@norriq/nuxt-auth 1.0.0

package/LICENSE

@@ -0,0 +1,8 @@
+Copyright (c) 2026 NORRIQ. All rights reserved.
+
+This software and associated documentation files (the "Software") are the
+proprietary property of NORRIQ. Unauthorized use, copying, modification,
+distribution, or any other exploitation of the Software, in whole or in part,
+is strictly prohibited without the prior written consent of NORRIQ.
+
+For licensing inquiries, contact: info@norriq.com

package/README.md

@@ -0,0 +1,44 @@
+# @norriq/nuxt-auth
+
+Nuxt layer providing CIAM authentication via `@sidebase/nuxt-auth` with NORRIQ.Auth integration.
+
+Adds server routes for OAuth2 flows, token refresh, credential login, and session management.
+
+## Usage
+
+```ts
+// nuxt.config.ts
+export default defineNuxtConfig({
+  extends: ['@norriq/nuxt-auth'],
+})
+```
+
+## Environment variables
+
+| Variable | Scope | Required | Description |
+|----------|-------|----------|-------------|
+| `NUXT_AUTH_SECRET` | Server | Yes | Session encryption secret |
+| `NUXT_AUTH_URL` | Server | Yes | NORRIQ.Auth server URL (internal) |
+| `NUXT_AUTH_URL_INTERNAL` | Server | No | Overrides `authUrl` for server-to-server calls |
+| `NUXT_AUTH_CLIENT_SECRET` | Server | No | OAuth2 client secret |
+| `NUXT_PUBLIC_AUTH_URL` | Public | Yes | NORRIQ.Auth server URL (browser) |
+| `NUXT_PUBLIC_AUTH_CLIENT_ID` | Public | Yes | OAuth2 client ID |
+| `NUXT_PUBLIC_AUTH_AREA_ID` | Public | Yes | NORRIQ.Auth area ID |
+
+## Exports
+
+| Path | Description |
+|------|-------------|
+| `@norriq/nuxt-auth` | Nuxt layer entry (nuxt.config.ts) |
+| `@norriq/nuxt-auth/authorizeRedirect` | Utility to build OAuth2 authorize redirect URLs |
+| `@norriq/nuxt-auth/forceReauth` | Cookie-based force-reauthentication utilities |
+
+## Server routes
+
+| Route | Method | Description |
+|-------|--------|-------------|
+| `/api/auth/authorize` | GET | Initiates OAuth2 flow with PKCE |
+| `/api/auth/credentials-login` | POST | Direct username/password login |
+| `/api/auth/refresh-token` | POST | Refresh access token |
+| `/api/auth/oauth-callback/[connectorKey]` | GET | OAuth2 callback handler |
+| `/api/auth/[...]` | * | NextAuth.js catch-all handler |

package/nuxt.config.ts

@@ -0,0 +1,49 @@
+import { fileURLToPath } from 'node:url'
+import { dirname, resolve } from 'node:path'
+
+declare module 'nuxt/schema' {
+    interface RuntimeConfig {
+        authSecret: string
+        authClientSecret: string
+        authUrl: string
+        authUrlInternal: string
+    }
+    interface PublicRuntimeConfig {
+        authUrl: string
+        authClientId: string
+        authAreaId: string
+    }
+}
+
+const currentDir = dirname(fileURLToPath(import.meta.url))
+
+export default defineNuxtConfig({
+    modules: ['@sidebase/nuxt-auth'],
+
+    auth: {
+        provider: { type: 'authjs' },
+        globalAppMiddleware: { isEnabled: true },
+        sessionRefresh: {
+            handler: resolve(currentDir, './utils/auth/AuthRefreshHandler'),
+            enableOnWindowFocus: true,
+            enablePeriodically: 60 * 2 * 1000,
+        },
+        baseURL: '/api/auth',
+    },
+
+    experimental: {
+        asyncContext: true,
+    },
+
+    runtimeConfig: {
+        authSecret: '',
+        authClientSecret: '',
+        authUrl: '',
+        authUrlInternal: '',
+        public: {
+            authUrl: undefined,
+            authClientId: undefined,
+            authAreaId: undefined,
+        },
+    },
+})

