@habityzer/nuxt-symfony-kinde-layer 2.1.4 → 2.2.0

package/.env.example

@@ -0,0 +1,17 @@
+# Kinde Authentication Configuration
+# These are required for the @habityzer/nuxt-kinde-auth module
+KINDE_AUTH_DOMAIN=https://your-domain.kinde.com
+KINDE_CLIENT_ID=your_client_id
+KINDE_CLIENT_SECRET=your_client_secret
+KINDE_REDIRECT_URL=http://localhost:3000/api/auth/callback
+KINDE_LOGOUT_REDIRECT_URL=http://localhost:3000
+
+# Auth Cookie and Middleware Configuration
+NUXT_PUBLIC_AUTH_COOKIE_PREFIX=auth_
+NUXT_PUBLIC_AUTH_LOGIN_PATH=/login
+NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS=300
+NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX=Bearer
+NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME=e2e_token
+NUXT_PUBLIC_AUTH_ID_TOKEN_NAME=id_token
+NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME=access_token
+NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME=refresh_token

package/.github/workflows/publish.yml

@@ -38,6 +38,20 @@ jobs:
         run: pnpm install --frozen-lockfile
       
       - name: Prepare Nuxt
+        env:
+          KINDE_AUTH_DOMAIN: https://placeholder.kinde.com
+          KINDE_CLIENT_ID: placeholder_client_id
+          KINDE_CLIENT_SECRET: placeholder_client_secret
+          KINDE_REDIRECT_URL: http://localhost:3000/api/auth/callback
+          KINDE_LOGOUT_REDIRECT_URL: http://localhost:3000
+          NUXT_PUBLIC_AUTH_COOKIE_PREFIX: auth_
+          NUXT_PUBLIC_AUTH_LOGIN_PATH: /login
+          NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS: 300
+          NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX: Bearer
+          NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME: e2e_token
+          NUXT_PUBLIC_AUTH_ID_TOKEN_NAME: id_token
+          NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME: access_token
+          NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME: refresh_token
         run: pnpm nuxt prepare
       
       - name: Run linter

package/.husky/commit-msg

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+# Validate commit message format
+pnpm exec commitlint --edit "$1"

package/.husky/pre-commit

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Pre-commit hook to ensure code quality
+set -e
+
+echo "🔍 Running pre-commit checks..."
+
+# Check if .nuxt directory exists, if not, prepare it
+if [ ! -d ".nuxt" ]; then
+  echo "📦 Preparing Nuxt (first time)..."
+  export KINDE_AUTH_DOMAIN="https://placeholder.kinde.com"
+  export KINDE_CLIENT_ID="placeholder_client_id"
+  export KINDE_CLIENT_SECRET="placeholder_client_secret"
+  export KINDE_REDIRECT_URL="http://localhost:3000/api/auth/callback"
+  export KINDE_LOGOUT_REDIRECT_URL="http://localhost:3000"
+  export NUXT_PUBLIC_AUTH_COOKIE_PREFIX="auth_"
+  export NUXT_PUBLIC_AUTH_LOGIN_PATH="/login"
+  export NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS="300"
+  export NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX="Bearer"
+  export NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME="e2e_token"
+  export NUXT_PUBLIC_AUTH_ID_TOKEN_NAME="id_token"
+  export NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME="access_token"
+  export NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME="refresh_token"
+  
+  pnpm nuxt prepare > /dev/null 2>&1
+fi
+
+# Run linter
+echo "✨ Running ESLint..."
+pnpm lint
+
+echo "✅ Pre-commit checks passed!"

package/CHANGELOG.md

@@ -1,3 +1,11 @@
+# [2.2.0](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.4...v2.2.0) (2026-02-13)
+
+
+### Features
+
+* Enhance Kinde authentication configuration and middleware handling ([d8b722a](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/d8b722a8ba5a126f02c31aea0347fa3e21bb29b9))
+* Refactor Kinde authentication configuration and enhance middleware setup ([c577a2a](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/c577a2a047299f30cb745a91aac82b50c2bfedb1))
+
 ## [2.1.4](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.3...v2.1.4) (2026-01-01)
 
 

