chore: fetch cached session from cookie to ensure latest user state (#314)

jd-solanki · onmax · web-flow · commit bbf5b35611f5 · 2026-04-23T13:27:09.000+02:00
Co-authored-by: onmax &lt;maximogarciamtnez@gmail.com&gt;
diff --git a/src/runtime/app/middleware/auth.global.ts b/src/runtime/app/middleware/auth.global.ts
@@ -48,8 +48,10 @@ export default defineNuxtRouteMiddleware(async (to) => {
   const config = useRuntimeConfig().public.auth as AuthRuntimeConfig | undefined
   const { fetchSession, user, loggedIn } = useUserSession()
 
-  // Always fetch session if not logged in - state may not have synced yet
-  if (!loggedIn.value) {
+  const mode: AuthMode = typeof auth === 'string' ? auth : auth?.only ?? 'user'
+  const redirectTo = typeof auth === 'object' ? auth.redirectTo : undefined
+
+  if (!loggedIn.value || mode === 'guest') {
     const headers = import.meta.server ? useRequestHeaders(['cookie']) : undefined
     const isHydratedPrerenderPayload
       = (import.meta.client || !import.meta.server)
@@ -58,9 +60,6 @@ export default defineNuxtRouteMiddleware(async (to) => {
     await fetchSession({ headers, ...(isHydratedPrerenderPayload ? { force: true } : {}) })
   }
 
-  const mode: AuthMode = typeof auth === 'string' ? auth : auth?.only ?? 'user'
-  const redirectTo = typeof auth === 'object' ? auth.redirectTo : undefined
-
   if (mode === 'guest') {
     if (loggedIn.value)
       return navigateTo(redirectTo ?? config?.redirects?.guest ?? '/')
diff --git a/test/auth-global-middleware.test.ts b/test/auth-global-middleware.test.ts
@@ -97,6 +97,25 @@ describe('auth.global middleware', () => {
     expect(navigateTo).toHaveBeenCalledWith('/app')
   })
 
+  it('does not redirect from guest routes when session refresh resolves as logged out', async () => {
+    loggedIn.value = true
+    getRouteRules.mockResolvedValueOnce({ auth: { only: 'guest' } })
+    fetchSession.mockImplementationOnce(async () => {
+      loggedIn.value = false
+      user.value = null
+    })
+
+    const middleware = await loadMiddleware()
+    await middleware({
+      path: '/login',
+      fullPath: '/login',
+      meta: {},
+    })
+
+    expect(fetchSession).toHaveBeenCalledTimes(1)
+    expect(navigateTo).not.toHaveBeenCalled()
+  })
+
   it('checks protected routes and attempts redirect when unauthenticated', async () => {
     getRouteRules.mockResolvedValueOnce({ auth: 'user' })
 
@@ -107,6 +126,7 @@ describe('auth.global middleware', () => {
       meta: {},
     })
 
+    expect(fetchSession).toHaveBeenCalledTimes(1)
     expect(navigateTo).toHaveBeenCalledTimes(1)
   })
 
@@ -122,6 +142,8 @@ describe('auth.global middleware', () => {
       meta: {},
     })
 
+    expect(fetchSession).toHaveBeenCalledTimes(1)
+    expect(fetchSession).toHaveBeenCalledWith({ headers: undefined, force: true })
     expect(navigateTo).toHaveBeenCalledTimes(1)
   })
 
