@devcoffee/nuxt-core 1.3.0 → 1.4.1

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## v1.4.1
+
+[compare changes](https://github.com/coolkg1412/devcoffee-nuxt-core/compare/v1.4.0...v1.4.1)
+
+### 🩹 Fixes
+
+- Normalize expiresIn to seconds across all session consumers ([2c197ab](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/2c197ab))
+
+### ❤️ Contributors
+
+- Hieu Nguyen <hieu.nguyen@devcoffee.tech>
+
+## v1.4.0
+
+[compare changes](https://github.com/coolkg1412/devcoffee-nuxt-core/compare/v1.3.0...v1.4.0)
+
+### 🚀 Enhancements
+
+- Implement writeSessionCookie function and integrate it into NuxtForwardRequestHandler and authts plugin ([e761f6c](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/e761f6c))
+
+### 🩹 Fixes
+
+- Drop return from proxyRequest in NuxtForwardRequestHandler to prevent ERR_HTTP_HEADERS_SENT ([fd3b91c](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/fd3b91c))
+- Prevent sending headers after response has been finalized in beforeResponse hook ([444a012](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/444a012))
+- Update version to 1.3.2 in package.json and package-lock.json ([e6ab449](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/e6ab449))
+
+### 💅 Refactors
+
+- Remove redundant signSessionId checks from authts.sec03.test.ts ([18686f4](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/18686f4))
+
+### ❤️ Contributors
+
+- Hieu Nguyen <hieu.nguyen@devcoffee.tech>
+
 ## v1.3.0
 
 [compare changes](https://github.com/coolkg1412/devcoffee-nuxt-core/compare/v1.2.5...v1.3.0)

package/dist/module.d.mts

@@ -3,249 +3,255 @@ import { CookieSerializeOptions } from '../dist/runtime/server/adapters/http.js'
 import { OidcUserInfo } from '../dist/runtime/server/adapters/oidc.js';
 import { LogLevel as LogLevel$1, ConsolaOptions, ConsolaInstance } from 'consola';
 
