chore: fix lints

Author: phoenix-ru

README.md

@@ -39,7 +39,7 @@ npx nuxi@latest module add sidebase-auth
 <details>
   <summary>Or install manually</summary>
 
-  #### 1. Install the package as a dev dependency
+  ### 1. Install the package as a dev dependency
 
   ```sh
   npm i -D @sidebase/nuxt-auth
@@ -49,7 +49,7 @@ npx nuxi@latest module add sidebase-auth
   yarn add --dev @sidebase/nuxt-auth
   ```
 
-  #### 2. Add the modules to your `nuxt.config.ts`
+  ### 2. Add the modules to your `nuxt.config.ts`
 
   ```ts
   export default defineNuxtConfig({
@@ -174,5 +174,5 @@ Thank you to everyone who has contributed to this project by writing issues or o
 `@sidebase/nuxt-auth` is supported by all of our amazing contributors and the [Nuxt 3+ team](https://nuxters.nuxt.com/)!
 
 <a href="https://github.com/sidebase/nuxt-auth/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=sidebase/nuxt-auth" />
+  <img src="https://contrib.rocks/image?repo=sidebase/nuxt-auth" alt="Contributors" />
 </a>

docs/guide/getting-started/choose-provider.md

@@ -15,7 +15,7 @@ In `v0.9.0` the `refresh` provider was integrated into the `local` provider. Rea
 
 If you are still unsure, below are some tables to help you pick:
 
-### Authentication Methods
+## Authentication Methods
 
 |                                                               |                      authjs provider   | local provider
 |-----------------------------------------------------------    |-------------------------------------:  |---------------:
@@ -24,7 +24,7 @@ If you are still unsure, below are some tables to help you pick:
 | Credentials / Username + Password flow                        | 🚧 (if possible: use `local` instead)  |     ✅
 | Refresh tokens                                                |                                    ✅  |     ✅
 
-### Features
+## Features
 
 |                                                               |                       authjs provider  | local provider
 |-----------------------------------------------------------    |-------------------------------------:  |------:

docs/guide/getting-started/introduction.md

@@ -46,11 +46,11 @@ NextAuth versions under `4.22` are impacted by vulnerability [GHSA-v64w-49xw-qq8
 
 ::: details Further details
 ---
-#### Description of the vulnerability
+### Description of the vulnerability
 The vulnerability [GHSA-v64w-49xw-qq89](https://github.com/advisories/GHSA-v64w-49xw-qq89) only affects applications that rely on the default [Middleware authorization](https://next-auth.js.org/configuration/nextjs#middleware) provided by NextAuth.
 
 The vulnerability allows attackers to create/mock a user, by accessing the JWT from an interrupted OAuth sign-in flow. They can then manually override the session cookie and simulate a login. However, doing this does **not** give access to the users data or permissions, but can allow attackers to view the layouts of protected pages.
 
-#### Why does it not effect NuxtAuth?
+### Why does it not affect NuxtAuth?
 As the affected middleware is written for Next.js, we wrote our own [custom middleware](https://github.com/sidebase/nuxt-auth/blob/main/src/runtime/middleware/auth.ts) for NuxtAuth that is not affected by the vulnerability.
 :::

playground-authjs/pages/custom-signin.vue

@@ -9,8 +9,13 @@ const password = ref('')
 
 const { signIn } = useAuth()
 
-async function mySignInHandler({ username, password, callbackUrl }: { username: string, password: string, callbackUrl: string }) {
-  const { error, url } = await signIn('credentials', { username, password, callbackUrl, redirect: false })
+async function mySignInHandler(callbackUrl: string) {
+  const { error, url } = await signIn('credentials', {
+    username: username.value,
+    password: password.value,
+    callbackUrl,
+    redirect: false
+  })
 
   if (error) {
     // Do your custom error handling here
@@ -39,7 +44,7 @@ async function mySignInHandler({ username, password, callbackUrl }: { username:
       Sign in with username and password
     </button>
     <br>
-    <button @click="mySignInHandler({ username, password, callbackUrl: '/protected/globally' })">
+    <button @click="mySignInHandler('/protected/globally')">
       Sign in with username and password using a custom sign in handler
     </button>
   </div>

playground-local/server/utils/session.ts

@@ -33,7 +33,7 @@ interface TokensByUser {