package/README.md

@@ -257,6 +257,83 @@ Add these scripts to your project's `package.json`:
 }
 ```
 
+## Development
+
+### Local Development Setup
+
+1. **Install dependencies:**
+   ```bash
+   pnpm install
+   ```
+
+2. **The project uses Husky for git hooks:**
+   - Pre-commit: Automatically runs `pnpm lint` before each commit
+   - Commit-msg: Validates commit message format (conventional commits)
+
+3. **Run linter manually:**
+   ```bash
+   pnpm lint        # Check for issues
+   pnpm lint:fix    # Auto-fix issues
+   ```
+
+4. **First time setup:**
+   The pre-commit hook will automatically run `nuxt prepare` if needed (with placeholder environment variables).
+
+### Commit Message Format
+
+This project uses [Conventional Commits](https://www.conventionalcommits.org/). Your commits must follow this format:
+
+```
+type(scope): subject
+
+body (optional)
+```
+
+**Types:**
+- `feat`: New feature
+- `fix`: Bug fix
+- `docs`: Documentation changes
+- `style`: Code style changes (formatting, etc.)
+- `refactor`: Code refactoring
+- `test`: Adding or updating tests
+- `chore`: Maintenance tasks
+
+**Examples:**
+```bash
+git commit -m "feat: add authentication middleware"
+git commit -m "fix: resolve cookie prefix conflict"
+git commit -m "docs: update README with CI setup"
+```
+
+## CI/CD Setup
+
+### Required Environment Variables for GitHub Actions
+
+When building or publishing this layer in CI/CD (e.g., GitHub Actions), you need to provide placeholder environment variables for the `nuxt prepare` step. The layer's `nuxt.config.ts` validates these at build time.
+
+Add these to your workflow:
+
+```yaml
+- name: Prepare Nuxt
+  env:
+    KINDE_AUTH_DOMAIN: https://placeholder.kinde.com
+    KINDE_CLIENT_ID: placeholder_client_id
+    KINDE_CLIENT_SECRET: placeholder_client_secret
+    KINDE_REDIRECT_URL: http://localhost:3000/api/auth/callback
+    KINDE_LOGOUT_REDIRECT_URL: http://localhost:3000
+    NUXT_PUBLIC_AUTH_COOKIE_PREFIX: auth_
+    NUXT_PUBLIC_AUTH_LOGIN_PATH: /login
+    NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS: 300
+    NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX: Bearer
+    NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME: e2e_token
+    NUXT_PUBLIC_AUTH_ID_TOKEN_NAME: id_token
+    NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME: access_token
+    NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME: refresh_token
+  run: pnpm nuxt prepare
+```
+
+**Note**: These are placeholder values only used for type generation and validation. Projects consuming this layer will provide their own real credentials at runtime.
+
 ## Troubleshooting
 
 ### Cookie Name Conflicts

package/app/composables/useAuth.ts

@@ -1,6 +1,8 @@
 import { computed, ref, readonly } from 'vue'
 import { E2E_TOKEN_COOKIE_NAME } from '../constants/auth'
 
+const LEGACY_E2E_STORAGE_KEY = 'e2e_app_token'
+
 interface SymfonyUser {
   id: number
   email: string
@@ -105,9 +107,30 @@ export const useAuth = () => {
     // Clear local Symfony state
     userProfile.value = null
 
-    // Clear E2E test token if exists
+    // Clear auth cookies first so route middleware blocks protected pages immediately.
     if (import.meta.client) {
-      localStorage.removeItem('e2e_app_token')
+      const config = useRuntimeConfig()
+      const kindeConfig = config.public.kindeAuth || {}
+      const cookieConfig = kindeConfig.cookie || {}
+      const middlewareConfig = kindeConfig.middleware || {}
+      const cookiePrefix = requireString(cookieConfig.prefix, 'kindeAuth.cookie.prefix')
+      const idTokenName = requireString(cookieConfig.idTokenName, 'kindeAuth.cookie.idTokenName')
+      const accessTokenName = requireString(cookieConfig.accessTokenName, 'kindeAuth.cookie.accessTokenName')
+      const refreshTokenName = requireString(cookieConfig.refreshTokenName, 'kindeAuth.cookie.refreshTokenName')
+      const e2eTokenCookieName = requireString(middlewareConfig.e2eTokenCookieName, 'kindeAuth.middleware.e2eTokenCookieName')
+
+      const authCookies = [idTokenName, accessTokenName, refreshTokenName]
+      const scopedE2eCookieName = `${cookiePrefix}${e2eTokenCookieName}`
+      const scopedE2eStorageKey = `${cookiePrefix}e2e_app_token`
+
+      authCookies.forEach((cookieName) => {
+        document.cookie = `${cookiePrefix}${cookieName}=; path=/; max-age=0`
+      })
+
+      // Remove both scoped and legacy keys for backward compatibility.
+      localStorage.removeItem(scopedE2eStorageKey)
+      localStorage.removeItem(LEGACY_E2E_STORAGE_KEY)