-interface AuthorizedUser {
-  id: string
-  sub: string
-  email: string
-  firstName: string
-  lastName: string
-  locale: string
-  language: string
-  timezone: string
-}
-
-type AuthStatus = 'unauthenticated' | 'authenticated'
-
-type AuthData = {
-  status: AuthStatus
-  tokenSet?: {
-    accessToken: string
-    tokenType: string
-    expiresAt: number
-    idToken: string
-    refreshToken: string
-    scopes: string[]
-  }
-}
-
-type SessionContext<TData = Record<string, unknown>> = {
-  id: string
-  auth: AuthData
-  user: AuthorizedUser
-  data: TData
-  issuedAt: number
-  expiresAt: number
-}
-
-type NuxtAuthOptions = {
-  /**
-   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
-   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
-   * @since 1.0.0
-   */
-  session: (
-    session: Omit<SessionContext, 'auth'>,
-    auth: SessionContext['auth']
-  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
-
-  /**
-   * Maps the OpenID Connect user info response to your local user schema.
-   *
-   * @param user - The raw user info response from the OpenID provider.
-   * @param opts - The token response containing access and ID tokens.
-   * @returns A normalized user object.
-   * @since 1.0.0
-   */
-  userInfo: (
-    user: AuthorizedUser,
-    opts: {
-      openidUser?: OidcUserInfo
-      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
-    }
-  ) => Awaitable<AuthorizedUser>
-}
-
-type NuxtSessionContext<TData = Record<string, unknown>> = {
-  readonly id: string
-  readonly isAuthenticated: boolean
-  readonly user: AuthorizedUser
-  readonly data: TData
-}
-
-type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
-  user: AuthorizedUser
-  data: TData
-}>
-
-/**
- * ⚙️ OpenID Connect configuration options.
- *
- * Defines parameters used for client registration, discovery,
- * and token exchange with the OpenID Provider.
- *
- * @since 1.0.0
- */
-type OpenIdOptions = {
-  /** Client ID registered with the OpenID Provider. */
-  clientId: string
-
-  /** Client secret for token exchange (if applicable). */
-  clientSecret: string
-
-  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
-  usePkce: boolean
-
-  /** Code challenge method, e.g. `S256`. */
-  codeChallengeMethod: string
-
-  /** Scopes requested from the OpenID Provider. */
-  scopes: string[]
-
-  /** Redirect URI used after authorization. */
-  redirectUri: string
-
-  /** The `.well-known/openid-configuration` discovery URL. */
-  wellKnownUrl: string
-
-  /** Whether to automatically fetch user info after login. */
-  autoFetchUser: boolean
-
-  /**
-   * TTL in seconds for caching autoFetchUser results per session.
-   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
-   * Only applies when autoFetchUser is true.
-   * @default 300
-   * @since 1.0.0
-   */
-  autoFetchUserTtl: number
-
-  /** Whether to fetch user info immediately after token grant. */
-  fetchUserOnLogin: boolean
-
-  /**
-   * Window in milliseconds before token expiry at which a refresh is triggered.
-   * Tokens with expiresAt more than this many milliseconds in the future are
-   * considered fresh and the refresh path is skipped entirely.
-   * @default 60000
-   * @since 1.0.0
-   */
-  tokenRefreshBufferMs: number
-
-  /**
-   * When `true`, the token refresh mutex uses an atomic Redis NX write
-   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
-   * true distributed exclusion across multiple server instances. When `false`
-   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
-   *
-   * @remarks Only effective when the Nitro `cache` storage mount is backed by
-   * a Redis driver. Setting `true` with a non-Redis backend falls through to
-   * the optimistic path silently.
-   *
-   * @default false
-   * @since 1.0.0
-   */
-  distributedLock?: boolean
-
-  /** Cache configuration for storing OpenID metadata. */
-  cache: {
-    /** Cache key prefix for the metadata store. */
-    prefix: string
-    /** Expiry time in seconds for cached metadata. */
-    expires: number
-  }
-}
-
-/**
- * 🍪 Session management configuration.
- *
- * Defines session storage, expiration, and cookie behavior
- * for authentication session tracking.
- *
- * @since 1.0.0
- */
-type SessionsOptions = {
-  /** Cookie name mappings used by the session handler. */
-  names: {
-    /** PKCE verifier cookie name. */
-    pkce: string
-    /** State cookie name. */
-    state: string
-    /** Session ID cookie name. */
-    sessionId: string
-    /** Redirect URL cookie name. */
-    redirectUrl: string
-  }
-
-  storage: {
-    name: string
-
-    /** Key prefix for session data in the storage backend. */
-    prefix: string
-  }
-
-  /** Session lifetime in seconds. */
-  expiresIn: number
-
-  /** Options for how session cookies are serialized. */
-  cookieOpts: CookieSerializeOptions
-
-  /**
-   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
-   * for tokenSet encryption. When empty, signing and encryption are skipped.
-   * @since 1.0.0
-   */
-  secret?: string
-}
-
-/**
- * 🔐 Authentication behavior configuration.
- *
- * Defines default redirect paths and URIs used for login/logout flow.
- *
- * @since 1.0.0
- */
-type AuthOptions = {
-  /** Path to the login page. */
-  loginUri: string
-
-  /** Default redirect URI after successful login. */
-  defaultLoginRedirectUri: string
-
-  /** Default redirect URI after logout. */
-  defaultLogoutRedirectUri: string
-
-  /** Default anonymous user object. */
-  anonymousUser: AuthorizedUser
-
-  ignoreRegexPatterns: RegExp[]
-
-  ignoreRegexPatternsDev: RegExp[]
-}
-
-/**
- * 🧩 Main configuration interface for the Nuxt AuthTS module.
- *
- * Combines OpenID Connect, session, and general authentication options.
- *
- * @since 1.0.0
- */
-type AuthtsModuleOptions = {
-  /** Enable or disable the module */
-  enabled: boolean
-  openid: OpenIdOptions
-  sessions: SessionsOptions
-  auth: AuthOptions
-}
-
-interface AuthtsMiddlewareMeta {
-  /** Require authentication to access */
-  required?: boolean
-
-  /** Only accessible if unauthenticated (login/register pages) */
-  unauthenticatedOnly?: boolean
-
-  /** Restrict access to these roles */
-  roles?: string[]
+interface AuthorizedUser {
+  id: string
+  sub: string
+  email: string
+  firstName: string