  * Tokens storage.
  * You will need to implement your own, connect with DB/etc.
  */
-const tokensByUser: Map<string, TokensByUser> = new Map()
+const tokensByUserMap: Map<string, TokensByUser> = new Map()
 
 /**
  * We use a fixed password for demo purposes.
@@ -72,13 +72,13 @@ export async function createUserTokens(user: User): Promise<UserTokens> {
   const refreshToken = await createSignedJwt(tokenData, /* 1 day */ 60 * 60 * 24)
 
   // Naive implementation - please implement properly yourself!
-  const userTokens: TokensByUser = tokensByUser.get(user.username) ?? {
+  const userTokens: TokensByUser = tokensByUserMap.get(user.username) ?? {
     access: new Map(),
     refresh: new Map()
   }
   userTokens.access.set(accessToken, refreshToken)
   userTokens.refresh.set(refreshToken, accessToken)
-  tokensByUser.set(user.username, userTokens)
+  tokensByUserMap.set(user.username, userTokens)
 
   return {
     accessToken,
@@ -99,7 +99,7 @@ export async function decodeToken(token: string): Promise<JWTPayload> {
  * Your implementation will likely never need this and will rely on User ID and DB.
  */
 export function getTokensByUser(username: string): TokensByUser | undefined {
-  return tokensByUser.get(username)
+  return tokensByUserMap.get(username)
 }
 
 type CheckUserTokensResult = { valid: true, knownAccessToken: string } | { valid: false, knownAccessToken: undefined }

src/module.ts

@@ -102,6 +102,8 @@ const defaultsByBackend: {
 const PACKAGE_NAME = 'sidebase-auth'
 const MIDDLEWARE_NAME = PACKAGE_NAME
 
+const TS_ENDS_RE = /\.ts$/
+
 export default defineNuxtModule<ModuleOptions>({
   meta: {
     name: PACKAGE_NAME,
@@ -224,7 +226,7 @@ export default defineNuxtModule<ModuleOptions>({
       filename: './refreshHandler.ts',
       async getContents() {
         if (options.sessionRefresh.handler) {
-          const path = (await resolvePath(options.sessionRefresh.handler)).replace(/\.ts$/, '')
+          const path = (await resolvePath(options.sessionRefresh.handler)).replace(TS_ENDS_RE, '')
           return `export { default as _refreshHandler } from '${path}'`
         }
 

src/runtime/composables/authjs/useAuth.ts

@@ -8,7 +8,7 @@ import { _fetch } from '../../utils/fetch'
 import { isNonEmptyObject } from '../../utils/checkSessionResult'
 import type { CommonUseAuthReturn, GetSessionOptions, SecondarySignInOptions, SignOutOptions } from '../../types'
 import { useTypedBackendConfig } from '../../helpers'
-import { getRequestURLWN } from '../common/getRequestURL'
+import { getRequestURL } from '../common/getRequestURL'
 import { determineCallbackUrl } from '../../utils/callbackUrl'
 import type { SessionData } from './useAuthState'
 import { navigateToAuthPageWN } from './utils/navigateToAuthPage'
@@ -147,7 +147,7 @@ export function useAuth(): UseAuthReturn {
 
     const action: 'callback' | 'signin' = isCredentials ? 'callback' : 'signin'
 
-    const csrfToken = await getCsrfTokenWithNuxt(nuxt)
+    const csrfToken = await getCsrfToken()
 
     const headers: { 'Content-Type': string, 'cookie'?: string, 'host'?: string } = {
       'Content-Type': 'application/x-www-form-urlencoded',
@@ -175,10 +175,10 @@ export function useAuth(): UseAuthReturn {
     )
       .catch<Record<string, any>>((error: { data: any }) => error.data)
 
-    const data = await callWithNuxt(nuxt, fetchSignIn)
+    const signInData = await callWithNuxt(nuxt, fetchSignIn)
 
     if (redirect || !isSupportingReturn) {
-      const href = data.url ?? callbackUrl
+      const href = signInData.url ?? callbackUrl
       const navigationResult = await navigateToAuthPageWN(nuxt, href)
 
       // We use `http://_` as a base to allow relative URLs in `callbackUrl`. We only need the `error` query param
@@ -194,14 +194,14 @@ export function useAuth(): UseAuthReturn {
     }
 
     // At this point the request succeeded (i.e., it went through)
-    const error = new URL(data.url).searchParams.get('error')
-    await getSessionWithNuxt(nuxt)
+    const error = new URL(signInData.url).searchParams.get('error')
+    await getSession()
 
     return {
       error,
       status: 200,
       ok: true,
-      url: error ? null : data.url,
+      url: error ? null : signInData.url,
       navigationResult: undefined,
     }
   }
@@ -226,73 +226,72 @@ export function useAuth(): UseAuthReturn {