+      document.cookie = `${scopedE2eCookieName}=; path=/; max-age=0`
       document.cookie = `${E2E_TOKEN_COOKIE_NAME}=; path=/; max-age=0`
     }
 
@@ -137,3 +160,11 @@ export const useAuth = () => {
     fetchUserProfile
   }
 }
+
+function requireString(value: unknown, key: string): string {
+  if (typeof value === 'string' && value.trim().length > 0) {
+    return value
+  }
+
+  throw new Error(`[useAuth] Missing required config: ${key}`)
+}

package/app/constants/auth.ts

@@ -1,26 +1,9 @@
-/**
- * Authentication constants shared across the application
- */
-
-/**
- * Cookie name for E2E test authentication token
- * Used by automated tests to bypass Kinde OAuth flow
- */
-export const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
-
-/**
- * Prefix for Symfony app tokens (used in E2E tests)
- * These are long-lived tokens generated by `php bin/console app:token:manage create`
- */
-export const APP_TOKEN_PREFIX = 'app_'
-
-/**
- * Kinde authentication cookie names
- * These cookies are managed by the @habityzer/nuxt-kinde-auth module
- * The prefix is configured per-project in nuxt.config.ts
- *
- * Note: These constants use placeholder names. The actual cookie names
- * will have the project-specific prefix (e.g., 'ew-id_token', 'habityzer_id_token')
- */
-export const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
-export const KINDE_ACCESS_TOKEN_COOKIE_NAME = 'access_token'
+export {
+  APP_TOKEN_PREFIX,
+  CLOCK_SKEW_SECONDS,
+  DEFAULT_LOGIN_PATH,
+  E2E_TOKEN_COOKIE_NAME,
+  KINDE_ACCESS_TOKEN_COOKIE_NAME,
+  KINDE_ID_TOKEN_COOKIE_NAME,
+  KINDE_REFRESH_TOKEN_COOKIE_NAME
+} from '../../shared/auth-constants'

package/app/plugins/auth-guard.client.ts

@@ -0,0 +1,134 @@
+export default defineNuxtPlugin(() => {
+  const router = useRouter()
+  const config = useRuntimeConfig()
+  const kindeConfig = config.public.kindeAuth || {}
+  const middlewareConfig = kindeConfig.middleware || {}
+  const cookieConfig = kindeConfig.cookie || {}
+  // @ts-expect-error - cookie property exists in runtime config but not in module types
+  const cookiePrefix = requireString(cookieConfig.prefix, 'kindeAuth.cookie.prefix')
+  const idTokenBaseName = requireString(cookieConfig.idTokenName, 'kindeAuth.cookie.idTokenName')
+  const accessTokenBaseName = requireString(cookieConfig.accessTokenName, 'kindeAuth.cookie.accessTokenName')
+  const e2eTokenCookieName = requireString(middlewareConfig.e2eTokenCookieName, 'kindeAuth.middleware.e2eTokenCookieName')
+  const appTokenPrefix = requireString(middlewareConfig.appTokenPrefix, 'kindeAuth.middleware.appTokenPrefix')
+  const clockSkewSeconds = requireNonNegativeNumber(middlewareConfig.clockSkewSeconds, 'kindeAuth.middleware.clockSkewSeconds')
+  const idToken = useCookie<string | null>(`${cookiePrefix}${idTokenBaseName}`)
+  const accessToken = useCookie<string | null>(`${cookiePrefix}${accessTokenBaseName}`)
+  const e2eToken = useCookie<string | null>(`${cookiePrefix}${e2eTokenCookieName}`)
+  const publicRoutes: string[] = middlewareConfig.publicRoutes || ['/']
+  const loginPath = requireString(middlewareConfig.loginPath, 'kindeAuth.middleware.loginPath')
+
+  router.beforeEach((to) => {
+    if (to.path.startsWith('/api') || to.path.startsWith('/_nuxt')) {
+      return true
+    }
+
+    const isPublicRoute = publicRoutes.some(route => to.path === route || to.path.startsWith(`${route}/`))
+    logClient('route-check', { path: to.path, isPublicRoute })
+    if (isPublicRoute) {
+      return true
+    }
+
+    const hasIdToken = !!idToken.value
+    const hasAccessToken = !!accessToken.value
+    const e2eTokenValue = e2eToken.value
+
+    logClient('cookie-state', {
+      path: to.path,
+      cookiePrefix,
+      hasIdToken,
+      hasAccessToken,
+      hasScopedE2eToken: !!e2eTokenValue
+    })
+
+    if (e2eTokenValue && e2eTokenValue.startsWith(appTokenPrefix)) {
+      logClient('allow-e2e-app-token', { path: to.path })
+      return true
+    }
+
+    if (!hasIdToken && !hasAccessToken) {
+      logClient('redirect-missing-auth-cookies', { path: to.path })
+      window.location.href = loginPath
+      return false
+    }
+
+    const idTokenUsable = hasIdToken ? isUsableToken(idToken.value as string, appTokenPrefix, clockSkewSeconds) : false
+    const accessTokenUsable = hasAccessToken ? isUsableToken(accessToken.value as string, appTokenPrefix, clockSkewSeconds) : false
+    const isUnauthorized = !idTokenUsable && !accessTokenUsable
+
+    logClient('token-evaluation', {
+      path: to.path,