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@norriq/nuxt-auth",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "./nuxt.config.ts",
+  "exports": {
+    ".": "./nuxt.config.ts",
+    "./authorizeRedirect": "./utils/auth/authorizeRedirect.ts",
+    "./forceReauth": "./utils/auth/forceReauth.ts"
+  },
+  "files": [
+    "nuxt.config.ts",
+    "server",
+    "utils",
+    "types"
+  ],
+  "license": "SEE LICENSE IN LICENSE",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@sidebase/nuxt-auth": "^1.1.1",
+    "jose": "^6.1.3",
+    "next-auth": "~4.24.14"
+  },
+  "peerDependencies": {
+    "nuxt": ">=3.0.0"
+  },
+  "devDependencies": {
+    "h3": "^1.15.0",
+    "typescript-eslint": "^8.0.0",
+    "vitest": "^3.2.4"
+  },
+  "scripts": {
+    "lint": "eslint .",
+    "lint:fix": "eslint --fix .",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  }
+}

package/server/api/auth/[...].ts

@@ -0,0 +1,34 @@
+import { NuxtAuthHandler } from '#auth'
+import type { JWT } from 'next-auth/jwt'
+import type { Session } from 'next-auth'
+
+const runtimeConfig = useRuntimeConfig()
+
+export default NuxtAuthHandler({
+    secret: runtimeConfig.authSecret,
+    providers: [],
+
+    callbacks: {
+        jwt: ({ token }): JWT => token,
+        session: ({ session, token }): Session => {
+            session.user = {
+                name: token.name || '',
+                username: token.username || '',
+                customerNumber: token.customerNumber || '',
+                roles: token.roles || [],
+                authInfo: {
+                    accessToken: token.accessToken,
+                    refreshToken: token.refreshToken,
+                    tokenPolicy: token.tokenPolicy,
+                    authMethod: token.authMethod,
+                },
+            }
+            session.roles = token.roles || []
+            return session
+        },
+    },
+
+    pages: {
+        signIn: '/login',
+    },
+})

package/server/api/auth/authorize.get.ts

@@ -0,0 +1,87 @@
+import crypto from 'node:crypto'
+
+const allowedConnectors = ['customer', 'norriq'] as const
+type ConnectorKey = (typeof allowedConnectors)[number]
+
+function isValidConnector(value: string): value is ConnectorKey {
+    return (allowedConnectors as readonly string[]).includes(value)
+}
+
+export default defineEventHandler((event) => {
+    const query = getQuery(event)
+    const connectorKey = typeof query.connector_key === 'string' ? query.connector_key : ''
+    const returnUrl = typeof query.return_url === 'string' ? query.return_url : '/'
+    // Check both query param and cookie — the cookie is set by setForceReauth() on
+    // sign-out, but Nuxt's useCookie() on the client may not relay it as a query param
+    // during SPA navigation. The browser always sends the cookie in the request though.
+    const forceReauthCookie = getCookie(event, 'auth:forceReauth')
+    const forceReauthentication = query.force_reauthentication === 'true' || forceReauthCookie === 'true'
+    if (forceReauthCookie) {
+        deleteCookie(event, 'auth:forceReauth', { path: '/' })
+    }
+
+    if (!isValidConnector(connectorKey)) {
+        throw createError({ statusCode: 400, statusMessage: 'Invalid connector key' })
+    }
+
+    if (!isSafeReturnUrl(returnUrl)) {
+        throw createError({ statusCode: 400, statusMessage: 'Invalid return URL' })
+    }
+
+    const state = crypto.randomBytes(32).toString('base64url')
+    const codeVerifier = crypto.randomBytes(32).toString('base64url')
+    const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url')
+    const secure = isSecureRequest(event)
+
+    setCookie(event, 'auth:state', state, {
+        httpOnly: true,
+        secure,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 60 * 10,
+    })
+
+    setCookie(event, 'auth:codeVerifier', codeVerifier, {
+        httpOnly: true,
+        secure,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 60 * 10,
+    })
+
+    setCookie(event, 'auth:returnUrl', returnUrl, {
+        httpOnly: true,
+        secure,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 60 * 10,
+    })
+
+    const config = useRuntimeConfig()
+    const authUrl = config.public.authUrl
+    const clientId = config.public.authClientId
+    const areaId = config.public.authAreaId
+
+    const requestUrl = getRequestURL(event)
+    const host = getRequestHeader(event, 'host') || requestUrl.host
+    const forwardedProto = getRequestHeader(event, 'x-forwarded-proto')
+    const protocol = forwardedProto ? `${forwardedProto}:` : requestUrl.protocol
+
+    const params = new URLSearchParams({
+        client_id: clientId,
+        response_type: 'code',
+        redirect_uri: `${protocol}//${host}/api/auth/oauth-callback/${connectorKey}`,
+        scope: 'openid offline_access',
+        area_id: areaId,
+        connector_key: connectorKey,
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+    })
+
+    if (forceReauthentication) {
+        params.set('prompt', 'login')
+    }
+
+    return sendRedirect(event, `${authUrl}/connect/authorize?${params}`)
+})

