@peterbud/nuxt-aegis 1.1.0-alpha.2 → 1.1.0-alpha.4

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-aegis",
   "configKey": "nuxtAegis",
-  "version": "1.1.0-alpha.2",
+  "version": "1.1.0-alpha.4",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "unknown"

package/dist/module.mjs

@@ -21,6 +21,8 @@ const module$1 = defineNuxtModule({
     tokenRefresh: {
       enabled: true,
       automaticRefresh: true,
+      rotationEnabled: true,
+      // Enable refresh token rotation by default for security
       cookie: {
         cookieName: "nuxt-aegis-refresh",
         maxAge: 60 * 60 * 24 * 7,
@@ -95,18 +97,18 @@ const module$1 = defineNuxtModule({
       nuxtAegis: options
     });
     const runtimeConfig = nuxt.options.runtimeConfig;
+    const logger = useLogger("nuxt-aegis");
     if (options.enableSSR && nuxt.options.ssr === false) {
-      const logger2 = useLogger("nuxt-aegis");
-      logger2.warn(
+      logger.warn(
         "nuxtAegis.enableSSR is true but Nuxt SSR is disabled. SSR authentication will not work. Set ssr: true in nuxt.config.ts or disable enableSSR."
       );
     }
     const resolver = createResolver(import.meta.url);
     if (options.tokenRefresh?.encryption?.enabled) {
-      const encryptionKey = options.tokenRefresh.encryption.key || process.env.NUXT_AEGIS_ENCRYPTION_KEY;
-      if (!encryptionKey) {
-        throw new Error(
-          "[Nuxt Aegis] Encryption is enabled but no encryption key is configured. Please set tokenRefresh.encryption.key in nuxt.config.ts or NUXT_AEGIS_ENCRYPTION_KEY environment variable."
+      const encryptionKey = options.tokenRefresh.encryption.key;
+      if (!encryptionKey && nuxt.options._prepare !== true) {
+        logger.warn(
+          "[Nuxt Aegis] Encryption is enabled but no encryption key is configured. The application will fail at runtime if encryption is attempted. Please set tokenRefresh.encryption.key in nuxt.config.ts or in the appropriate environment variable."
         );
       }
       if (!runtimeConfig.nuxtAegis) {
@@ -145,6 +147,8 @@ const module$1 = defineNuxtModule({
       { name: "revokeRefreshToken", from: resolver.resolve("./runtime/server/utils/refreshToken") },
       { name: "deleteUserRefreshTokens", from: resolver.resolve("./runtime/server/utils/refreshToken") },
       { name: "hashRefreshToken", from: resolver.resolve("./runtime/server/utils/refreshToken") },
+      // Claims recomputation utilities (from recomputeClaims.ts)
+      { name: "recomputeCustomClaims", from: resolver.resolve("./runtime/server/utils/recomputeClaims") },
       // Cookie utilities (from cookies.ts)
       { name: "setRefreshTokenCookie", from: resolver.resolve("./runtime/server/utils/cookies") },
       // Handler utilities (from handler.ts)
@@ -171,6 +175,11 @@ const module$1 = defineNuxtModule({
       handler: resolver.resolve("./runtime/server/routes/refresh.post"),
       method: "post"
     });
+    addServerHandler({
+      route: `${runtimeConfig.public.nuxtAegis.authPath}/update-claims`,
+      handler: resolver.resolve("./runtime/server/routes/update-claims.post"),
+      method: "post"
+    });
     if (options.impersonation?.enabled) {
       addServerHandler({
         route: `${runtimeConfig.public.nuxtAegis.authPath}/impersonate`,
@@ -211,7 +220,6 @@ const module$1 = defineNuxtModule({
       addPlugin(resolver.resolve("./runtime/app/plugins/api.server"));
       addPlugin(resolver.resolve("./runtime/app/plugins/ssr-state.server"));
     }
-    const logger = useLogger("nuxt-aegis");
     if (options.clientMiddleware?.enabled) {
       const cm = options.clientMiddleware;
       if (cm.global) {