+      idTokenUsable,
+      accessTokenUsable
+    })
+
+    if (isUnauthorized) {
+      idToken.value = null
+      accessToken.value = null
+      logClient('redirect-all-auth-tokens-invalid-or-expired', { path: to.path })
+      window.location.href = loginPath
+      return false
+    }
+
+    logClient('allow-protected-route', { path: to.path })
+    return true
+  })
+})
+
+function isUsableToken(token: string, appTokenPrefix: string, clockSkewSeconds: number): boolean {
+  if (token.startsWith(appTokenPrefix)) {
+    return true
+  }
+
+  const payload = decodeJwtPayload(token)
+  if (!payload || typeof payload.exp !== 'number') {
+    return false
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000)
+  return payload.exp > nowSeconds + clockSkewSeconds
+}
+
+function decodeJwtPayload(token: string): Record<string, unknown> | null {
+  const parts = token.split('.')
+  if (parts.length !== 3) {
+    return null
+  }
+
+  const payloadPart = parts[1]
+  if (!payloadPart) {
+    return null
+  }
+
+  try {
+    const padded = payloadPart.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(payloadPart.length / 4) * 4, '=')
+    const decoded = atob(padded)
+    const parsed = JSON.parse(decoded)
+    return parsed && typeof parsed === 'object' ? parsed as Record<string, unknown> : null
+  } catch {
+    return null
+  }
+}
+
+function logClient(event: string, details: Record<string, unknown>) {
+  if (!import.meta.dev) {
+    return
+  }
+
+  console.warn(`[AUTH GUARD CLIENT] ${event}`, details)
+}
+
+function requireString(value: unknown, key: string): string {
+  if (typeof value === 'string' && value.trim().length > 0) {
+    return value
+  }
+
+  throw new Error(`[AUTH GUARD CLIENT] Missing required config: ${key}`)
+}
+
+function requireNonNegativeNumber(value: unknown, key: string): number {
+  if (typeof value === 'number' && Number.isFinite(value) && value >= 0) {
+    return value
+  }
+
+  throw new Error(`[AUTH GUARD CLIENT] Invalid required numeric config: ${key}`)
+}

package/nuxt.config.ts

@@ -1,6 +1,26 @@
 // https://nuxt.com/docs/guide/going-further/layers
-export default defineNuxtConfig({
+import {
+  APP_TOKEN_PREFIX,
+  CLOCK_SKEW_SECONDS,
+  DEFAULT_LOGIN_PATH,
+  E2E_TOKEN_COOKIE_NAME,
+  KINDE_ACCESS_TOKEN_COOKIE_NAME,
+  KINDE_ID_TOKEN_COOKIE_NAME,
+  KINDE_REFRESH_TOKEN_COOKIE_NAME
+} from './shared/auth-constants'
+
+const AUTH_COOKIE_PREFIX = process.env.NUXT_PUBLIC_AUTH_COOKIE_PREFIX
+const AUTH_LOGIN_PATH = process.env.NUXT_PUBLIC_AUTH_LOGIN_PATH || DEFAULT_LOGIN_PATH
+const AUTH_CLOCK_SKEW_SECONDS = process.env.NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS
+  ? Number(process.env.NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS)
+  : CLOCK_SKEW_SECONDS
+const AUTH_APP_TOKEN_PREFIX = process.env.NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX || APP_TOKEN_PREFIX
+const AUTH_E2E_TOKEN_COOKIE_NAME = process.env.NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME || E2E_TOKEN_COOKIE_NAME
+const AUTH_ID_TOKEN_NAME = process.env.NUXT_PUBLIC_AUTH_ID_TOKEN_NAME || KINDE_ID_TOKEN_COOKIE_NAME
+const AUTH_ACCESS_TOKEN_NAME = process.env.NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME || KINDE_ACCESS_TOKEN_COOKIE_NAME
+const AUTH_REFRESH_TOKEN_NAME = process.env.NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME || KINDE_REFRESH_TOKEN_COOKIE_NAME
 
+export default defineNuxtConfig({
   // Pre-configure shared modules that all projects will use
   modules: [
     '@nuxt/eslint',
@@ -24,17 +44,57 @@ export default defineNuxtConfig({
 
       // Expose kindeAuth config for middleware (will be merged with project config)
       kindeAuth: {
-        // @ts-expect-error - cookie property exists in runtime but not in Kinde module types
         cookie: {
-          prefix: 'app_' // Default, projects override this
+          prefix: AUTH_COOKIE_PREFIX,
+          idTokenName: AUTH_ID_TOKEN_NAME,
+          accessTokenName: AUTH_ACCESS_TOKEN_NAME,
+          refreshTokenName: AUTH_REFRESH_TOKEN_NAME
         },
         middleware: {
-          publicRoutes: [] // Default, projects override this
+          publicRoutes: [], // Default, projects override this
+          loginPath: AUTH_LOGIN_PATH,
+          clockSkewSeconds: AUTH_CLOCK_SKEW_SECONDS,
+          appTokenPrefix: AUTH_APP_TOKEN_PREFIX,
+          e2eTokenCookieName: AUTH_E2E_TOKEN_COOKIE_NAME
         }
-      }
+      } as Record<string, unknown>
     }
   },
   compatibilityDate: '2025-01-17',
+  hooks: {
+    ready(nuxt) {