package/server/api/auth/authorize.test.ts

@@ -0,0 +1,128 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import type { EventHandler } from 'h3'
+import { fakeEvent, stubCreateError, catchHttpError, lastRedirectUrl } from '../../test-helpers'
+
+const mockGetQuery = vi.fn()
+const mockGetCookie = vi.fn()
+const mockDeleteCookie = vi.fn()
+const mockSetCookie = vi.fn()
+const mockSendRedirect = vi.fn()
+const mockGetRequestHeader = vi.fn()
+
+vi.stubGlobal('defineEventHandler', <T>(fn: T): T => fn)
+stubCreateError()
+vi.stubGlobal('getQuery', (event: unknown) => mockGetQuery(event))
+vi.stubGlobal('getCookie', (_event: unknown, name: string) => mockGetCookie(name))
+vi.stubGlobal('deleteCookie', (_event: unknown, name: string, opts?: unknown) => mockDeleteCookie(name, opts))
+vi.stubGlobal('setCookie', (_event: unknown, name: string, value: string, opts?: unknown) =>
+    mockSetCookie(name, value, opts)
+)
+vi.stubGlobal('sendRedirect', (_event: unknown, url: string) => mockSendRedirect(url))
+vi.stubGlobal('getRequestURL', () => new URL('https://app.example.com/api/auth/authorize'))
+vi.stubGlobal('getRequestHeader', (_event: unknown, header: string) => mockGetRequestHeader(header))
+vi.stubGlobal('useRuntimeConfig', () => ({
+    public: {
+        authUrl: 'https://auth.example.com',
+        authClientId: 'test-client-id',
+        authAreaId: 'test-area',
+    },
+}))
+vi.stubGlobal('isSafeReturnUrl', (url: string) => url.startsWith('/') && !url.startsWith('//') && !url.includes('\\'))
+vi.stubGlobal('isSecureRequest', () => true)
+
+describe('authorize.get', () => {
+    let handler: EventHandler
+
+    beforeEach(async () => {
+        vi.clearAllMocks()
+        mockGetRequestHeader.mockImplementation((header: string) => {
+            if (header === 'host') return 'app.example.com'
+            if (header === 'x-forwarded-proto') return 'https'
+            return undefined
+        })
+
+        vi.resetModules()
+        const mod = await import('./authorize.get')
+        handler = mod.default
+    })
+
+    it('rejects invalid connector key', async () => {
+        mockGetQuery.mockReturnValue({ connector_key: 'evil', return_url: '/' })
+
+        const err = await catchHttpError(() => handler(fakeEvent()))
+        expect(err.statusCode).toBe(400)
+        expect(err.message).toBe('Invalid connector key')
+    })
+
+    it('rejects unsafe return URL', async () => {
+        mockGetQuery.mockReturnValue({ connector_key: 'customer', return_url: '//evil.com' })
+
+        const err = await catchHttpError(() => handler(fakeEvent()))
+        expect(err.statusCode).toBe(400)
+        expect(err.message).toBe('Invalid return URL')
+    })
+
+    it('sets state, codeVerifier, and returnUrl cookies', async () => {
+        mockGetQuery.mockReturnValue({ connector_key: 'customer', return_url: '/dashboard' })
+
+        await handler(fakeEvent())
+
+        const cookieNames = mockSetCookie.mock.calls.map((c: unknown[]) => c[0])
+        expect(cookieNames).toContain('auth:state')
+        expect(cookieNames).toContain('auth:codeVerifier')
+        expect(cookieNames).toContain('auth:returnUrl')
+
+        const returnUrlCall = mockSetCookie.mock.calls.find((c: unknown[]) => c[0] === 'auth:returnUrl')
+        expect(returnUrlCall[1]).toBe('/dashboard')
+    })
+
+    it('redirects to auth server with PKCE params', async () => {
+        mockGetQuery.mockReturnValue({ connector_key: 'customer', return_url: '/' })
+
+        await handler(fakeEvent())
+
+        expect(mockSendRedirect).toHaveBeenCalledTimes(1)
+        const url = lastRedirectUrl(mockSendRedirect)
+        expect(url).toContain('https://auth.example.com/connect/authorize')
+        expect(url).toContain('client_id=test-client-id')
+        expect(url).toContain('response_type=code')
+        expect(url).toContain('code_challenge_method=S256')
+        expect(url).toContain('code_challenge=')
+        expect(url).toContain('state=')
+        expect(url).toContain('connector_key=customer')
+    })
+
+    it('adds prompt=login when force reauthentication is set', async () => {
+        mockGetQuery.mockReturnValue({
+            connector_key: 'norriq',
+            return_url: '/',
+            force_reauthentication: 'true',
+        })
+
+        await handler(fakeEvent())
+
+        expect(lastRedirectUrl(mockSendRedirect)).toContain('prompt=login')
+    })
+
+    it('reads force reauth from cookie and deletes it', async () => {
+        mockGetQuery.mockReturnValue({ connector_key: 'customer', return_url: '/' })
+        mockGetCookie.mockImplementation((name: string) => {
+            if (name === 'auth:forceReauth') return 'true'
+            return undefined
+        })
+
+        await handler(fakeEvent())
+
+        expect(mockDeleteCookie).toHaveBeenCalledWith('auth:forceReauth', { path: '/' })
+        expect(lastRedirectUrl(mockSendRedirect)).toContain('prompt=login')
+    })
+
+    it('defaults return_url to / when not provided', async () => {
+        mockGetQuery.mockReturnValue({ connector_key: 'customer' })
+
+        await handler(fakeEvent())
+
+        const returnUrlCall = mockSetCookie.mock.calls.find((c: unknown[]) => c[0] === 'auth:returnUrl')
+        expect(returnUrlCall[1]).toBe('/')
+    })
+})