+  lastName: string
+  locale: string
+  language: string
+  timezone: string
+}
+
+type AuthStatus = 'unauthenticated' | 'authenticated'
+
+type AuthData = {
+  status: AuthStatus
+  tokenSet?: {
+    accessToken: string
+    tokenType: string
+    expiresAt: number
+    idToken: string
+    refreshToken: string
+    scopes: string[]
+  }
+}
+
+type SessionContext<TData = Record<string, unknown>> = {
+  id: string
+  auth: AuthData
+  user: AuthorizedUser
+  data: TData
+  issuedAt: number
+  expiresAt: number
+}
+
+type NuxtAuthOptions = {
+  /**
+   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
+   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
+   * @since 1.0.0
+   */
+  session: (
+    session: Omit<SessionContext, 'auth'>,
+    auth: SessionContext['auth']
+  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
+
+  /**
+   * Maps the OpenID Connect user info response to your local user schema.
+   *
+   * @param user - The raw user info response from the OpenID provider.
+   * @param opts - The token response containing access and ID tokens.
+   * @returns A normalized user object.
+   * @since 1.0.0
+   */
+  userInfo: (
+    user: AuthorizedUser,
+    opts: {
+      openidUser?: OidcUserInfo
+      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
+    }
+  ) => Awaitable<AuthorizedUser>
+}
+
+type NuxtSessionContext<TData = Record<string, unknown>> = {
+  readonly id: string
+  readonly isAuthenticated: boolean
+  readonly user: AuthorizedUser
+  readonly data: TData
+}
+
+type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
+  user: AuthorizedUser
+  data: TData
+}>
+
+/**
+ * OpenID Connect configuration options.
+ *
+ * Defines parameters used for client registration, discovery,
+ * and token exchange with the OpenID Provider.
+ *
+ * @since 1.0.0
+ */
+type OpenIdOptions = {
+  /** Client ID registered with the OpenID Provider. */
+  clientId: string
+
+  /** Client secret for token exchange (if applicable). */
+  clientSecret: string
+
+  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
+  usePkce: boolean
+
+  /** Code challenge method, e.g. `S256`. */
+  codeChallengeMethod: string
+
+  /** Scopes requested from the OpenID Provider. */
+  scopes: string[]
+
+  /** Redirect URI used after authorization. */
+  redirectUri: string
+
+  /** The `.well-known/openid-configuration` discovery URL. */
+  wellKnownUrl: string
+
+  /** Whether to automatically fetch user info after login. */
+  autoFetchUser: boolean
+
+  /**
+   * TTL in seconds for caching autoFetchUser results per session.
+   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
+   * Only applies when autoFetchUser is true.
+   * @default 300
+   * @since 1.0.0
+   */
+  autoFetchUserTtl: number
+
+  /** Whether to fetch user info immediately after token grant. */
+  fetchUserOnLogin: boolean
+
+  /**
+   * Window in milliseconds before token expiry at which a refresh is triggered.
+   * Tokens with expiresAt more than this many milliseconds in the future are
+   * considered fresh and the refresh path is skipped entirely.
+   * @default 60000
+   * @since 1.0.0
+   */
+  tokenRefreshBufferMs: number
+
+  /**
+   * When `true`, the token refresh mutex uses an atomic Redis NX write
+   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
+   * true distributed exclusion across multiple server instances. When `false`
+   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
+   *
+   * @remarks Only effective when the Nitro `cache` storage mount is backed by
+   * a Redis driver. Setting `true` with a non-Redis backend falls through to
+   * the optimistic path silently.
+   *
+   * @default false
+   * @since 1.0.0
+   */
+  distributedLock?: boolean
+
+  /** Cache configuration for storing OpenID metadata. */
+  cache: {
+    /** Cache key prefix for the metadata store. */
+    prefix: string
+    /** Expiry time in seconds for cached metadata. */
+    expires: number
+  }
+}
+
+/**
+ * Session management configuration.
+ *
+ * Defines session storage, expiration, and cookie behavior
+ * for authentication session tracking.
+ *
+ * @since 1.0.0
+ */
+type SessionsOptions = {
+  /** Cookie name mappings used by the session handler. */
+  names: {
+    /** PKCE verifier cookie name. */
+    pkce: string
+    /** State cookie name. */
+    state: string
+    /** Session ID cookie name. */
+    sessionId: string
+    /** Redirect URL cookie name. */
+    redirectUrl: string
+  }
+
+  storage: {
+    name: string
+
+    /** Key prefix for session data in the storage backend. */
+    prefix: string
+  }
+
+  /**
+   * Session lifetime in seconds.
+   * Converted to milliseconds internally for Date.now() expiry calculations.
+   * Passed directly as Redis TTL (seconds).
+   * @default 518400 (6 days)
+   * @since 1.0.0
+   */
+  expiresIn: number
+
+  /** Options for how session cookies are serialized. */
+  cookieOpts: CookieSerializeOptions
+
+  /**
+   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
+   * for tokenSet encryption. When empty, signing and encryption are skipped.
+   * @since 1.0.0
+   */
+  secret?: string
+}
+
+/**
+ * Authentication behavior configuration.
+ *
+ * Defines default redirect paths and URIs used for login/logout flow.
+ *
+ * @since 1.0.0
+ */
+type AuthOptions = {
+  /** Path to the login page. */
+  loginUri: string
+
+  /** Default redirect URI after successful login. */
+  defaultLoginRedirectUri: string
+
+  /** Default redirect URI after logout. */
+  defaultLogoutRedirectUri: string
+
+  /** Default anonymous user object. */
+  anonymousUser: AuthorizedUser
+
+  ignoreRegexPatterns: RegExp[]
+
+  ignoreRegexPatternsDev: RegExp[]
+}
+
+/**
+ * Main configuration interface for the Nuxt AuthTS module.
+ *
+ * Combines OpenID Connect, session, and general authentication options.
+ *
+ * @since 1.0.0
+ */
+type AuthtsModuleOptions = {
+  /** Enable or disable the module */
+  enabled: boolean
+  openid: OpenIdOptions
+  sessions: SessionsOptions
+  auth: AuthOptions
+}
+
+interface AuthtsMiddlewareMeta {
+  /** Require authentication to access */
+  required?: boolean
+
+  /** Only accessible if unauthenticated (login/register pages) */
+  unauthenticatedOnly?: boolean
+
+  /** Restrict access to these roles */
+  roles?: string[]
 }
 