package/dist/runtime/app/composables/useAuth.d.ts

@@ -26,7 +26,9 @@ interface UseAuthReturn<T extends BaseTokenClaims = BaseTokenClaims> {
     /** Method to end the user session */
     logout: (redirectTo?: string) => Promise<void>;
     /** Method to refresh the authentication state */
-    refresh: () => Promise<void>;
+    refresh: (options?: {
+        updateClaims?: boolean;
+    }) => Promise<void>;
     /** Method to impersonate another user (admin only) */
     impersonate: (targetUserId: string, reason?: string) => Promise<void>;
     /** Method to stop impersonation and restore original session */
@@ -58,7 +60,7 @@ interface UseAuthReturn<T extends BaseTokenClaims = BaseTokenClaims> {
  * Methods:
  * - login(provider) - Initiate OAuth flow
  * - logout() - End user session
- * - refresh() - Restore authentication state
+ * - refresh(options?) - Restore authentication state, optionally with updated claims
  *
  * @template T - Custom token payload type extending BaseTokenClaims
  * @returns {UseAuthReturn<T>} Authentication state and methods

package/dist/runtime/app/composables/useAuth.js

@@ -1,5 +1,5 @@
 import { useRuntimeConfig, navigateTo, useState, computed } from "#imports";
-import { clearAccessToken } from "../utils/tokenStore.js";
+import { clearAccessToken, setAccessToken, getAccessToken } from "../utils/tokenStore.js";
 import { createLogger } from "../utils/logger.js";
 import { validateRedirectPath } from "../utils/redirectValidation.js";
 import { filterTimeSensitiveClaims } from "../utils/tokenUtils.js";
@@ -30,16 +30,22 @@ export function useAuth() {
   const loginPath = publicConfig.nuxtAegis?.loginPath || authPath;
   const logoutPath = publicConfig.nuxtAegis?.logoutPath;
   const refreshPath = publicConfig.nuxtAegis?.refreshPath;
-  async function refresh() {
+  async function refresh(options) {
     authState.value.isLoading = true;
     authState.value.error = null;
-    logger.debug("Refreshing authentication state...");
+    logger.debug("Refreshing authentication state...", { updateClaims: options?.updateClaims });
     try {
+      if (options?.updateClaims) {
+        logger.debug("Updating custom claims before refresh...");
+        await $fetch(`${authPath}/update-claims`, {
+          method: "POST"
+        });
+        logger.debug("Claims updated successfully in storage");
+      }
       const response = await $fetch(`${refreshPath}`, {
         method: "POST"
       });
       if (response?.accessToken) {
-        const { setAccessToken } = await import("../utils/tokenStore.js");
         setAccessToken(response.accessToken);
         const tokenParts = response.accessToken.split(".");
         if (tokenParts[1]) {
@@ -57,6 +63,7 @@ export function useAuth() {
       authState.value.error = "Failed to refresh authentication";
       clearAccessToken();
       logger.error("Auth refresh failed:", error);
+      throw error;
     } finally {
       authState.value.isLoading = false;
     }
@@ -95,7 +102,6 @@ export function useAuth() {
       authState.value.error = null;
       authState.value.isLoading = true;
       logger.debug("Starting impersonation...", { targetUserId });
-      const { getAccessToken } = await import("../utils/tokenStore.js");
       const currentToken = getAccessToken();
       if (!currentToken) {
         throw new Error("Must be authenticated to impersonate");
@@ -111,7 +117,6 @@ export function useAuth() {
         }
       });
       if (response?.accessToken) {
-        const { setAccessToken } = await import("../utils/tokenStore.js");
         setAccessToken(response.accessToken);
         const tokenParts = response.accessToken.split(".");
         if (tokenParts[1]) {
@@ -138,7 +143,6 @@ export function useAuth() {
       authState.value.error = null;
       authState.value.isLoading = true;
       logger.debug("Stopping impersonation...");
-      const { getAccessToken } = await import("../utils/tokenStore.js");
       const currentToken = getAccessToken();
       if (!currentToken) {
         throw new Error("No active session");
@@ -150,7 +154,6 @@ export function useAuth() {
         }
       });
       if (response?.accessToken) {
-        const { setAccessToken } = await import("../utils/tokenStore.js");
         setAccessToken(response.accessToken);
         const tokenParts = response.accessToken.split(".");
         if (tokenParts[1]) {

