@devcoffee/nuxt-core 1.4.0 → 1.4.1

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## v1.4.1
+
+[compare changes](https://github.com/coolkg1412/devcoffee-nuxt-core/compare/v1.4.0...v1.4.1)
+
+### 🩹 Fixes
+
+- Normalize expiresIn to seconds across all session consumers ([2c197ab](https://github.com/coolkg1412/devcoffee-nuxt-core/commit/2c197ab))
+
+### ❤️ Contributors
+
+- Hieu Nguyen <hieu.nguyen@devcoffee.tech>
+
 ## v1.4.0
 
 [compare changes](https://github.com/coolkg1412/devcoffee-nuxt-core/compare/v1.3.0...v1.4.0)

package/dist/module.d.mts

@@ -3,249 +3,255 @@ import { CookieSerializeOptions } from '../dist/runtime/server/adapters/http.js'
 import { OidcUserInfo } from '../dist/runtime/server/adapters/oidc.js';
 import { LogLevel as LogLevel$1, ConsolaOptions, ConsolaInstance } from 'consola';
 
-interface AuthorizedUser {
-  id: string
-  sub: string
-  email: string
-  firstName: string
-  lastName: string
-  locale: string
-  language: string
-  timezone: string
-}
-
-type AuthStatus = 'unauthenticated' | 'authenticated'
-
-type AuthData = {
-  status: AuthStatus
-  tokenSet?: {
-    accessToken: string
-    tokenType: string
-    expiresAt: number
-    idToken: string
-    refreshToken: string
-    scopes: string[]
-  }
-}
-
-type SessionContext<TData = Record<string, unknown>> = {
-  id: string
-  auth: AuthData
-  user: AuthorizedUser
-  data: TData
-  issuedAt: number
-  expiresAt: number
-}
-
-type NuxtAuthOptions = {
-  /**
-   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
-   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
-   * @since 1.0.0
-   */
-  session: (
-    session: Omit<SessionContext, 'auth'>,
-    auth: SessionContext['auth']
-  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
-
-  /**
-   * Maps the OpenID Connect user info response to your local user schema.
-   *
-   * @param user - The raw user info response from the OpenID provider.
-   * @param opts - The token response containing access and ID tokens.
-   * @returns A normalized user object.
-   * @since 1.0.0
-   */
-  userInfo: (
-    user: AuthorizedUser,
-    opts: {
-      openidUser?: OidcUserInfo
-      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
-    }
-  ) => Awaitable<AuthorizedUser>
-}
-
-type NuxtSessionContext<TData = Record<string, unknown>> = {
-  readonly id: string
-  readonly isAuthenticated: boolean
-  readonly user: AuthorizedUser
-  readonly data: TData
-}
-
-type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
-  user: AuthorizedUser
-  data: TData
-}>
-
-/**
- * ⚙️ OpenID Connect configuration options.
- *
- * Defines parameters used for client registration, discovery,
- * and token exchange with the OpenID Provider.
- *
- * @since 1.0.0
- */
-type OpenIdOptions = {
-  /** Client ID registered with the OpenID Provider. */
-  clientId: string
-
-  /** Client secret for token exchange (if applicable). */
-  clientSecret: string
-
-  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
-  usePkce: boolean
-
-  /** Code challenge method, e.g. `S256`. */
-  codeChallengeMethod: string
-
-  /** Scopes requested from the OpenID Provider. */
-  scopes: string[]
-
-  /** Redirect URI used after authorization. */
-  redirectUri: string
-
-  /** The `.well-known/openid-configuration` discovery URL. */
-  wellKnownUrl: string
-
-  /** Whether to automatically fetch user info after login. */
-  autoFetchUser: boolean
-
-  /**
-   * TTL in seconds for caching autoFetchUser results per session.
-   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
-   * Only applies when autoFetchUser is true.
-   * @default 300
-   * @since 1.0.0
-   */
-  autoFetchUserTtl: number
-
-  /** Whether to fetch user info immediately after token grant. */
-  fetchUserOnLogin: boolean
-
-  /**
-   * Window in milliseconds before token expiry at which a refresh is triggered.
-   * Tokens with expiresAt more than this many milliseconds in the future are
-   * considered fresh and the refresh path is skipped entirely.
-   * @default 60000
-   * @since 1.0.0
-   */
-  tokenRefreshBufferMs: number
-
-  /**
-   * When `true`, the token refresh mutex uses an atomic Redis NX write
-   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
-   * true distributed exclusion across multiple server instances. When `false`
-   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
-   *
-   * @remarks Only effective when the Nitro `cache` storage mount is backed by
