@norriq/nuxt-auth 1.0.0

package/server/utils/jwtClaims.ts

@@ -0,0 +1,37 @@
+import type { JWTPayload } from 'jose'
+
+interface NorriqJwtClaims {
+    sub: string
+    name: string
+    customerNumber: string
+    roles: string[]
+}
+
+/** Type-safe extraction of custom claims from a decoded JWT. */
+export function extractClaims(decoded: JWTPayload): NorriqJwtClaims {
+    const sub = typeof decoded.sub === 'string' ? decoded.sub : ''
+    const name = typeof decoded.name === 'string' ? decoded.name : ''
+    const customerNumber = typeof decoded.CustomerNumber === 'string' ? decoded.CustomerNumber : ''
+    const roles = extractRoles(decoded.role)
+    return { sub, name, customerNumber, roles }
+}
+
+function extractRoles(role: unknown): string[] {
+    if (Array.isArray(role)) {
+        return role.filter((r): r is string => typeof r === 'string')
+    }
+    if (typeof role === 'string') {
+        return [role]
+    }
+    return []
+}
+
+/** Type guard for errors with a `data` property (e.g. FetchError responses). */
+export function hasErrorData(err: unknown): err is { data: Record<string, unknown> } {
+    return (
+        err !== null &&
+        typeof err === 'object' &&
+        'data' in err &&
+        typeof (err as Record<string, unknown>).data === 'object'
+    )
+}

package/types/next-auth.d.ts

@@ -0,0 +1,52 @@
+import 'next-auth'
+
+declare module 'next-auth' {
+    interface User {
+        accessToken: string
+        refreshToken: string
+        authMethod: 'customer' | 'norriq' | 'credentials'
+        roles: string[]
+        tokenPolicy: {
+            accessToken: { expiresAt: number }
+            refreshToken: {
+                isEnabled: boolean
+                expiresAt: number | null
+            }
+        }
+    }
+
+    interface Session {
+        user: {
+            username: string
+            name: string
+            customerNumber: string
+            roles: string[]
+            authInfo: {
+                accessToken: string
+                refreshToken: string
+                tokenPolicy: User['tokenPolicy']
+                authMethod: User['authMethod']
+            }
+        }
+        roles: string[]
+    }
+}
+
+declare module 'next-auth/jwt' {
+    interface JWT {
+        accessToken: string
+        refreshToken: string
+        authMethod: 'customer' | 'norriq' | 'credentials'
+        name: string
+        username: string
+        customerNumber: string
+        roles: string[]
+        tokenPolicy: {
+            accessToken: { expiresAt: number }
+            refreshToken: {
+                isEnabled: boolean
+                expiresAt: number | null
+            }
+        }
+    }
+}