 type CoreLogLevel = LogLevel$1

package/dist/module.d.ts

@@ -3,249 +3,255 @@ import { CookieSerializeOptions } from '../dist/runtime/server/adapters/http.js'
 import { OidcUserInfo } from '../dist/runtime/server/adapters/oidc.js';
 import { LogLevel as LogLevel$1, ConsolaOptions, ConsolaInstance } from 'consola';
 
-interface AuthorizedUser {
-  id: string
-  sub: string
-  email: string
-  firstName: string
-  lastName: string
-  locale: string
-  language: string
-  timezone: string
-}
-
-type AuthStatus = 'unauthenticated' | 'authenticated'
-
-type AuthData = {
-  status: AuthStatus
-  tokenSet?: {
-    accessToken: string
-    tokenType: string
-    expiresAt: number
-    idToken: string
-    refreshToken: string
-    scopes: string[]
-  }
-}
-
-type SessionContext<TData = Record<string, unknown>> = {
-  id: string
-  auth: AuthData
-  user: AuthorizedUser
-  data: TData
-  issuedAt: number
-  expiresAt: number
-}
-
-type NuxtAuthOptions = {
-  /**
-   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
-   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
-   * @since 1.0.0
-   */
-  session: (
-    session: Omit<SessionContext, 'auth'>,
-    auth: SessionContext['auth']
-  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
-
-  /**
-   * Maps the OpenID Connect user info response to your local user schema.
-   *
-   * @param user - The raw user info response from the OpenID provider.
-   * @param opts - The token response containing access and ID tokens.
-   * @returns A normalized user object.
-   * @since 1.0.0
-   */
-  userInfo: (
-    user: AuthorizedUser,
-    opts: {
-      openidUser?: OidcUserInfo
-      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
-    }
-  ) => Awaitable<AuthorizedUser>
-}
-
-type NuxtSessionContext<TData = Record<string, unknown>> = {
-  readonly id: string
-  readonly isAuthenticated: boolean
-  readonly user: AuthorizedUser
-  readonly data: TData
-}
-
-type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
-  user: AuthorizedUser
-  data: TData
-}>
-
-/**
- * ⚙️ OpenID Connect configuration options.
- *
- * Defines parameters used for client registration, discovery,
- * and token exchange with the OpenID Provider.
- *
- * @since 1.0.0
- */
-type OpenIdOptions = {
-  /** Client ID registered with the OpenID Provider. */
-  clientId: string
-
-  /** Client secret for token exchange (if applicable). */
-  clientSecret: string
-
-  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
-  usePkce: boolean
-
-  /** Code challenge method, e.g. `S256`. */
-  codeChallengeMethod: string
-
-  /** Scopes requested from the OpenID Provider. */
-  scopes: string[]
-
-  /** Redirect URI used after authorization. */
-  redirectUri: string
-
-  /** The `.well-known/openid-configuration` discovery URL. */
-  wellKnownUrl: string
-
-  /** Whether to automatically fetch user info after login. */
-  autoFetchUser: boolean
-
-  /**
-   * TTL in seconds for caching autoFetchUser results per session.
-   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
-   * Only applies when autoFetchUser is true.
-   * @default 300
-   * @since 1.0.0
-   */
-  autoFetchUserTtl: number
-
-  /** Whether to fetch user info immediately after token grant. */
-  fetchUserOnLogin: boolean
-
-  /**
-   * Window in milliseconds before token expiry at which a refresh is triggered.
-   * Tokens with expiresAt more than this many milliseconds in the future are
-   * considered fresh and the refresh path is skipped entirely.
-   * @default 60000
-   * @since 1.0.0
-   */
-  tokenRefreshBufferMs: number
-
-  /**
-   * When `true`, the token refresh mutex uses an atomic Redis NX write
-   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
-   * true distributed exclusion across multiple server instances. When `false`
-   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
-   *
-   * @remarks Only effective when the Nitro `cache` storage mount is backed by
-   * a Redis driver. Setting `true` with a non-Redis backend falls through to
-   * the optimistic path silently.
-   *
-   * @default false
-   * @since 1.0.0
-   */
-  distributedLock?: boolean
-
-  /** Cache configuration for storing OpenID metadata. */
-  cache: {
-    /** Cache key prefix for the metadata store. */
-    prefix: string