-   * a Redis driver. Setting `true` with a non-Redis backend falls through to
-   * the optimistic path silently.
-   *
-   * @default false
-   * @since 1.0.0
-   */
-  distributedLock?: boolean
-
-  /** Cache configuration for storing OpenID metadata. */
-  cache: {
-    /** Cache key prefix for the metadata store. */
-    prefix: string
-    /** Expiry time in seconds for cached metadata. */
-    expires: number
-  }
-}
-
-/**
- * 🍪 Session management configuration.
- *
- * Defines session storage, expiration, and cookie behavior
- * for authentication session tracking.
- *
- * @since 1.0.0
- */
-type SessionsOptions = {
-  /** Cookie name mappings used by the session handler. */
-  names: {
-    /** PKCE verifier cookie name. */
-    pkce: string
-    /** State cookie name. */
-    state: string
-    /** Session ID cookie name. */
-    sessionId: string
-    /** Redirect URL cookie name. */
-    redirectUrl: string
-  }
-
-  storage: {
-    name: string
-
-    /** Key prefix for session data in the storage backend. */
-    prefix: string
-  }
-
-  /** Session lifetime in seconds. */
-  expiresIn: number
-
-  /** Options for how session cookies are serialized. */
-  cookieOpts: CookieSerializeOptions
-
-  /**
-   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
-   * for tokenSet encryption. When empty, signing and encryption are skipped.
-   * @since 1.0.0
-   */
-  secret?: string
-}
-
-/**
- * 🔐 Authentication behavior configuration.
- *
- * Defines default redirect paths and URIs used for login/logout flow.
- *
- * @since 1.0.0
- */
-type AuthOptions = {
-  /** Path to the login page. */
-  loginUri: string
-
-  /** Default redirect URI after successful login. */
-  defaultLoginRedirectUri: string
-
-  /** Default redirect URI after logout. */
-  defaultLogoutRedirectUri: string
-
-  /** Default anonymous user object. */
-  anonymousUser: AuthorizedUser
-
-  ignoreRegexPatterns: RegExp[]
-
-  ignoreRegexPatternsDev: RegExp[]
-}
-
-/**
- * 🧩 Main configuration interface for the Nuxt AuthTS module.
- *
- * Combines OpenID Connect, session, and general authentication options.
- *
- * @since 1.0.0
- */
-type AuthtsModuleOptions = {
-  /** Enable or disable the module */
-  enabled: boolean
-  openid: OpenIdOptions
-  sessions: SessionsOptions
-  auth: AuthOptions
-}
-
-interface AuthtsMiddlewareMeta {
-  /** Require authentication to access */
-  required?: boolean
-
-  /** Only accessible if unauthenticated (login/register pages) */
-  unauthenticatedOnly?: boolean
-
-  /** Restrict access to these roles */
-  roles?: string[]
+interface AuthorizedUser {
+  id: string
+  sub: string
+  email: string
+  firstName: string
+  lastName: string
+  locale: string
+  language: string
+  timezone: string
+}
+
+type AuthStatus = 'unauthenticated' | 'authenticated'
+
+type AuthData = {
+  status: AuthStatus
+  tokenSet?: {
+    accessToken: string
+    tokenType: string
+    expiresAt: number
+    idToken: string
+    refreshToken: string
+    scopes: string[]
+  }
+}
+
+type SessionContext<TData = Record<string, unknown>> = {
+  id: string
+  auth: AuthData
+  user: AuthorizedUser
+  data: TData
+  issuedAt: number
+  expiresAt: number
+}
+
+type NuxtAuthOptions = {
+  /**
+   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
+   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
+   * @since 1.0.0
+   */
+  session: (
+    session: Omit<SessionContext, 'auth'>,
+    auth: SessionContext['auth']
+  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
+
+  /**
+   * Maps the OpenID Connect user info response to your local user schema.
+   *
+   * @param user - The raw user info response from the OpenID provider.
+   * @param opts - The token response containing access and ID tokens.
+   * @returns A normalized user object.
+   * @since 1.0.0
+   */
+  userInfo: (
+    user: AuthorizedUser,
+    opts: {
+      openidUser?: OidcUserInfo
+      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
+    }
+  ) => Awaitable<AuthorizedUser>
+}
+
+type NuxtSessionContext<TData = Record<string, unknown>> = {
+  readonly id: string
+  readonly isAuthenticated: boolean
+  readonly user: AuthorizedUser
+  readonly data: TData
+}
+
+type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
+  user: AuthorizedUser
+  data: TData
+}>
+
+/**
+ * OpenID Connect configuration options.
+ *
+ * Defines parameters used for client registration, discovery,
+ * and token exchange with the OpenID Provider.
+ *
+ * @since 1.0.0
+ */