package/server/api/auth/credentials-login.post.ts

@@ -0,0 +1,63 @@
+import { decodeJwt } from 'jose'
+
+export default defineEventHandler(async (event) => {
+    const { username, password, areaId } = await readBody<{
+        username: string
+        password: string
+        areaId: string
+    }>(event)
+
+    if (!username || !password) {
+        throw createError({ statusCode: 400, message: 'Username and password are required' })
+    }
+
+    try {
+        const tokens = await exchangeToken({
+            grant_type: 'password',
+            username,
+            password,
+            area_id: areaId,
+            connector_key: 'stored-users',
+            scope: 'openid offline_access',
+        })
+
+        const decoded = decodeJwt(tokens.access_token)
+        const claims = extractClaims(decoded)
+        const expiresAt = decoded.exp ?? Math.floor(Date.now() / 1000) + (tokens.expires_in ?? 3600)
+
+        await setSessionCookie(event, {
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token || '',
+            authMethod: 'credentials',
+            name: claims.name,
+            username: claims.sub,
+            customerNumber: claims.customerNumber,
+            roles: claims.roles,
+            tokenPolicy: {
+                accessToken: { expiresAt },
+                refreshToken: {
+                    isEnabled: !!tokens.refresh_token,
+                    expiresAt: null,
+                },
+            },
+        })
+
+        deleteCookie(event, 'auth:impersonateToken')
+
+        return { ok: true }
+    } catch (err: unknown) {
+        // Translate NORRIQ.Auth error responses to match the existing LoginExceptionResponse shape
+        // so the UI error handling in userStore.login() works unchanged
+        if (hasErrorData(err)) {
+            throw createError({
+                statusCode: 401,
+                data: err.data,
+            })
+        }
+
+        throw createError({
+            statusCode: 401,
+            data: { type: 'AuthenticationFailed', message: 'Authentication failed' },
+        })
+    }
+})