+      const publicConfig = nuxt.options.runtimeConfig.public as Record<string, unknown>
+      const runtimeKindeAuth = (publicConfig.kindeAuth || {}) as Record<string, unknown>
+      const runtimeCookie = (runtimeKindeAuth.cookie || {}) as Record<string, unknown>
+      const runtimeMiddleware = (runtimeKindeAuth.middleware || {}) as Record<string, unknown>
+      const kindeModuleConfig = (nuxt.options.kindeAuth || {}) as Record<string, unknown>
+      const kindeModuleCookie = (kindeModuleConfig.cookie || {}) as Record<string, unknown>
+      const kindeModuleMiddleware = (kindeModuleConfig.middleware || {}) as Record<string, unknown>
+
+      // Keep layer reusable: if app defines values only in kindeAuth module config,
+      // mirror them into runtime config used by guards/composables.
+      if (!isNonEmptyString(runtimeCookie.prefix) && isNonEmptyString(kindeModuleCookie.prefix)) {
+        runtimeCookie.prefix = kindeModuleCookie.prefix
+      }
+      if (!Array.isArray(runtimeMiddleware.publicRoutes) && Array.isArray(kindeModuleMiddleware.publicRoutes)) {
+        runtimeMiddleware.publicRoutes = kindeModuleMiddleware.publicRoutes
+      }
+
+      runtimeKindeAuth.cookie = runtimeCookie
+      runtimeKindeAuth.middleware = runtimeMiddleware
+      publicConfig.kindeAuth = runtimeKindeAuth
+
+      assertRequiredString(runtimeCookie.prefix, 'runtimeConfig.public.kindeAuth.cookie.prefix')
+      // Optional values are defaulted in the layer; only validate final resolved values.
+      assertRequiredNumber(runtimeMiddleware.clockSkewSeconds, 'runtimeConfig.public.kindeAuth.middleware.clockSkewSeconds')
+      assertRequiredString(kindeModuleCookie.prefix, 'kindeAuth.cookie.prefix')
+      assertRequiredString(kindeModuleConfig.authDomain, 'kindeAuth.authDomain')
+      assertRequiredString(kindeModuleConfig.clientId, 'kindeAuth.clientId')
+      assertRequiredString(kindeModuleConfig.clientSecret, 'kindeAuth.clientSecret')
+      assertRequiredString(kindeModuleConfig.redirectURL, 'kindeAuth.redirectURL')
+      assertRequiredString(kindeModuleConfig.logoutRedirectURL, 'kindeAuth.logoutRedirectURL')
+    }
+  },
 
   // ESLint configuration
   eslint: {
@@ -48,14 +108,14 @@ export default defineNuxtConfig({
 
   // Default Kinde configuration (projects MUST override with their credentials)
   kindeAuth: {
-    authDomain: process.env.KINDE_AUTH_DOMAIN || 'https://dummy.kinde.com', // Project must provide, dummy for build
-    clientId: process.env.KINDE_CLIENT_ID || 'dummy-client-id', // Project must provide, dummy for build
-    clientSecret: process.env.KINDE_CLIENT_SECRET || 'dummy-secret', // Project must provide, dummy for build
-    redirectURL: process.env.KINDE_REDIRECT_URL || 'http://localhost:3000/api/auth/kinde_callback', // Project must provide, dummy for build
-    logoutRedirectURL: process.env.KINDE_LOGOUT_REDIRECT_URL || 'http://localhost:3000', // Project must provide, dummy for build
+    authDomain: process.env.KINDE_AUTH_DOMAIN,
+    clientId: process.env.KINDE_CLIENT_ID,
+    clientSecret: process.env.KINDE_CLIENT_SECRET,
+    redirectURL: process.env.KINDE_REDIRECT_URL,
+    logoutRedirectURL: process.env.KINDE_LOGOUT_REDIRECT_URL,
     postLoginRedirectURL: '/dashboard', // Default, can be overridden
     cookie: {
-      prefix: 'app_', // Projects MUST override this
+      prefix: AUTH_COOKIE_PREFIX,
       httpOnly: false, // Allow client-side deletion for logout
       secure: process.env.NODE_ENV === 'production',
       sameSite: 'lax' as const,
@@ -75,3 +135,19 @@ export default defineNuxtConfig({
   // Pinia configuration
   pinia: {}
 })
+
+function assertRequiredString(value: unknown, key: string) {
+  if (typeof value !== 'string' || value.trim().length === 0) {
+    throw new Error(`[nuxt-symfony-kinde-layer] Missing required config: ${key}`)
+  }
+}
+
+function assertRequiredNumber(value: unknown, key: string) {
+  if (typeof value !== 'number' || !Number.isFinite(value) || value < 0) {
+    throw new Error(`[nuxt-symfony-kinde-layer] Missing or invalid required numeric config: ${key}`)
+  }
+}
+
+function isNonEmptyString(value: unknown): value is string {
+  return typeof value === 'string' && value.trim().length > 0
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@habityzer/nuxt-symfony-kinde-layer",
-  "version": "2.1.4",
+  "version": "2.2.0",
   "description": "Shared Nuxt layer for Symfony + Kinde authentication integration",
   "type": "module",
   "main": "./nuxt.config.ts",
@@ -9,7 +9,9 @@
     "build": "nuxt build",