+type OpenIdOptions = {
+  /** Client ID registered with the OpenID Provider. */
+  clientId: string
+
+  /** Client secret for token exchange (if applicable). */
+  clientSecret: string
+
+  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
+  usePkce: boolean
+
+  /** Code challenge method, e.g. `S256`. */
+  codeChallengeMethod: string
+
+  /** Scopes requested from the OpenID Provider. */
+  scopes: string[]
+
+  /** Redirect URI used after authorization. */
+  redirectUri: string
+
+  /** The `.well-known/openid-configuration` discovery URL. */
+  wellKnownUrl: string
+
+  /** Whether to automatically fetch user info after login. */
+  autoFetchUser: boolean
+
+  /**
+   * TTL in seconds for caching autoFetchUser results per session.
+   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
+   * Only applies when autoFetchUser is true.
+   * @default 300
+   * @since 1.0.0
+   */
+  autoFetchUserTtl: number
+
+  /** Whether to fetch user info immediately after token grant. */
+  fetchUserOnLogin: boolean
+
+  /**
+   * Window in milliseconds before token expiry at which a refresh is triggered.
+   * Tokens with expiresAt more than this many milliseconds in the future are
+   * considered fresh and the refresh path is skipped entirely.
+   * @default 60000
+   * @since 1.0.0
+   */
+  tokenRefreshBufferMs: number
+
+  /**
+   * When `true`, the token refresh mutex uses an atomic Redis NX write
+   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
+   * true distributed exclusion across multiple server instances. When `false`
+   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
+   *
+   * @remarks Only effective when the Nitro `cache` storage mount is backed by
+   * a Redis driver. Setting `true` with a non-Redis backend falls through to
+   * the optimistic path silently.
+   *
+   * @default false
+   * @since 1.0.0
+   */
+  distributedLock?: boolean
+
+  /** Cache configuration for storing OpenID metadata. */
+  cache: {
+    /** Cache key prefix for the metadata store. */
+    prefix: string
+    /** Expiry time in seconds for cached metadata. */
+    expires: number
+  }
+}
+
+/**
+ * Session management configuration.
+ *
+ * Defines session storage, expiration, and cookie behavior
+ * for authentication session tracking.
+ *
+ * @since 1.0.0
+ */
+type SessionsOptions = {
+  /** Cookie name mappings used by the session handler. */
+  names: {
+    /** PKCE verifier cookie name. */
+    pkce: string
+    /** State cookie name. */
+    state: string
+    /** Session ID cookie name. */
+    sessionId: string
+    /** Redirect URL cookie name. */
+    redirectUrl: string
+  }
+
+  storage: {
+    name: string
+
+    /** Key prefix for session data in the storage backend. */
+    prefix: string
+  }
+
+  /**
+   * Session lifetime in seconds.
+   * Converted to milliseconds internally for Date.now() expiry calculations.
+   * Passed directly as Redis TTL (seconds).
+   * @default 518400 (6 days)
+   * @since 1.0.0
+   */
+  expiresIn: number
+
+  /** Options for how session cookies are serialized. */
+  cookieOpts: CookieSerializeOptions
+
+  /**
+   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
+   * for tokenSet encryption. When empty, signing and encryption are skipped.
+   * @since 1.0.0
+   */
+  secret?: string
+}
+
+/**
+ * Authentication behavior configuration.
+ *
+ * Defines default redirect paths and URIs used for login/logout flow.
+ *
+ * @since 1.0.0
+ */
+type AuthOptions = {
+  /** Path to the login page. */
+  loginUri: string
+
+  /** Default redirect URI after successful login. */
+  defaultLoginRedirectUri: string
+
+  /** Default redirect URI after logout. */
+  defaultLogoutRedirectUri: string
+
+  /** Default anonymous user object. */
+  anonymousUser: AuthorizedUser
+
+  ignoreRegexPatterns: RegExp[]
+
+  ignoreRegexPatternsDev: RegExp[]
+}
+
+/**
+ * Main configuration interface for the Nuxt AuthTS module.
+ *
+ * Combines OpenID Connect, session, and general authentication options.
+ *
+ * @since 1.0.0
+ */
+type AuthtsModuleOptions = {
+  /** Enable or disable the module */
+  enabled: boolean
+  openid: OpenIdOptions
+  sessions: SessionsOptions
+  auth: AuthOptions
+}
+
+interface AuthtsMiddlewareMeta {
+  /** Require authentication to access */
+  required?: boolean
+
+  /** Only accessible if unauthenticated (login/register pages) */
+  unauthenticatedOnly?: boolean
+
+  /** Restrict access to these roles */
+  roles?: string[]
 }
 