package/utils/auth/AuthRefreshHandler.ts

@@ -0,0 +1,86 @@
+import type { RefreshHandler } from '@sidebase/nuxt-auth'
+
+const REFRESH_THRESHOLD_SECONDS = 60 * 5
+const REFRESH_INTERVAL_MS = 60 * 1000 * 2
+
+class CustomRefreshHandler implements RefreshHandler {
+    private auth: ReturnType<typeof useAuth> | null = null
+    private intervalId: ReturnType<typeof setInterval> | null = null
+    private boundVisibilityHandler = this.visibilityHandler.bind(this)
+
+    init(): void {
+        this.auth = useAuth()
+
+        if (typeof document !== 'undefined') {
+            document.addEventListener('visibilitychange', this.boundVisibilityHandler)
+        }
+
+        this.intervalId = setInterval(() => this.refreshTokenIfNeeded(), REFRESH_INTERVAL_MS)
+        this.refreshTokenIfNeeded()
+    }
+
+    destroy(): void {
+        if (typeof document !== 'undefined') {
+            document.removeEventListener('visibilitychange', this.boundVisibilityHandler)
+        }
+        if (this.intervalId) {
+            clearInterval(this.intervalId)
+            this.intervalId = null
+        }
+    }
+
+    private visibilityHandler(): void {
+        if (document.visibilityState === 'visible') {
+            this.refreshTokenIfNeeded()
+        }
+    }
+
+    async refreshTokenIfNeeded(): Promise<void> {
+        if (!this.auth?.data.value) return
+        if (this.auth.status.value !== 'authenticated') return
+
+        const authInfo = this.auth.data.value.user?.authInfo
+        if (!authInfo?.tokenPolicy) return
+
+        if (!authInfo.tokenPolicy.refreshToken?.isEnabled) {
+            const expiresIn = authInfo.tokenPolicy.accessToken.expiresAt - Math.floor(Date.now() / 1000)
+            if (expiresIn <= 0) {
+                this.signOutWithReturnUrl()
+            }
+            return
+        }
+
+        const tokenExpiresAt = authInfo.tokenPolicy.accessToken.expiresAt
+        const tokenExpiresIn = tokenExpiresAt - Math.floor(Date.now() / 1000)
+
+        if (tokenExpiresIn > REFRESH_THRESHOLD_SECONDS) {
+            return
+        }
+
+        try {
+            await this.performRefresh()
+        } catch (error) {
+            console.error('Token refresh failed, logging out:', error)
+            this.signOutWithReturnUrl()
+        }
+    }
+
+    private signOutWithReturnUrl(): void {
+        const currentPath = typeof window !== 'undefined' ? window.location.pathname + window.location.search : '/'
+        this.auth?.signOut({ callbackUrl: currentPath })
+    }
+
+    private async performRefresh(): Promise<void> {
+        const response = await $fetch<{ success: boolean }>('/api/auth/refresh-token', {
+            method: 'POST',
+        })
+
+        if (!response.success) {
+            throw new Error('Token refresh failed')
+        }
+
+        await this.auth?.getSession()
+    }
+}
+
+export default new CustomRefreshHandler()

package/utils/auth/authorizeRedirect.ts

@@ -0,0 +1,33 @@
+import { consumeForceReauth } from './forceReauth'
+
+/**
+ * Builds the authorize URL and navigates to it.
+ * Auto-redirects to CIAM. Use ?connector=norriq for NORRIQ staff login.
+ *
+ * If the route has an `error` query param (from a failed OAuth callback),
+ * returns the error instead of redirecting — preventing an infinite loop.
+ */
+export function useAuthorizeRedirect(defaultReturnUrl: string) {
+    const route = useRoute()
+
+    const error = typeof route.query.error === 'string' ? route.query.error : undefined
+    const errorDescription = typeof route.query.error_description === 'string' ? route.query.error_description : undefined
+
+    if (error) {
+        return { error, errorDescription }
+    }
+
+    const returnUrl = typeof route.query.redirect === 'string' ? route.query.redirect : defaultReturnUrl
+    const connector = route.query.connector === 'norriq' ? 'norriq' : 'customer'
+
+    const params = new URLSearchParams({
+        connector_key: connector,
+        return_url: returnUrl,
+    })
+    if (consumeForceReauth(route.query.forceReauthentication)) {
+        params.set('force_reauthentication', 'true')
+    }
+
+    navigateTo(`/api/auth/authorize?${params}`, { external: true })
+    return { error: undefined, errorDescription: undefined }
+}

package/utils/auth/forceReauth.ts

@@ -0,0 +1,28 @@
+const FORCE_REAUTHENTICATION_COOKIE = 'auth:forceReauth'
+
+/**
+ * Sets a cookie that forces CIAM reauthentication on the next login.
+ * Call this on sign-out so the user gets a fresh credential prompt
+ * instead of CIAM auto-signing them back in.
+ *
+ * Uses document.cookie directly because useCookie() batches writes
+ * reactively — signOut() can navigate away before the write flushes.
+ */
+export function setForceReauth() {
+    if (import.meta.client) {
+        const maxAge = 60 * 10
+        document.cookie = `${FORCE_REAUTHENTICATION_COOKIE}=true; path=/; max-age=${maxAge}`
+    }
+}
+
+/**
+ * Checks and consumes the force-reauthentication cookie.
+ * Returns true if reauthentication should be forced (from cookie or query param).
+ * Clears the cookie after reading.
+ */
+export function consumeForceReauth(queryValue: unknown): boolean {
+    const cookie = useCookie(FORCE_REAUTHENTICATION_COOKIE)
+    const force = queryValue === 'true' || cookie.value === 'true'
+    if (force) cookie.value = null
+    return force
+}