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
-    "release": " HUSKY=0 semantic-release"
+    "prepare": "husky || true",
+    "prepare:ci": "pnpm install && KINDE_AUTH_DOMAIN=https://placeholder.kinde.com KINDE_CLIENT_ID=placeholder KINDE_CLIENT_SECRET=placeholder KINDE_REDIRECT_URL=http://localhost:3000/api/auth/callback KINDE_LOGOUT_REDIRECT_URL=http://localhost:3000 NUXT_PUBLIC_AUTH_COOKIE_PREFIX=auth_ NUXT_PUBLIC_AUTH_LOGIN_PATH=/login NUXT_PUBLIC_AUTH_CLOCK_SKEW_SECONDS=300 NUXT_PUBLIC_AUTH_APP_TOKEN_PREFIX=Bearer NUXT_PUBLIC_AUTH_E2E_TOKEN_COOKIE_NAME=e2e_token NUXT_PUBLIC_AUTH_ID_TOKEN_NAME=id_token NUXT_PUBLIC_AUTH_ACCESS_TOKEN_NAME=access_token NUXT_PUBLIC_AUTH_REFRESH_TOKEN_NAME=refresh_token pnpm nuxt prepare",
+    "release": "HUSKY=0 semantic-release"
   },
   "keywords": [
     "nuxt",
@@ -45,7 +47,8 @@
     "openapi-typescript": "^7.10.0",
     "typescript": "^5.9.3",
     "eslint": "^9.37.0",
-    "semantic-release": "^24.2.9"
+    "semantic-release": "^24.2.9",
+    "husky": "^9.0.0"
   },
   "peerDependencies": {
     "nuxt": "^3.0.0 || ^4.0.0"

package/server/api/symfony/[...].ts

@@ -12,13 +12,14 @@
  * @see .cursorrules for proxy best practices
  */
 
-// Auth constants (defined inline to avoid import issues during Nitro bundling)
-const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
-const APP_TOKEN_PREFIX = 'app_'
-const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
-
 export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig()
+  const kindeConfig = config.public.kindeAuth || {}
+  const middlewareConfig = kindeConfig.middleware || {}
+  const cookieConfig = kindeConfig.cookie || {}
+  const appTokenPrefix = requireString(middlewareConfig.appTokenPrefix, 'kindeAuth.middleware.appTokenPrefix')
+  const e2eTokenCookieName = requireString(middlewareConfig.e2eTokenCookieName, 'kindeAuth.middleware.e2eTokenCookieName')
+  const idTokenBaseName = requireString(cookieConfig.idTokenName, 'kindeAuth.cookie.idTokenName')
 
   // Get the path (remove /api/symfony prefix)
   let path
@@ -50,8 +51,11 @@ export default defineEventHandler(async (event) => {
   } else {
     // Check for E2E test token first (from cookie)
     // Only use E2E token if it's a valid app token (starts with APP_TOKEN_PREFIX)
-    const e2eToken = getCookie(event, E2E_TOKEN_COOKIE_NAME)
-    if (e2eToken && e2eToken.startsWith(APP_TOKEN_PREFIX)) {
+    // Prefer scoped cookie name to avoid collisions between projects on localhost.
+    const cookiePrefix = requireString(cookieConfig.prefix, 'kindeAuth.cookie.prefix')
+    const scopedE2eCookieName = `${cookiePrefix}${e2eTokenCookieName}`
+    const e2eToken = getCookie(event, scopedE2eCookieName)
+    if (e2eToken && e2eToken.startsWith(appTokenPrefix)) {
       token = e2eToken
     } else {
       // Use Kinde authentication from the module
@@ -79,7 +83,7 @@ export default defineEventHandler(async (event) => {
         // If access token is not available, try id_token as fallback
         if (!accessToken || accessToken.trim() === '') {
           const idToken = (await sessionManager.getSessionItem(
-            KINDE_ID_TOKEN_COOKIE_NAME
+            idTokenBaseName
           )) as string | undefined
 
           if (idToken) {
@@ -220,3 +224,11 @@ export default defineEventHandler(async (event) => {
     })
   }
 })
+
+function requireString(value: unknown, key: string): string {
+  if (typeof value === 'string' && value.trim().length > 0) {
+    return value
+  }
+
+  throw new Error(`[SYMFONY PROXY] Missing required config: ${key}`)
+}

package/server/middleware/auth-guard.ts

@@ -0,0 +1,144 @@
+export default defineEventHandler((event) => {
+  if (!isHtmlNavigationRequest(event)) {
+    return
+  }
+
+  const path = getRequestURL(event).pathname
+  if (!path || path.startsWith('/api') || path.startsWith('/_nuxt') || path.startsWith('/__nuxt') || path.startsWith('/_ipx')) {
+    return
+  }
+
+  const config = useRuntimeConfig(event)
+  const kindeConfig = config.public.kindeAuth || {}
+  const middlewareConfig = kindeConfig.middleware || {}
+  const cookieConfig = kindeConfig.cookie || {}
+  const publicRoutes: string[] = middlewareConfig.publicRoutes || ['/']
+  const loginPath = requireString(middlewareConfig.loginPath, 'kindeAuth.middleware.loginPath')
+  const appTokenPrefix = requireString(middlewareConfig.appTokenPrefix, 'kindeAuth.middleware.appTokenPrefix')
+  const e2eTokenCookieName = requireString(middlewareConfig.e2eTokenCookieName, 'kindeAuth.middleware.e2eTokenCookieName')