 type CoreLogLevel = LogLevel$1

package/dist/module.d.ts

@@ -3,249 +3,255 @@ import { CookieSerializeOptions } from '../dist/runtime/server/adapters/http.js'
 import { OidcUserInfo } from '../dist/runtime/server/adapters/oidc.js';
 import { LogLevel as LogLevel$1, ConsolaOptions, ConsolaInstance } from 'consola';
 
-interface AuthorizedUser {
-  id: string
-  sub: string
-  email: string
-  firstName: string
-  lastName: string
-  locale: string
-  language: string
-  timezone: string
-}
-
-type AuthStatus = 'unauthenticated' | 'authenticated'
-
-type AuthData = {
-  status: AuthStatus
-  tokenSet?: {
-    accessToken: string
-    tokenType: string
-    expiresAt: number
-    idToken: string
-    refreshToken: string
-    scopes: string[]
-  }
-}
-
-type SessionContext<TData = Record<string, unknown>> = {
-  id: string
-  auth: AuthData
-  user: AuthorizedUser
-  data: TData
-  issuedAt: number
-  expiresAt: number
-}
-
-type NuxtAuthOptions = {
-  /**
-   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
-   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
-   * @since 1.0.0
-   */
-  session: (
-    session: Omit<SessionContext, 'auth'>,
-    auth: SessionContext['auth']
-  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
-
-  /**
-   * Maps the OpenID Connect user info response to your local user schema.
-   *
-   * @param user - The raw user info response from the OpenID provider.
-   * @param opts - The token response containing access and ID tokens.
-   * @returns A normalized user object.
-   * @since 1.0.0
-   */
-  userInfo: (
-    user: AuthorizedUser,
-    opts: {
-      openidUser?: OidcUserInfo
-      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
-    }
-  ) => Awaitable<AuthorizedUser>
-}
-
-type NuxtSessionContext<TData = Record<string, unknown>> = {
-  readonly id: string
-  readonly isAuthenticated: boolean
-  readonly user: AuthorizedUser
-  readonly data: TData
-}
-
-type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
-  user: AuthorizedUser
-  data: TData
-}>
-
-/**
- * ⚙️ OpenID Connect configuration options.
- *
- * Defines parameters used for client registration, discovery,
- * and token exchange with the OpenID Provider.
- *
- * @since 1.0.0
- */
-type OpenIdOptions = {
-  /** Client ID registered with the OpenID Provider. */
-  clientId: string
-
-  /** Client secret for token exchange (if applicable). */
-  clientSecret: string
-
-  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
-  usePkce: boolean
-
-  /** Code challenge method, e.g. `S256`. */
-  codeChallengeMethod: string
-
-  /** Scopes requested from the OpenID Provider. */
-  scopes: string[]
-
-  /** Redirect URI used after authorization. */
-  redirectUri: string
-
-  /** The `.well-known/openid-configuration` discovery URL. */
-  wellKnownUrl: string
-
-  /** Whether to automatically fetch user info after login. */
-  autoFetchUser: boolean
-
-  /**
-   * TTL in seconds for caching autoFetchUser results per session.
-   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
-   * Only applies when autoFetchUser is true.
-   * @default 300
-   * @since 1.0.0
-   */
-  autoFetchUserTtl: number
-
-  /** Whether to fetch user info immediately after token grant. */
-  fetchUserOnLogin: boolean
-
-  /**