package/server/api/auth/oauth-callback/[connectorKey].ts

@@ -0,0 +1,99 @@
+import type { H3Event } from 'h3'
+import type { User } from 'next-auth'
+import { decodeJwt } from 'jose'
+
+function isAuthMethod(value: string): value is User['authMethod'] {
+    return value === 'customer' || value === 'norriq'
+}
+
+export default defineEventHandler(async (event: H3Event) => {
+    const query = getQuery(event)
+    const code = typeof query.code === 'string' ? query.code : undefined
+    const error = typeof query.error === 'string' ? query.error : undefined
+    const errorDescription = typeof query.error_description === 'string' ? query.error_description : undefined
+    const connectorKeyRaw = getRouterParam(event, 'connectorKey') || ''
+
+    if (error) {
+        console.error('[oauth-cb] Auth server error:', error, errorDescription)
+        return sendRedirect(
+            event,
+            `/login?error=${encodeURIComponent(error)}&error_description=${encodeURIComponent(errorDescription || '')}`
+        )
+    }
+
+    // Validate CSRF state
+    const stateParam = typeof query.state === 'string' ? query.state : undefined
+    const stateCookie = getCookie(event, 'auth:state')
+    deleteCookie(event, 'auth:state')
+
+    // Retrieve PKCE code_verifier for token exchange
+    const codeVerifier = getCookie(event, 'auth:codeVerifier')
+    deleteCookie(event, 'auth:codeVerifier')
+
+    if (!stateParam || !stateCookie || stateParam !== stateCookie) {
+        return sendRedirect(event, '/login?error=invalid_state')
+    }
+
+    if (!codeVerifier) {
+        return sendRedirect(event, '/login?error=missing_code_verifier')
+    }
+
+    if (!isAuthMethod(connectorKeyRaw)) {
+        return sendRedirect(event, '/login?error=invalid_connector')
+    }
+
+    if (!code) {
+        return sendRedirect(event, '/login?error=no-code')
+    }
+
+    try {
+        const requestUrl = getRequestURL(event)
+        const host = getRequestHeader(event, 'host') || requestUrl.host
+        const protocol = isSecureRequest(event) ? 'https:' : 'http:'
+        const callbackUrl = `${protocol}//${host}/api/auth/oauth-callback/${connectorKeyRaw}`
+
+        const tokens = await exchangeToken({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: callbackUrl,
+            code_verifier: codeVerifier,
+        })
+
+        const accessToken = tokens.access_token
+        const refreshToken = tokens.refresh_token || ''
+        const expiresAt = tokens.expires_in
+            ? Math.floor(Date.now() / 1000) + tokens.expires_in
+            : Math.floor(Date.now() / 1000) + 3600
+
+        const decoded = decodeJwt(accessToken)
+        const claims = extractClaims(decoded)
+
+        await setSessionCookie(event, {
+            accessToken,
+            refreshToken,
+            authMethod: connectorKeyRaw,
+            name: claims.name,
+            username: claims.sub,
+            customerNumber: claims.customerNumber,
+            roles: claims.roles,
+            tokenPolicy: {
+                accessToken: { expiresAt },
+                refreshToken: {
+                    isEnabled: !!refreshToken,
+                    expiresAt,
+                },
+            },
+        })
+
+        const returnUrl = getCookie(event, 'auth:returnUrl') || '/'
+        deleteCookie(event, 'auth:returnUrl')
+        const safeReturnUrl = isSafeReturnUrl(returnUrl) ? returnUrl : '/'
+
+        return sendRedirect(event, safeReturnUrl)
+    } catch (err: unknown) {
+        const msg = err instanceof Error ? err.message : String(err)
+        const data = (err as { data?: unknown })?.data
+        console.error('[oauth-cb] Token exchange failed:', msg, data ? JSON.stringify(data) : '')
+        return sendRedirect(event, '/login?error=token-exchange-failed')
+    }
+})