+  const clockSkewSeconds = requireNonNegativeNumber(middlewareConfig.clockSkewSeconds, 'kindeAuth.middleware.clockSkewSeconds')
+  const idTokenBaseName = requireString(cookieConfig.idTokenName, 'kindeAuth.cookie.idTokenName')
+  const accessTokenBaseName = requireString(cookieConfig.accessTokenName, 'kindeAuth.cookie.accessTokenName')
+  const isPublicRoute = publicRoutes.some(route => path === route || path.startsWith(`${route}/`))
+
+  logServer('route-check', { path, isPublicRoute })
+  if (isPublicRoute) {
+    return
+  }
+
+  const cookiePrefix = requireString(cookieConfig.prefix, 'kindeAuth.cookie.prefix')
+  const idTokenName = `${cookiePrefix}${idTokenBaseName}`
+  const accessTokenName = `${cookiePrefix}${accessTokenBaseName}`
+  const e2eTokenName = `${cookiePrefix}${e2eTokenCookieName}`
+
+  const idToken = getCookie(event, idTokenName)
+  const accessToken = getCookie(event, accessTokenName)
+  const e2eToken = getCookie(event, e2eTokenName)
+
+  const hasIdToken = !!idToken
+  const hasAccessToken = !!accessToken
+  logServer('cookie-state', {
+    path,
+    cookiePrefix,
+    hasIdToken,
+    hasAccessToken,
+    hasScopedE2eToken: !!e2eToken
+  })
+
+  if (e2eToken && e2eToken.startsWith(appTokenPrefix)) {
+    logServer('allow-e2e-app-token', { path })
+    return
+  }
+
+  if (!hasIdToken && !hasAccessToken) {
+    logServer('redirect-missing-auth-cookies', { path })
+    return sendRedirect(event, loginPath, 302)
+  }
+
+  const idTokenUsable = hasIdToken ? isUsableToken(idToken as string, appTokenPrefix, clockSkewSeconds) : false
+  const accessTokenUsable = hasAccessToken ? isUsableToken(accessToken as string, appTokenPrefix, clockSkewSeconds) : false
+  const isUnauthorized = !idTokenUsable && !accessTokenUsable
+
+  logServer('token-evaluation', {
+    path,
+    idTokenUsable,
+    accessTokenUsable
+  })
+
+  if (isUnauthorized) {
+    setCookie(event, idTokenName, '', { path: '/', maxAge: 0 })
+    setCookie(event, accessTokenName, '', { path: '/', maxAge: 0 })
+    logServer('redirect-all-auth-tokens-invalid-or-expired', { path })
+    return sendRedirect(event, loginPath, 302)
+  }
+
+  logServer('allow-protected-route', { path })
+})
+
+function isHtmlNavigationRequest(event: Parameters<typeof defineEventHandler>[0]): boolean {
+  if (event.method !== 'GET' && event.method !== 'HEAD') {
+    return false
+  }
+
+  const accept = getHeader(event, 'accept') || ''
+  return accept.includes('text/html') || accept.includes('*/*')
+}
+
+function isUsableToken(token: string, appTokenPrefix: string, clockSkewSeconds: number): boolean {
+  if (token.startsWith(appTokenPrefix)) {
+    return true
+  }
+
+  const payload = decodeJwtPayload(token)
+  if (!payload || typeof payload.exp !== 'number') {
+    return false
+  }
+
+  const nowSeconds = Math.floor(Date.now() / 1000)
+  return payload.exp > nowSeconds + clockSkewSeconds
+}
+
+function decodeJwtPayload(token: string): Record<string, unknown> | null {
+  const parts = token.split('.')
+  if (parts.length !== 3) {
+    return null
+  }
+
+  const payloadPart = parts[1]
+  if (!payloadPart) {
+    return null
+  }
+
+  try {
+    const padded = payloadPart.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(payloadPart.length / 4) * 4, '=')
+    const decoded = Buffer.from(padded, 'base64').toString('utf8')
+    const parsed = JSON.parse(decoded)
+    return parsed && typeof parsed === 'object' ? parsed as Record<string, unknown> : null
+  } catch {
+    return null
+  }
+}
+
+function logServer(event: string, details: Record<string, unknown>) {
+  if (process.env.NODE_ENV === 'production') {
+    return
+  }
+
+  console.warn(`[AUTH GUARD SERVER] ${event}`, details)
+}
+
+function requireString(value: unknown, key: string): string {
+  if (typeof value === 'string' && value.trim().length > 0) {
+    return value
+  }
+
+  throw new Error(`[AUTH GUARD SERVER] Missing required config: ${key}`)
+}
+
+function requireNonNegativeNumber(value: unknown, key: string): number {
+  if (typeof value === 'number' && Number.isFinite(value) && value >= 0) {
+    return value
+  }
+
+  throw new Error(`[AUTH GUARD SERVER] Invalid required numeric config: ${key}`)
+}

package/server/utils/auth-constants.ts

@@ -1,23 +1,9 @@
-/**
- * Authentication constants for server-side code
- * These are duplicated from app/constants/auth.ts to avoid import issues in Nitro bundling
- */
-
-/**
- * Cookie name for E2E test authentication token
- * Used by automated tests to bypass Kinde OAuth flow
- */