-   * Window in milliseconds before token expiry at which a refresh is triggered.
-   * Tokens with expiresAt more than this many milliseconds in the future are
-   * considered fresh and the refresh path is skipped entirely.
-   * @default 60000
-   * @since 1.0.0
-   */
-  tokenRefreshBufferMs: number
-
-  /**
-   * When `true`, the token refresh mutex uses an atomic Redis NX write
-   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
-   * true distributed exclusion across multiple server instances. When `false`
-   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
-   *
-   * @remarks Only effective when the Nitro `cache` storage mount is backed by
-   * a Redis driver. Setting `true` with a non-Redis backend falls through to
-   * the optimistic path silently.
-   *
-   * @default false
-   * @since 1.0.0
-   */
-  distributedLock?: boolean
-
-  /** Cache configuration for storing OpenID metadata. */
-  cache: {
-    /** Cache key prefix for the metadata store. */
-    prefix: string
-    /** Expiry time in seconds for cached metadata. */
-    expires: number
-  }
-}
-
-/**
- * 🍪 Session management configuration.
- *
- * Defines session storage, expiration, and cookie behavior
- * for authentication session tracking.
- *
- * @since 1.0.0
- */
-type SessionsOptions = {
-  /** Cookie name mappings used by the session handler. */
-  names: {
-    /** PKCE verifier cookie name. */
-    pkce: string
-    /** State cookie name. */
-    state: string
-    /** Session ID cookie name. */
-    sessionId: string
-    /** Redirect URL cookie name. */
-    redirectUrl: string
-  }
-
-  storage: {
-    name: string
-
-    /** Key prefix for session data in the storage backend. */
-    prefix: string
-  }
-
-  /** Session lifetime in seconds. */
-  expiresIn: number
-
-  /** Options for how session cookies are serialized. */
-  cookieOpts: CookieSerializeOptions
-
-  /**
-   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
-   * for tokenSet encryption. When empty, signing and encryption are skipped.
-   * @since 1.0.0
-   */
-  secret?: string
-}
-
-/**
- * 🔐 Authentication behavior configuration.
- *
- * Defines default redirect paths and URIs used for login/logout flow.
- *
- * @since 1.0.0
- */
-type AuthOptions = {
-  /** Path to the login page. */
-  loginUri: string
-
-  /** Default redirect URI after successful login. */
-  defaultLoginRedirectUri: string
-
-  /** Default redirect URI after logout. */
-  defaultLogoutRedirectUri: string
-
-  /** Default anonymous user object. */
-  anonymousUser: AuthorizedUser
-
-  ignoreRegexPatterns: RegExp[]
-
-  ignoreRegexPatternsDev: RegExp[]
-}
-
-/**
- * 🧩 Main configuration interface for the Nuxt AuthTS module.
- *
- * Combines OpenID Connect, session, and general authentication options.
- *
- * @since 1.0.0
- */
-type AuthtsModuleOptions = {
-  /** Enable or disable the module */
-  enabled: boolean
-  openid: OpenIdOptions
-  sessions: SessionsOptions
-  auth: AuthOptions
-}
-
-interface AuthtsMiddlewareMeta {
-  /** Require authentication to access */
-  required?: boolean
-
-  /** Only accessible if unauthenticated (login/register pages) */
-  unauthenticatedOnly?: boolean
-
-  /** Restrict access to these roles */
-  roles?: string[]
+interface AuthorizedUser {
+  id: string