-    /** Expiry time in seconds for cached metadata. */
-    expires: number
-  }
-}
-
-/**
- * 🍪 Session management configuration.
- *
- * Defines session storage, expiration, and cookie behavior
- * for authentication session tracking.
- *
- * @since 1.0.0
- */
-type SessionsOptions = {
-  /** Cookie name mappings used by the session handler. */
-  names: {
-    /** PKCE verifier cookie name. */
-    pkce: string
-    /** State cookie name. */
-    state: string
-    /** Session ID cookie name. */
-    sessionId: string
-    /** Redirect URL cookie name. */
-    redirectUrl: string
-  }
-
-  storage: {
-    name: string
-
-    /** Key prefix for session data in the storage backend. */
-    prefix: string
-  }
-
-  /** Session lifetime in seconds. */
-  expiresIn: number
-
-  /** Options for how session cookies are serialized. */
-  cookieOpts: CookieSerializeOptions
-
-  /**
-   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
-   * for tokenSet encryption. When empty, signing and encryption are skipped.
-   * @since 1.0.0
-   */
-  secret?: string
-}
-
-/**
- * 🔐 Authentication behavior configuration.
- *
- * Defines default redirect paths and URIs used for login/logout flow.
- *
- * @since 1.0.0
- */
-type AuthOptions = {
-  /** Path to the login page. */
-  loginUri: string
-
-  /** Default redirect URI after successful login. */
-  defaultLoginRedirectUri: string
-
-  /** Default redirect URI after logout. */
-  defaultLogoutRedirectUri: string
-
-  /** Default anonymous user object. */
-  anonymousUser: AuthorizedUser
-
-  ignoreRegexPatterns: RegExp[]
-
-  ignoreRegexPatternsDev: RegExp[]
-}
-
-/**
- * 🧩 Main configuration interface for the Nuxt AuthTS module.
- *
- * Combines OpenID Connect, session, and general authentication options.
- *
- * @since 1.0.0
- */
-type AuthtsModuleOptions = {
-  /** Enable or disable the module */
-  enabled: boolean
-  openid: OpenIdOptions
-  sessions: SessionsOptions
-  auth: AuthOptions
-}
-
-interface AuthtsMiddlewareMeta {
-  /** Require authentication to access */
-  required?: boolean
-
-  /** Only accessible if unauthenticated (login/register pages) */
-  unauthenticatedOnly?: boolean
-
-  /** Restrict access to these roles */
-  roles?: string[]
+interface AuthorizedUser {
+  id: string
+  sub: string
+  email: string
+  firstName: string
+  lastName: string
+  locale: string
+  language: string
+  timezone: string
+}
+
+type AuthStatus = 'unauthenticated' | 'authenticated'
+
+type AuthData = {
+  status: AuthStatus
+  tokenSet?: {
+    accessToken: string
+    tokenType: string
+    expiresAt: number
+    idToken: string
+    refreshToken: string
+    scopes: string[]
+  }
+}
+
+type SessionContext<TData = Record<string, unknown>> = {
+  id: string
+  auth: AuthData
+  user: AuthorizedUser
+  data: TData
+  issuedAt: number
+  expiresAt: number
+}
+
+type NuxtAuthOptions = {
+  /**
+   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
+   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
+   * @since 1.0.0
+   */
+  session: (
+    session: Omit<SessionContext, 'auth'>,
+    auth: SessionContext['auth']
+  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
+
+  /**
+   * Maps the OpenID Connect user info response to your local user schema.
+   *
+   * @param user - The raw user info response from the OpenID provider.
+   * @param opts - The token response containing access and ID tokens.
+   * @returns A normalized user object.
+   * @since 1.0.0
+   */
+  userInfo: (
+    user: AuthorizedUser,
+    opts: {
+      openidUser?: OidcUserInfo
+      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
+    }
+  ) => Awaitable<AuthorizedUser>
+}
+
+type NuxtSessionContext<TData = Record<string, unknown>> = {
+  readonly id: string
+  readonly isAuthenticated: boolean
+  readonly user: AuthorizedUser
+  readonly data: TData
+}
+
+type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
+  user: AuthorizedUser
+  data: TData
+}>
+
+/**
+ * OpenID Connect configuration options.
+ *
+ * Defines parameters used for client registration, discovery,
+ * and token exchange with the OpenID Provider.
+ *
+ * @since 1.0.0
+ */
+type OpenIdOptions = {
+  /** Client ID registered with the OpenID Provider. */
+  clientId: string
+
+  /** Client secret for token exchange (if applicable). */