-export const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
-
-/**
- * Prefix for Symfony app tokens (used in E2E tests)
- * These are long-lived tokens generated by `php bin/console app:token:manage create`
- */
-export const APP_TOKEN_PREFIX = 'app_'
-
-/**
- * Kinde authentication cookie names (base names without prefix)
- * The prefix is configured per-project in nuxt.config.ts and applied dynamically
- */
-export const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
-export const KINDE_ACCESS_TOKEN_COOKIE_NAME = 'access_token'
+export {
+  APP_TOKEN_PREFIX,
+  CLOCK_SKEW_SECONDS,
+  DEFAULT_LOGIN_PATH,
+  E2E_TOKEN_COOKIE_NAME,
+  KINDE_ACCESS_TOKEN_COOKIE_NAME,
+  KINDE_ID_TOKEN_COOKIE_NAME,
+  KINDE_REFRESH_TOKEN_COOKIE_NAME
+} from '../../shared/auth-constants'

package/shared/auth-constants.ts

@@ -0,0 +1,12 @@
+/**
+ * Shared authentication constants for both app and server code.
+ */
+export const DEFAULT_LOGIN_PATH = '/api/kinde/login'
+export const CLOCK_SKEW_SECONDS = 30
+
+export const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
+export const APP_TOKEN_PREFIX = 'app_'
+
+export const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
+export const KINDE_ACCESS_TOKEN_COOKIE_NAME = 'access_token'
+export const KINDE_REFRESH_TOKEN_COOKIE_NAME = 'refresh_token'

package/app/middleware/auth.global.ts

@@ -1,82 +0,0 @@
-import { E2E_TOKEN_COOKIE_NAME, KINDE_ID_TOKEN_COOKIE_NAME, KINDE_ACCESS_TOKEN_COOKIE_NAME } from '../constants/auth'
-
-/**
- * Global auth middleware - checks authentication on route navigation
- * Redirects to login if accessing protected routes without authentication
- *
- * Note: This middleware works alongside the nuxt-kinde-auth module.
- * It handles E2E testing tokens and uses the module's login endpoints.
- *
- * Projects should configure publicRoutes in their nuxt.config.ts:
- * kindeAuth: {
- *   middleware: {
- *     publicRoutes: ['/', '/blog', '/help']
- *   }
- * }
- */
-export default defineNuxtRouteMiddleware(async (to) => {
-  // Get public routes from runtime config (configured per-project)
-  const config = useRuntimeConfig()
-  const kindeConfig = config.public.kindeAuth || {}
-  const publicRoutes: string[] = kindeConfig.middleware?.publicRoutes || ['/']
-
-  // Check if the route is public or a child of public routes
-  const isPublicRoute = publicRoutes.some(route =>
-    to.path === route || to.path.startsWith(`${route}/`)
-  )
-
-  // If it's a public route, allow access
-  if (isPublicRoute) {
-    return
-  }
-
-  // For protected routes, check authentication
-  if (import.meta.server) {
-    // Server-side: Check for auth cookies using Nuxt's useCookie
-    // Note: Cookie names include the project-specific prefix
-    const config = useRuntimeConfig()
-    // @ts-expect-error - cookie property exists in runtime config but not in Kinde module types
-    const cookiePrefix = config.public.kindeAuth?.cookie?.prefix || 'app_'
-
-    const idTokenName = `${cookiePrefix}${KINDE_ID_TOKEN_COOKIE_NAME}`
-    const accessTokenName = `${cookiePrefix}${KINDE_ACCESS_TOKEN_COOKIE_NAME}`
-
-    const idToken = useCookie(idTokenName)
-    const accessToken = useCookie(accessTokenName)
-    const e2eToken = useCookie(E2E_TOKEN_COOKIE_NAME) // E2E test token
-
-    // Allow access if any valid auth token exists
-    if (!idToken.value && !accessToken.value && !e2eToken.value) {
-      // Redirect to module's login endpoint
-      return navigateTo('/api/kinde/login', { external: true })
-    }
-  } else {
-    // Client-side: Check for E2E token first (for tests)
-    const e2eToken = useCookie(E2E_TOKEN_COOKIE_NAME)
-
-    // If E2E token exists, allow access (for automated tests)
-    if (e2eToken.value) {
-      return
-    }
-
-    // Check for auth cookies directly (more reliable than reactive state)
-    const config = useRuntimeConfig()
-    // @ts-expect-error - cookie property exists in runtime config but not in Kinde module types
-    const cookiePrefix = config.public.kindeAuth?.cookie?.prefix || 'app_'
-
-    const idTokenName = `${cookiePrefix}${KINDE_ID_TOKEN_COOKIE_NAME}`
-    const accessTokenName = `${cookiePrefix}${KINDE_ACCESS_TOKEN_COOKIE_NAME}`
-
-    const idToken = useCookie(idTokenName)
-    const accessToken = useCookie(accessTokenName)
-
-    // Allow access if any valid auth token cookie exists
-    if (!idToken.value && !accessToken.value) {
-      // Redirect to module's login endpoint
-      if (import.meta.client) {
-        window.location.href = '/api/kinde/login'
-      }
-      return
-    }
-  }
-})