+  sub: string
+  email: string
+  firstName: string
+  lastName: string
+  locale: string
+  language: string
+  timezone: string
+}
+
+type AuthStatus = 'unauthenticated' | 'authenticated'
+
+type AuthData = {
+  status: AuthStatus
+  tokenSet?: {
+    accessToken: string
+    tokenType: string
+    expiresAt: number
+    idToken: string
+    refreshToken: string
+    scopes: string[]
+  }
+}
+
+type SessionContext<TData = Record<string, unknown>> = {
+  id: string
+  auth: AuthData
+  user: AuthorizedUser
+  data: TData
+  issuedAt: number
+  expiresAt: number
+}
+
+type NuxtAuthOptions = {
+  /**
+   * Default Devcoffee Nuxt AuthTS option callbacks for session and user mapping.
+   * These can be overridden by passing custom callbacks to `NuxtAuthtsHandler()`.
+   * @since 1.0.0
+   */
+  session: (
+    session: Omit<SessionContext, 'auth'>,
+    auth: SessionContext['auth']
+  ) => Awaitable<Omit<SessionContext, 'auth' | 'issuedAt' | 'expiresAt'> & { isAuthenticated: boolean }>
+
+  /**
+   * Maps the OpenID Connect user info response to your local user schema.
+   *
+   * @param user - The raw user info response from the OpenID provider.
+   * @param opts - The token response containing access and ID tokens.
+   * @returns A normalized user object.
+   * @since 1.0.0
+   */
+  userInfo: (
+    user: AuthorizedUser,
+    opts: {
+      openidUser?: OidcUserInfo
+      tokenSet: Exclude<SessionContext['auth']['tokenSet'], undefined>
+    }
+  ) => Awaitable<AuthorizedUser>
+}
+
+type NuxtSessionContext<TData = Record<string, unknown>> = {
+  readonly id: string
+  readonly isAuthenticated: boolean
+  readonly user: AuthorizedUser
+  readonly data: TData
+}
+
+type NuxtSessionUpdateContext<TData = Record<string, unknown>> = DeepPartial<{
+  user: AuthorizedUser
+  data: TData
+}>
+
+/**
+ * OpenID Connect configuration options.
+ *
+ * Defines parameters used for client registration, discovery,
+ * and token exchange with the OpenID Provider.
+ *
+ * @since 1.0.0
+ */
+type OpenIdOptions = {
+  /** Client ID registered with the OpenID Provider. */
+  clientId: string
+
+  /** Client secret for token exchange (if applicable). */
+  clientSecret: string
+
+  /** Whether to use Proof Key for Code Exchange (PKCE) flow. */
+  usePkce: boolean
+
+  /** Code challenge method, e.g. `S256`. */
+  codeChallengeMethod: string
+
+  /** Scopes requested from the OpenID Provider. */
+  scopes: string[]
+
+  /** Redirect URI used after authorization. */
+  redirectUri: string
+
+  /** The `.well-known/openid-configuration` discovery URL. */
+  wellKnownUrl: string
+
+  /** Whether to automatically fetch user info after login. */
+  autoFetchUser: boolean
+
+  /**
+   * TTL in seconds for caching autoFetchUser results per session.
+   * A GET_SESSION within the TTL window does not trigger an OIDC provider call.
+   * Only applies when autoFetchUser is true.
+   * @default 300
+   * @since 1.0.0
+   */
+  autoFetchUserTtl: number
+
+  /** Whether to fetch user info immediately after token grant. */
+  fetchUserOnLogin: boolean
+
+  /**
+   * Window in milliseconds before token expiry at which a refresh is triggered.
+   * Tokens with expiresAt more than this many milliseconds in the future are
+   * considered fresh and the refresh path is skipped entirely.