    * @param getSessionOptions - Options for getting the session, e.g., set `required: true` to enforce that a session _must_ exist, the user will be directed to a login page otherwise.
    */
   async function getSession(getSessionOptions?: GetSessionOptions): Promise<SessionData | null> {
-    const callbackUrlFallback = await getRequestURLWN(nuxt)
-    const { required, callbackUrl, onUnauthenticated } = defu(getSessionOptions || {}, {
-      required: false,
-      callbackUrl: undefined,
-      onUnauthenticated: () => signIn(undefined, {
-        callbackUrl: getSessionOptions?.callbackUrl || callbackUrlFallback
+    return callWithNuxt(nuxt, async () => {
+      const callbackUrlFallback = getRequestURL()
+      const { required, callbackUrl, onUnauthenticated } = defu(getSessionOptions || {}, {
+        required: false,
+        callbackUrl: undefined,
+        onUnauthenticated: () => signIn(undefined, {
+          callbackUrl: getSessionOptions?.callbackUrl || callbackUrlFallback
+        })
       })
-    })
-
-    function onError() {
-      loading.value = false
-    }
 
-    const headers = await getRequestHeaders(nuxt)
-
-    return _fetch<SessionData>(nuxt, '/session', {
-      onResponse: ({ response }) => {
-        const sessionData = response._data
+      function onError() {
+        loading.value = false
+      }
 
-        // Add any new cookie to the server-side event for it to be present on the app-side after
-        // initial load, see sidebase/nuxt-auth/issues/200 for more information.
-        if (import.meta.server) {
-          const setCookieValues = response.headers.getSetCookie ? response.headers.getSetCookie() : [response.headers.get('set-cookie')]
-          if (setCookieValues && nuxt.ssrContext) {
-            for (const value of setCookieValues) {
-              if (!value) {
-                continue
+      const headers = await getRequestHeaders(nuxt)
+
+      return _fetch<SessionData>(nuxt, '/session', {
+        onResponse: ({ response }) => {
+          const sessionData = response._data
+
+          // Add any new cookie to the server-side event for it to be present on the app-side after
+          // initial load, see sidebase/nuxt-auth/issues/200 for more information.
+          if (import.meta.server) {
+            const setCookieValues = response.headers.getSetCookie ? response.headers.getSetCookie() : [response.headers.get('set-cookie')]
+            if (setCookieValues && nuxt.ssrContext) {
+              for (const value of setCookieValues) {
+                if (!value) {
+                  continue
+                }
+                appendHeader(nuxt.ssrContext.event, 'set-cookie', value)
               }
-              appendHeader(nuxt.ssrContext.event, 'set-cookie', value)
             }
           }
-        }
 
-        data.value = isNonEmptyObject(sessionData) ? sessionData : null
-        loading.value = false
+          data.value = isNonEmptyObject(sessionData) ? sessionData : null
+          loading.value = false
 
-        if (required && status.value === 'unauthenticated') {
-          return onUnauthenticated()
-        }
+          if (required && status.value === 'unauthenticated') {
+            return onUnauthenticated()
+          }
 
-        return sessionData
-      },
-      onRequest: ({ options }) => {
-        lastRefreshedAt.value = new Date()
+          return sessionData
+        },
+        onRequest: ({ options }) => {
+          lastRefreshedAt.value = new Date()
 
-        options.params = {
-          ...options.params,
-          callbackUrl: callbackUrl || callbackUrlFallback
-        }
-      },
-      onRequestError: onError,
-      onResponseError: onError,
-      headers
-    }, /* proxyCookies = */ true)
-  }
-  function getSessionWithNuxt(nuxt: NuxtApp) {
-    return callWithNuxt(nuxt, getSession)
+          options.params = {
+            ...options.params,
+            callbackUrl: callbackUrl || callbackUrlFallback
+          }
+        },
+        onRequestError: onError,
+        onResponseError: onError,
+        headers
+      }, /* proxyCookies = */ true)
+    })
   }
 
   /**
    * Sign out the current user.
    *
-   * @param options - Options for sign out, e.g., to `redirect` the user to a specific page after sign out has completed
+   * @param signOutOptions - Options for sign out, e.g., to `redirect` the user to a specific page after sign out has completed
