
I am halfway through implementing Nuxt Auth (local/refresh) in my application. I have a table in the db where I store the refresh tokens, and I want to delete the refresh token from the db when Nuxt Auth logs out. Nuxt Auth is not sending the refresh token to my endpoint, so there is no way for me to look it up and delete it from the database.

Nuxt Auth is correctly getting both tokens and the user details on login and is correctly calling my logout API endpoint; it is just sending an empty body.

package.json:

"@nuxtjs/auth-next": "^5.0.0-1624817847.21691f1",

nuxt.config:

auth: {
  strategies: {
    local: {
      scheme: 'refresh',
      token: {
        property: 'accessToken',
        maxAge: 1800,
        global: true,
      },
      refreshToken: {
        property: 'refreshToken',
        data: 'refreshToken',
        maxAge: 60 * 60 * 24 * 30
      },
      endpoints: {
        login: {url: '/login', method: 'post'},
        refresh: { url: '/token', method: 'post'},
        logout: {url: '/logout', method: 'delete'},
        user: {url: '/user', method: 'get'}
      },
      user: {
        property: false,
      },
      tokenRequired: true,
      tokenType: 'bearer'
    }
  }
}

API Endpoint:

router.delete('/logout', async (req, res) => {
  // Parameterized query: the token is passed as a bound value, not spliced into the SQL string
  // ($1 is node-postgres placeholder syntax; mysql2 uses ? instead)
  const sql = 'DELETE FROM tokens WHERE id = $1'
  await pool.query(sql, [req.body.refreshToken])
  res.sendStatus(204)
})

2 Answers


You should definitely NOT send SQL over HTTP.
Either send some ID to your backend on some path like /expire or let the token expire by itself.

My company is using a 5min token expiration. Meaning that each 5 minutes, the token is expired and refreshed with the refresh_token.
You could lower this even more, to like 1min if you want.

But this is a backend question and more code of this would be needed.
Even a new question I'd say.

  • I understand the concept of refresh tokens and that is what I am trying to do. I am not sure if it was clear in my question that this is a question specifically about the Nuxt/Auth package. – Alfredo GC Aug 10 '21 at 15:26
  • The `refresh_token` can be found in your browser. Either in cookies or localStorage, depending on your settings. Just remove it from there. – kissu Aug 10 '21 at 15:33
  • Yes, Nuxt/Auth already automatically performs the deletion of the token from cookies/localstorage for me. However, it provides an API call for logout that from what I read in the documentation, it appears to be designed to send back the refresh token to the API "delete" endpoint (refreshToken.data property). I can always get the token from the cookie, but I was hoping not to have to make 2 API calls when it can all be done in the one provided by Nuxt/Auth. – Alfredo GC Aug 10 '21 at 16:03
  • The simplest way to debug this is to logout in your Nuxt app, let `nuxt/auth` send the payload to the `/logout` path on your API and see the result there, in the router or in a controller. No need to make 2 API calls. – kissu Aug 10 '21 at 16:07
  • Yes, that is what I have been doing and what prompted me to ask the question. I am getting the accessToken in the authorization header in the backend, but the refreshToken is nowhere to be found. Nuxt/Auth is sending an empty body in the delete request. I also tried changing the request from 'delete' to 'post' to no avail. – Alfredo GC Aug 10 '21 at 17:23
  • @AlfredoGC I guess that the module is sending what you just need. Can't you determine the other token from the header? Aren't both tokens somehow linked? And also, isn't invalidating the one you get enough? – kissu Aug 10 '21 at 17:32
  • I guess I can link them in the db when I create them, or get it from the cookie and send it in a subsequent request, but the Nuxt/Auth documentation and config property seem to suggest that it is sent with the logout request (presumably in the body). I'd rather take advantage of the package functionality if I can get it to work. – Alfredo GC Aug 10 '21 at 17:37
  • @AlfredoGC not sure if the lib is supposed to do more. Feel free to post a github issue here: https://github.com/nuxt-community/auth-module/issues/new/choose Or to ask in the Nuxt discussions: https://github.com/nuxt/nuxt.js/discussions/new – kissu Aug 11 '21 at 08:47
  • I'll check that out. Thank you! – Alfredo GC Aug 12 '21 at 02:44

After a lot of debugging and console logging, here is my solution: change this.$auth.logout() (basically the method you call when you press the logout button) to this:

this.$auth.logout({
  data: {
    refreshToken: this.$auth.strategies.local.refreshToken.get(),
  },
})

PS: if you named your strategy (in nuxt.config.js) something other than 'local', you should also change this.$auth.strategies.local.refreshToken.get() to this.$auth.strategies.'your strategy name'.refreshToken.get()
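Added example, not code from the question, either answer, or the nuxt/auth module: the server side of the flow the second answer sets up. Once `this.$auth.logout({ data: { refreshToken } })` puts the refresh token in the request body, the `/logout` handler below consumes it with a parameterized `DELETE` instead of string interpolation, and returns 400 when the body is empty (the failure mode from the question) rather than running the query against the literal text `undefined`. `FakePool` and `makeRes` are constructed in-memory stand-ins for the DB pool and the Express response so the file runs offline; the `$1` placeholder assumes a node-postgres style `pool.query(text, params)` (mysql2 would use `?`), and the `tokens` table with its `id` column are taken from the question's endpoint.

```javascript
// Stand-in for a DB pool (constructed for this example): keeps refresh-token ids
// in a Set and records every query's text and parameters so a test can check
// that the token value never ends up inside the SQL text itself.
class FakePool {
  constructor(tokenIds) {
    this.tokens = new Set(tokenIds)
    this.calls = []
  }
  async query(text, params = []) {
    this.calls.push({ text, params })
    if (text !== 'DELETE FROM tokens WHERE id = $1') {
      throw new Error('unexpected SQL: ' + text)
    }
    const removed = this.tokens.delete(params[0])
    return { rowCount: removed ? 1 : 0 }
  }
}

// Minimal stand-in for an Express response object (only the methods used here).
function makeRes() {
  const res = { statusCode: 200, body: undefined }
  res.status = (code) => { res.statusCode = code; return res }
  res.sendStatus = (code) => { res.statusCode = code; res.body = undefined; return res }
  res.json = (obj) => { res.body = obj; return res }
  return res
}

// Builds the handler you would register with router.delete('/logout', ...).
// The pool is injected so the same handler runs against a real pool or FakePool.
function makeLogoutHandler(pool) {
  return async function logout(req, res) {
    const token = req.body && req.body.refreshToken
    // Empty or malformed body (what the question observed before passing `data`
    // to logout()): answer 400 instead of deleting WHERE id = 'undefined'.
    // The 512-char upper bound is an assumed sanity limit for an opaque token.
    if (typeof token !== 'string' || token.length === 0 || token.length > 512) {
      return res.status(400).json({ error: 'refreshToken missing from request body' })
    }
    // Parameterized query: the token is bound separately from the SQL text, so a
    // token containing quotes or SQL syntax can never change the statement.
    await pool.query('DELETE FROM tokens WHERE id = $1', [token])
    // 204 whether or not a row existed: logout is idempotent and the response
    // should not reveal which token ids are stored (design choice of this example).
    return res.sendStatus(204)
  }
}

// Drives the handler with a constructed request and returns what a caller can check.
async function simulateLogout(pool, body) {
  const res = makeRes()
  await makeLogoutHandler(pool)({ body }, res)
  return { status: res.statusCode, remaining: [...pool.tokens], calls: pool.calls }
}
```

Usage: `simulateLogout(new FakePool(['rt-aaa', 'rt-bbb']), { refreshToken: 'rt-aaa' })` resolves with status 204 and `remaining` equal to `['rt-bbb']`; the same call with `{}` resolves with status 400 and issues no query. With a real Express app you would register `router.delete('/logout', makeLogoutHandler(pool))` and rely on `express.json()` to parse the body nuxt/auth sends.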