+   * @default 60000
+   * @since 1.0.0
+   */
+  tokenRefreshBufferMs: number
+
+  /**
+   * When `true`, the token refresh mutex uses an atomic Redis NX write
+   * (`SET key value NX EX ttl`) via the IORedis native client accessor for
+   * true distributed exclusion across multiple server instances. When `false`
+   * (default), the existing optimistic lock (`hasItem` + `setItem`) is used.
+   *
+   * @remarks Only effective when the Nitro `cache` storage mount is backed by
+   * a Redis driver. Setting `true` with a non-Redis backend falls through to
+   * the optimistic path silently.
+   *
+   * @default false
+   * @since 1.0.0
+   */
+  distributedLock?: boolean
+
+  /** Cache configuration for storing OpenID metadata. */
+  cache: {
+    /** Cache key prefix for the metadata store. */
+    prefix: string
+    /** Expiry time in seconds for cached metadata. */
+    expires: number
+  }
+}
+
+/**
+ * Session management configuration.
+ *
+ * Defines session storage, expiration, and cookie behavior
+ * for authentication session tracking.
+ *
+ * @since 1.0.0
+ */
+type SessionsOptions = {
+  /** Cookie name mappings used by the session handler. */
+  names: {
+    /** PKCE verifier cookie name. */
+    pkce: string
+    /** State cookie name. */
+    state: string
+    /** Session ID cookie name. */
+    sessionId: string
+    /** Redirect URL cookie name. */
+    redirectUrl: string
+  }
+
+  storage: {
+    name: string
+
+    /** Key prefix for session data in the storage backend. */
+    prefix: string
+  }
+
+  /**
+   * Session lifetime in seconds.
+   * Converted to milliseconds internally for Date.now() expiry calculations.
+   * Passed directly as Redis TTL (seconds).
+   * @default 518400 (6 days)
+   * @since 1.0.0
+   */
+  expiresIn: number
+
+  /** Options for how session cookies are serialized. */
+  cookieOpts: CookieSerializeOptions
+
+  /**
+   * Secret used to HMAC-sign session ID cookies and derive the AES-256-GCM key
+   * for tokenSet encryption. When empty, signing and encryption are skipped.
+   * @since 1.0.0
+   */
+  secret?: string
+}
+
+/**
+ * Authentication behavior configuration.
+ *
+ * Defines default redirect paths and URIs used for login/logout flow.
+ *
+ * @since 1.0.0
+ */
+type AuthOptions = {
+  /** Path to the login page. */
+  loginUri: string
+
+  /** Default redirect URI after successful login. */
+  defaultLoginRedirectUri: string
+
+  /** Default redirect URI after logout. */
+  defaultLogoutRedirectUri: string
+
+  /** Default anonymous user object. */
+  anonymousUser: AuthorizedUser
+
+  ignoreRegexPatterns: RegExp[]
+
+  ignoreRegexPatternsDev: RegExp[]
+}
+
+/**
+ * Main configuration interface for the Nuxt AuthTS module.
+ *
+ * Combines OpenID Connect, session, and general authentication options.
+ *
+ * @since 1.0.0
+ */
+type AuthtsModuleOptions = {
+  /** Enable or disable the module */
+  enabled: boolean
+  openid: OpenIdOptions
+  sessions: SessionsOptions
+  auth: AuthOptions
+}
+
+interface AuthtsMiddlewareMeta {
+  /** Require authentication to access */
+  required?: boolean
+
+  /** Only accessible if unauthenticated (login/register pages) */
+  unauthenticatedOnly?: boolean
+
+  /** Restrict access to these roles */
+  roles?: string[]
 }
 