    */
-  async function signOut(options?: SignOutOptions) {
-    const { callbackUrl: userCallbackUrl, redirect = true } = options ?? {}
-    const csrfToken = await getCsrfTokenWithNuxt(nuxt)
+  async function signOut(signOutOptions?: SignOutOptions) {
+    const { callbackUrl: userCallbackUrl, redirect = true } = signOutOptions ?? {}
+    const csrfToken = await getCsrfToken()
 
     // Determine the correct callback URL
     const callbackUrl = await determineCallbackUrl(
@@ -325,35 +324,20 @@ export function useAuth(): UseAuthReturn {
       return navigateToAuthPageWN(nuxt, url)
     }
 
-    await getSessionWithNuxt(nuxt)
+    await getSession()
     return signoutData
   }
 
-  /**
-   * Utilities to make nested async composable calls play nicely with nuxt.
-   *
-   * Calling nested async composable can lead to "nuxt instance unavailable" errors. See more details here: https://github.com/nuxt/framework/issues/5740#issuecomment-1229197529. To resolve this we can manually ensure that the nuxt-context is set. This module contains `callWithNuxt` helpers for some of the methods that are frequently called in nested `useAuth` composable calls.
-   */
-  async function getRequestHeaders(nuxt: NuxtApp, includeCookie = true): Promise<{ cookie?: string, host?: string }> {
-  // `useRequestHeaders` is sync, so we narrow it to the awaited return type here
-    const headers = await callWithNuxt(nuxt, () => useRequestHeaders(['cookie', 'host']))
-    if (includeCookie && headers.cookie) {
-      return headers
-    }
-    return { host: headers.host }
-  }
-
   /**
    * Get the current Cross-Site Request Forgery token.
    *
    * You can use this to pass along for certain requests, most of the time you will not need it.
    */
   async function getCsrfToken() {
-    const headers = await getRequestHeaders(nuxt)
-    return _fetch<{ csrfToken: string }>(nuxt, '/csrf', { headers }).then(response => response.csrfToken)
-  }
-  function getCsrfTokenWithNuxt(nuxt: NuxtApp) {
-    return callWithNuxt(nuxt, getCsrfToken)
+    return callWithNuxt(nuxt, async () => {
+      const headers = await getRequestHeaders(nuxt)
+      return _fetch<{ csrfToken: string }>(nuxt, '/csrf', { headers }).then(response => response.csrfToken)
+    })
   }
 
   return {
@@ -369,3 +353,17 @@ export function useAuth(): UseAuthReturn {
   }
 }
 export default useAuth
+
+/**
+ * Utilities to make nested async composable calls play nicely with nuxt.
+ *
+ * Calling nested async composable can lead to "nuxt instance unavailable" errors. See more details here: https://github.com/nuxt/framework/issues/5740#issuecomment-1229197529. To resolve this we can manually ensure that the nuxt-context is set. This module contains `callWithNuxt` helpers for some of the methods that are frequently called in nested `useAuth` composable calls.
+ */
+async function getRequestHeaders(nuxt: NuxtApp, includeCookie = true): Promise<{ cookie?: string, host?: string }> {
+  // `useRequestHeaders` is sync, so we narrow it to the awaited return type here
+  const headers = await callWithNuxt(nuxt, () => useRequestHeaders(['cookie', 'host']))
+  if (includeCookie && headers.cookie) {
+    return headers
+  }
+  return { host: headers.host }
+}

src/runtime/helpers.ts

@@ -5,6 +5,11 @@ import type { useRuntimeConfig } from '#imports'
 
 export const isProduction = process.env.NODE_ENV === 'production'
 
+const DIGIT_OR_DASH_RE = /^\d+|-$/
+const SLASH_RE = /\//
+const TILDE_1_RE = /~1/g
+const TILDE_0_RE = /~0/g
+
 // We use `DeepRequired` here because options are actually enriched using `defu`
 // but due to a build error we can't use `DeepRequired` inside runtime config definition.
 type RuntimeConfig = ReturnType<typeof useRuntimeConfig>
@@ -90,7 +95,7 @@ export function jsonPointerSet(
     nextTok = refTokens[i + 1]
 
     if (!(tok in obj)) {
-      if (nextTok.match(/^(\d+|-)$/)) {
+      if (DIGIT_OR_DASH_RE.test(nextTok)) {
         obj[tok] = []
       }
       else {
@@ -129,5 +134,5 @@ function jsonPointerParse(pointer: string): string[] {
   if (pointer.charAt(0) !== '/') {
     throw new Error(`Invalid JSON pointer: ${pointer}`)
   }
-  return pointer.substring(1).split(/\//).map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'))
+  return pointer.substring(1).split(SLASH_RE).map(s => s.replace(TILDE_1_RE, '/').replace(TILDE_0_RE, '~'))
 }