorsConfig) &&
+        resolvedVueFireOptions.auth.sessionCookie
+      ) {
         // Add the session handler than mints a cookie for the user
         addServerHandler({
           route: '/api/__session',
@@ -243,7 +263,7 @@ export default defineNuxtModule<VueFireNuxtModuleOptions>({
       }
 
       if (hasServiceAccount || emulatorsConfig) {
-        if (options.auth) {
+        if (resolvedVueFireOptions.auth.sessionCookie) {
           // decodes user token from cookie if any
           addPlugin(resolve(runtimeDir, 'auth/plugin-user-token.server'))
         }

packages/nuxt/src/module/options.ts

@@ -39,16 +39,34 @@ export interface VueFireNuxtModuleOptions {
   appCheck?: NuxtVueFireAppCheckOptions
 
   /**
-   * Enables Authentication
+   * Enables the Authentication module and the session cookie. Pass an object to individually customize the modules.
+   * @defaultValue `false`
    */
-  auth?: boolean
+  auth?:
+    | boolean
+    | {
+        /**
+         * Adds the Authentication module to VueFire.
+         * @defaultValue `true` if `options.auth` is an object.
+         */
+        enabled?: boolean
+
+        /**
+         * Enables the `/api/__session` endpoint to mint cookies and verifying the user during SSR. This requires you to
+         * configure a [valid Service
+         * Account](https://vuefire.vuejs.org/nuxt/getting-started.html#Configuring-the-Admin-SDK) and the valid
+         * permissions on your Google Cloud project. You can find more information about what happens behind the scenes
+         * in Firebase docs: [Manage Session Cookies](https://firebase.google.com/docs/auth/admin/manage-cookies).
+         */
+        sessionCookie?: boolean
+      }
 
   /**
    * Controls whether to use emulators or not. Pass `false` to disable emulators. When set to `true`, emulators are
    * enabled when they are detected in the `firebase.json` file. You still need to run the emulators in parallel to your
    * app.
    *
-   * @default true
+   * @defaultValue `true`
    * @experimental
    */
   emulators?:
@@ -76,6 +94,7 @@ export interface VueFireNuxtModuleOptions {
 }
 
 export interface VueFireNuxtModuleOptionsResolved
-  extends Omit<VueFireNuxtModuleOptions, 'emulators'> {
+  extends Omit<VueFireNuxtModuleOptions, 'emulators' | 'auth'> {
   emulators: Exclude<VueFireNuxtModuleOptions['emulators'], boolean | undefined>
+  auth: Exclude<VueFireNuxtModuleOptions['auth'], boolean | undefined>
 }

packages/nuxt/src/runtime/auth/plugin.server.ts

@@ -24,6 +24,7 @@ export default defineNuxtPlugin(async (nuxtApp) => {
 
   const uid = decodedToken?.uid
 
+  // this is also undefined if the user hasn't enabled the session cookie option
   if (uid) {
     // reauthenticate if the user is not the same (e.g. invalidated)
     if (auth.currentUser?.uid !== uid) {