+  clientSecret: string
+
+  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
+  usePkce: boolean
+
+  /** Code challenge method, e.g. `S256`. */
+  codeChallengeMethod: string
+
+  /** Scopes requested from the OpenID Provider. */
+  scopes: string[]
+
+  /** Redirect URI used after authorization. */
+  redirectUri: string
+
+  /** The `.well-known/openid-configuration` discovery URL. */
+  wellKnownUrl: string
+
+  /** Whether to automatically fetch user info after login. */
+  autoFetchUser: boolean
+
+  /**
+   * TTL in seconds for caching autoFetchUser results per session.
+   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
+   * Only applies when autoFetchUser is true.
+   * @default 300
+   * @since 1.0.0
+   */
+  autoFetchUserTtl: number
+
+  /** Whether to fetch user info immediately after token grant. */
+  fetchUserOnLogin: boolean
+
+  /**
+   * Window in milliseconds before token expiry at which a refresh is triggered.
+   * Tokens with expiresAt more than this many milliseconds in the future are
+   * considered fresh and the refresh path is skipped entirely.
+   * @default 60000
+   * @since 1.0.0
+   */
+  tokenRefreshBufferMs: number
+
+  /**
+   * When `true`, the token refresh mutex uses an atomic Redis NX write
+   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
+   * true distributed exclusion across multiple server instances. When `false`
+   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
+   *
+   * @remarks Only effective when the Nitro `cache` storage mount is backed by
+   * a Redis driver. Setting `true` with a non-Redis backend falls through to
+   * the optimistic path silently.
+   *
+   * @default false
+   * @since 1.0.0
+   */
+  distributedLock?: boolean
+
+  /** Cache configuration for storing OpenID metadata. */
+  cache: {
+    /** Cache key prefix for the metadata store. */
+    prefix: string
+    /** Expiry time in seconds for cached metadata. */
+    expires: number
+  }
+}
+
+/**
+ * Session management configuration.
+ *
+ * Defines session storage, expiration, and cookie behavior
+ * for authentication session tracking.
+ *
+ * @since 1.0.0
+ */
+type SessionsOptions = {
+  /** Cookie name mappings used by the session handler. */
+  names: {
+    /** PKCE verifier cookie name. */
+    pkce: string
+    /** State cookie name. */
+    state: string
+    /** Session ID cookie name. */
+    sessionId: string
+    /** Redirect URL cookie name. */
+    redirectUrl: string
+  }
+
+  storage: {
+    name: string
+
+    /** Key prefix for session data in the storage backend. */
+    prefix: string
+  }
+
+  /**
+   * Session lifetime in seconds.
+   * Converted to milliseconds internally for Date.now() expiry calculations.
+   * Passed directly as Redis TTL (seconds).
+   * @default 518400 (6 days)
+   * @since 1.0.0
+   */
+  expiresIn: number
+
+  /** Options for how session cookies are serialized. */
+  cookieOpts: CookieSerializeOptions
+
+  /**
+   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
+   * for tokenSet encryption. When empty, signing and encryption are skipped.
+   * @since 1.0.0
+   */
+  secret?: string
+}
+
+/**
+ * Authentication behavior configuration.
+ *
+ * Defines default redirect paths and URIs used for login/logout flow.
+ *
+ * @since 1.0.0
+ */
+type AuthOptions = {
+  /** Path to the login page. */
+  loginUri: string
+
+  /** Default redirect URI after successful login. */
+  defaultLoginRedirectUri: string
+
+  /** Default redirect URI after logout. */
+  defaultLogoutRedirectUri: string
+
+  /** Default anonymous user object. */
+  anonymousUser: AuthorizedUser
+
+  ignoreRegexPatterns: RegExp[]
+
+  ignoreRegexPatternsDev: RegExp[]
+}
+
+/**
+ * Main configuration interface for the Nuxt AuthTS module.
+ *
+ * Combines OpenID Connect, session, and general authentication options.
+ *
+ * @since 1.0.0
+ */
+type AuthtsModuleOptions = {
+  /** Enable or disable the module */
+  enabled: boolean
+  openid: OpenIdOptions
+  sessions: SessionsOptions
+  auth: AuthOptions
+}
+
+interface AuthtsMiddlewareMeta {
+  /** Require authentication to access */
+  required?: boolean
+
+  /** Only accessible if unauthenticated (login/register pages) */
+  unauthenticatedOnly?: boolean
+
+  /** Restrict access to these roles */
+  roles?: string[]
 }
 