 type CoreLogLevel = LogLevel$1

package/dist/module.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-core",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "configKey": "nuxtCore",
   "compatibility": {
     "nuxt": "^4.0.0"

package/dist/module.mjs

@@ -2,7 +2,7 @@ import { addCustomTab } from '@nuxt/devtools-kit';
 import { defineNuxtModule, useLogger, createResolver, addTemplate, addServerImports, addServerImportsDir, addServerPlugin, addImportsDir, addPlugin, addRouteMiddleware, addServerHandler } from '@nuxt/kit';
 import { deepMerge, pick } from '../dist/runtime/utils.js';
 
-const version = "1.4.0";
+const version = "1.4.1";
 
 const defaultLocale = "vi-VN";
 const defaultLanguage = "vi";
@@ -50,7 +50,7 @@ const authtsDefaults = {
     },
     storage: { name: "sessions", prefix: "session" },
     expiresIn: 60 * 60 * 24 * 6,
-    // 6 days
+    // 6 days in seconds
     cookieOpts: {
       path: "/",
       sameSite: "lax",

package/dist/runtime/server/core/helpers.d.ts

@@ -71,7 +71,7 @@ export declare function validateSession(sessionCookieId: string | undefined, opt
  *
  * @param sessionId - The session ID.
  * @param input - Partial update fields for the session (excluding ID, issuedAt, expiresAt).
- * @param opts - Expiration configuration (in milliseconds).
+ * @param opts - Expiration configuration (expiresIn in seconds).
  * @returns The updated {@link SessionContext}.
  * @throws {Error} If session cannot be found in storage.
  * @since 1.0.0

package/dist/runtime/server/core/helpers.js

@@ -106,7 +106,7 @@ function newSession(sessionId, expiresAt) {
 }
 export async function validateSession(sessionCookieId, opts) {
   const now = Date.now();
-  const expiresAt = now + opts.expiresIn;
+  const expiresAt = now + opts.expiresIn * 1e3;
   let sessionId = void 0;
   let sessionKey = void 0;
   let deleteSessionKey = void 0;
@@ -133,7 +133,7 @@ export async function validateSession(sessionCookieId, opts) {
   if (deleteSessionKey && deleteSessionKey !== sessionKey) {
     await removeSessionData(opts.storageName, deleteSessionKey);
   }
-  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn / 1e3 | 0);
+  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn);
   if (session.auth?.tokenSet && session.auth.tokenSet.encrypted === true) {
     if (opts.secret) {
       const decrypted = decryptTokenSet(session.auth.tokenSet, opts.secret);
@@ -160,7 +160,7 @@ export async function updateSession(sessionId, input, opts) {
     });
   }
   session = deepMerge({}, session, normalizedInput);
-  session.expiresAt = now + opts.expiresIn;
+  session.expiresAt = now + opts.expiresIn * 1e3;
   const sessionToStore = { ...session };
   if (opts.secret && sessionToStore.auth?.tokenSet) {
     sessionToStore.auth = {
@@ -171,7 +171,7 @@ export async function updateSession(sessionId, input, opts) {
       )
     };
   }
-  await setSessionData(opts.storageName, serverKey, sessionToStore, opts.expiresIn / 1e3 | 0);
+  await setSessionData(opts.storageName, serverKey, sessionToStore, opts.expiresIn);
   return session;
 }
 export async function renewSession(sessionId, opts) {
@@ -179,9 +179,9 @@ export async function renewSession(sessionId, opts) {
   if (await hasSessionData(opts.storageName, sessionKey)) {
     await removeSessionData(opts.storageName, sessionKey);
   }
-  const session = newSession(generateSessionId(), Date.now() + opts.expiresIn);
+  const session = newSession(generateSessionId(), Date.now() + opts.expiresIn * 1e3);
   sessionKey = getSessionStorageKey(opts.storagePrefix, session.id);
-  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn / 1e3 | 0);
+  await setSessionData(opts.storageName, sessionKey, session, opts.expiresIn);
   return session;
 }
 export async function deleteSession(sessionId, opts) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devcoffee/nuxt-core",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "publishConfig": {
     "access": "public"
   },
@@ -53,7 +53,7 @@
     "cleanup": "nuxi cleanup && nuxi cleanup playground",
     "dev:build": "nuxi build playground",
     "prepack": "nuxt-module-build build",
-    "release": "npm run lint && npm run test:all && npm run prepack && changelogen --release && npm publish && git push --follow-tags",
+    "release": "npm run lint && npm run test:all && npm run prepack && npm publish && git push --follow-tags",
     "lint": "eslint",
     "lint:fix": "eslint --fix",
     "test": "cross-env NODE_OPTIONS=--no-deprecation vitest run test/unit",