 type CoreLogLevel = LogLevel$1

package/dist/module.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-core",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "configKey": "nuxtCore",
   "compatibility": {
     "nuxt": "^4.0.0"

package/dist/module.mjs

@@ -2,7 +2,7 @@ import { addCustomTab } from '@nuxt/devtools-kit';
 import { defineNuxtModule, useLogger, createResolver, addTemplate, addServerImports, addServerImportsDir, addServerPlugin, addImportsDir, addPlugin, addRouteMiddleware, addServerHandler } from '@nuxt/kit';
 import { deepMerge, pick } from '../dist/runtime/utils.js';
 
-const version = "1.3.0";
+const version = "1.4.1";
 
 const defaultLocale = "vi-VN";
 const defaultLanguage = "vi";
@@ -50,7 +50,7 @@ const authtsDefaults = {
     },
     storage: { name: "sessions", prefix: "session" },
     expiresIn: 60 * 60 * 24 * 6,
-    // 6 days
+    // 6 days in seconds
     cookieOpts: {
       path: "/",
       sameSite: "lax",

package/dist/runtime/server/core/helpers.d.ts

@@ -1,4 +1,5 @@
 import type { SessionContext } from '@devcoffee/nuxt-core';
+import type { CookieSerializeOptions, H3Event } from '#devcoffee-core/server/adapters/http';
 import type { ClientMetadata, ServerMetadata, TokenEndpointResponse } from '#devcoffee-core/server/adapters/oidc';
 /** Options used for session creation and validation. */
 type SessionCreateOptions = {
@@ -19,6 +20,28 @@ type SessionCreateOptions = {
  * @since 1.0.0
  */
 export declare function isSameOrigin(redirectUrl: string, requestUrl: URL): boolean;
+/**
+ * Write the session cookie to the response.
+ *
+ * Shared by the `beforeResponse` Nitro hook (buffered responses) and the
+ * `proxyRequest` `onResponse` callback (streaming proxy responses). Calling
+ * it in both places ensures the cookie is always refreshed regardless of
+ * whether `headersSent` is true by the time `beforeResponse` fires.
+ *
+ * @param event - The H3 event for the current request.
+ * @param session - The resolved session context to encode into the cookie.
+ * @param sessionsConfig - Session cookie options from `nuxtCore.authts.sessions`.
+ * @since 1.3.3
+ */
+export declare function writeSessionCookie(event: H3Event, session: SessionContext, sessionsConfig: {
+    cookieOpts: Omit<CookieSerializeOptions, 'sameSite'> & {
+        sameSite?: string | boolean;
+    };
+    secret?: string;
+    names: {
+        sessionId: string;
+    };
+}): void;
 /**
  * Retrieve an existing session from storage.
  *
@@ -48,7 +71,7 @@ export declare function validateSession(sessionCookieId: string | undefined, opt
  *
  * @param sessionId - The session ID.
  * @param input - Partial update fields for the session (excluding ID, issuedAt, expiresAt).
- * @param opts - Expiration configuration (in milliseconds).
+ * @param opts - Expiration configuration (expiresIn in seconds).
  * @returns The updated {@link SessionContext}.
  * @throws {Error} If session cannot be found in storage.
  * @since 1.0.0

package/dist/runtime/server/core/helpers.js

@@ -1,4 +1,4 @@
-import { createError } from "#devcoffee-core/server/adapters/http";
+import { createError, setCookie } from "#devcoffee-core/server/adapters/http";
 import {
   allowInsecureRequests,
   authorizationCodeGrant as authorizationCodeGrantOidc,
@@ -22,7 +22,14 @@ import { deepMerge, omit } from "#devcoffee-core/server/adapters/utils";
 import useServerLogger from "#devcoffee-core/server/composables/useServerLogger";
 import { useRuntimeConfig } from "#imports";
 import { useStorage } from "nitropack/runtime";
-import { decryptTokenSet, encryptTokenSet, generateSessionId, isValidSessionId, verifySessionId } from "./crypto.js";
+import {
+  decryptTokenSet,
+  encryptTokenSet,
+  generateSessionId,
+  isValidSessionId,
+  signSessionId,
+  verifySessionId
+} from "./crypto.js";
 import { tryAcquireLock } from "./mutex.js";
 function getAnonymousUser(extras) {
   const anonymous = useRuntimeConfig().nuxtCore.authts.auth.anonymousUser;
@@ -56,6 +63,18 @@ export function isSameOrigin(redirectUrl, requestUrl) {
     return false;
   }
 }
+export function writeSessionCookie(event, session, sessionsConfig) {
+  const {
+    cookieOpts,
+    secret = "",
+    names: { sessionId: cookieName }
+  } = sessionsConfig;
+  const cookieValue = secret ? signSessionId(session.id, secret) : session.id;
+  setCookie(event, cookieName, cookieValue, {
+    ...cookieOpts,
+    expires: new Date(session.expiresAt)
+  });
+}
 export async function getSession(sessionId, opts) {
   const sessingKey = getSessionStorageKey(opts.storagePrefix, sessionId);
   if (!await hasSessionData(opts.storageName, sessingKey)) return null;
@@ -87,7 +106,7 @@ function newSession(sessionId, expiresAt) {
 }
 export async function validateSession(sessionCookieId, opts) {
   const now = Date.now();
-  const expiresAt = now + opts.expiresIn;
+  const expiresAt = now + opts.expiresIn * 1e3;
   let sessionId = void 0;
   let sessionKey = void 0;
   let deleteSessionKey = void 0;
@@ -114,7 +133,7 @@ export async function validateSession(sessionCookieId, opts) {
   if (deleteSessionKey && deleteSessionKey !== sessionKey) {
     await removeSessionData(opts.storageName, deleteSessionKey);
   }
-  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn / 1e3 | 0);
+  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn);
   if (session.auth?.tokenSet && session.auth.tokenSet.encrypted === true) {
     if (opts.secret) {
       const decrypted = decryptTokenSet(session.auth.tokenSet, opts.secret);
@@ -141,7 +160,7 @@ export async function updateSession(sessionId, input, opts) {
     });
   }
   session = deepMerge({}, session, normalizedInput);
-  session.expiresAt = now + opts.expiresIn;
+  session.expiresAt = now + opts.expiresIn * 1e3;
   const sessionToStore = { ...session };
   if (opts.secret && sessionToStore.auth?.tokenSet) {
     sessionToStore.auth = {
@@ -152,7 +171,7 @@ export async function updateSession(sessionId, input, opts) {
       )
     };
   }
-  await setSessionData(opts.storageName, serverKey, sessionToStore, opts.expiresIn / 1e3 | 0);
+  await setSessionData(opts.storageName, serverKey, sessionToStore, opts.expiresIn);
   return session;
 }
 export async function renewSession(sessionId, opts) {
@@ -160,9 +179,9 @@ export async function renewSession(sessionId, opts) {
   if (await hasSessionData(opts.storageName, sessionKey)) {
     await removeSessionData(opts.storageName, sessionKey);
   }
-  const session = newSession(generateSessionId(), Date.now() + opts.expiresIn);
+  const session = newSession(generateSessionId(), Date.now() + opts.expiresIn * 1e3);
   sessionKey = getSessionStorageKey(opts.storagePrefix, session.id);
-  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn / 1e3 | 0);
+  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn);
   return session;
 }
 export async function deleteSession(sessionId, opts) {

package/dist/runtime/server/core/nuxtForwardHandler.js

@@ -7,7 +7,7 @@ import {
 } from "#devcoffee-core/server/adapters/http";
 import { deepMerge } from "#devcoffee-core/server/adapters/utils";
 import useServerLogger from "#devcoffee-core/server/composables/useServerLogger";
-import { getOpenIdConfiguration } from "./helpers.js";
+import { getOpenIdConfiguration, writeSessionCookie } from "./helpers.js";
 const defaultOpts = {
   logLevel: 2,
   proxyPrefix: ""
@@ -51,6 +51,15 @@ export default function NuxtForwardRequestHandler(opts) {
     };
     logger.info(`from '${event.path}' to '${defaultForwardInit.forwardUrl}' - auth stt='${session?.auth?.status}'`);
     const { forwardUrl, ...proxyOption } = await onBeforeRequest?.(defaultForwardInit, params) || defaultForwardInit;
-    return await proxyRequest(event, forwardUrl, proxyOption);
+    const { sessions } = useRuntimeConfig(event).nuxtCore.authts;
+    await proxyRequest(event, forwardUrl, {
+      ...proxyOption,
+      onResponse(proxyEvent, _upstreamResponse) {
+        const session2 = proxyEvent.context.session;
+        if (session2) {
+          writeSessionCookie(proxyEvent, session2, sessions);
+        }
+      }
+    });
   });
 }

package/dist/runtime/server/plugins/authts.js

@@ -1,7 +1,11 @@
-import { defineNitroPlugin, getCookie, setCookie, useRuntimeConfig } from "#devcoffee-core/server/adapters/http";
+import { defineNitroPlugin, getCookie, useRuntimeConfig } from "#devcoffee-core/server/adapters/http";
 import useServerLogger from "#devcoffee-core/server/composables/useServerLogger";
-import { signSessionId } from "#devcoffee-core/server/core/crypto";
-import { refreshTokenIfNeeded, updateSession, validateSession } from "#devcoffee-core/server/core/helpers";
+import {
+  refreshTokenIfNeeded,
+  updateSession,
+  validateSession,
+  writeSessionCookie
+} from "#devcoffee-core/server/core/helpers";
 import { useNitroApp, useStorage } from "nitropack/runtime";
 export default defineNitroPlugin((nitroApp) => {
   nitroApp.hooks.hook("request", async (event) => {
@@ -65,18 +69,10 @@ export default defineNitroPlugin((nitroApp) => {
     event.context.session = session;
   });
   nitroApp.hooks.hook("beforeResponse", async (event) => {
-    const {
-      cookieOpts,
-      secret = "",
-      names: { sessionId: cookieName }
-    } = useRuntimeConfig(event).nuxtCore.authts.sessions;
+    if (event.node.res.headersSent) return;
     const session = event.context.session;
     if (session) {
-      const cookieValue = secret ? signSessionId(session.id, secret) : session.id;
-      setCookie(event, cookieName, cookieValue, {
-        ...cookieOpts,
-        expires: new Date(session.expiresAt)
-      });
+      writeSessionCookie(event, session, useRuntimeConfig(event).nuxtCore.authts.sessions);
     }
   });
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devcoffee/nuxt-core",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "publishConfig": {
     "access": "public"
   },
@@ -53,7 +53,7 @@
     "cleanup": "nuxi cleanup && nuxi cleanup playground",
     "dev:build": "nuxi build playground",
     "prepack": "nuxt-module-build build",
-    "release": "npm run lint && npm run test:all && npm run prepack && changelogen --release && npm publish && git push --follow-tags",
+    "release": "npm run lint && npm run test:all && npm run prepack && npm publish && git push --follow-tags",
     "lint": "eslint",
     "lint:fix": "eslint --fix",
     "test": "cross-env NODE_OPTIONS=--no-deprecation vitest run test/unit",