package/dist/runtime/app/plugins/api.client.js

@@ -5,88 +5,91 @@ import { isRouteMatch } from "../utils/routeMatching.js";
 import { createLogger } from "../utils/logger.js";
 import { validateRedirectPath } from "../utils/redirectValidation.js";
 const logger = createLogger("API:Client");
-export default defineNuxtPlugin(async (nuxtApp) => {
-  let isRefreshing = false;
-  let refreshPromise = null;
-  let isInitialized = false;
-  const autoRefreshEnabled = nuxtApp.$config.public.nuxtAegis.tokenRefresh.automaticRefresh ?? true;
-  async function attemptTokenRefresh() {
-    if (isRefreshing) return refreshPromise;
-    logger.debug("Attempting token refresh...");
-    isRefreshing = true;
-    refreshPromise = nuxtApp.runWithContext(async () => {
-      const auth = useAuth();
-      try {
-        await auth.refresh();
-        return getAccessToken();
-      } catch (error) {
-        logger.error("Token refresh failed:", error);
-        return null;
-      } finally {
-        isRefreshing = false;
-        refreshPromise = null;
-      }
-    });
-    return refreshPromise;
-  }
-  const api = $fetch.create({
-    onRequest({ options }) {
-      const token = getAccessToken();
-      if (token) {
-        options.headers.set("Authorization", `Bearer ${token}`);
-      }
-    },
-    async onResponseError({ options, response }) {
-      if (response.status === 401 && autoRefreshEnabled) {
-        const newToken = await attemptTokenRefresh();
-        if (newToken) {
-          options.headers.set("Authorization", `Bearer ${newToken}`);
-          return;
+export default defineNuxtPlugin({
+  name: "nuxt-aegis-api-client",
+  async setup(nuxtApp) {
+    let isRefreshing = false;
+    let refreshPromise = null;
+    let isInitialized = false;
+    const autoRefreshEnabled = nuxtApp.$config.public.nuxtAegis.tokenRefresh.automaticRefresh ?? true;
+    async function attemptTokenRefresh() {
+      if (isRefreshing) return refreshPromise;
+      logger.debug("Attempting token refresh...");
+      isRefreshing = true;
+      refreshPromise = nuxtApp.runWithContext(async () => {
+        const auth = useAuth();
+        try {
+          await auth.refresh();
+          return getAccessToken();
+        } catch (error) {
+          logger.error("Token refresh failed:", error);
+          return null;
+        } finally {
+          isRefreshing = false;
+          refreshPromise = null;
         }
-        clearAccessToken();
-        const config = useRuntimeConfig();
-        const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
-        await nuxtApp.runWithContext(() => navigateTo(`${errorUrl}?error=token_refresh_failed&error_description=${encodeURIComponent("Session expired. Please log in again.")}`));
-      }
-    },
-    retry: autoRefreshEnabled ? 1 : 0,
-    retryStatusCodes: [401]
-  });
-  const result = {
-    provide: {
-      api
+      });
+      return refreshPromise;
     }
-  };
-  if (!isInitialized && autoRefreshEnabled) {
-    isInitialized = true;
-    logger.debug("Initializing auth state on startup...");
-    nuxtApp.hook("app:mounted", async () => {
-      await nuxtApp.runWithContext(async () => {
-        const callbackPath = nuxtApp.$config.public.nuxtAegis.callbackPath;
-        if (typeof window !== "undefined" && window.location.pathname === callbackPath) {
-          logger.debug("On auth callback page, skipping refresh");
-          return;
+    const api = $fetch.create({
+      onRequest({ options }) {
+        const token = getAccessToken();
+        if (token) {
+          options.headers.set("Authorization", `Bearer ${token}`);
         }
-        if (typeof window !== "undefined") {
-          const publicRoutes = nuxtApp.$config.public.nuxtAegis?.clientMiddleware?.publicRoutes || [];
-          const currentPath = window.location.pathname;
-          if (isRouteMatch(currentPath, publicRoutes)) {
-            logger.debug("On public route, skipping refresh on startup");
+      },
+      async onResponseError({ options, response }) {
+        if (response.status === 401 && autoRefreshEnabled) {
+          const newToken = await attemptTokenRefresh();
+          if (newToken) {
+            options.headers.set("Authorization", `Bearer ${newToken}`);
             return;
           }
+          clearAccessToken();
+          const config = useRuntimeConfig();
+          const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
+          await nuxtApp.runWithContext(() => navigateTo(`${errorUrl}?error=token_refresh_failed&error_description=${encodeURIComponent("Session expired. Please log in again.")}`));
         }
-        const currentToken = getAccessToken();
-        if (currentToken) {
-          logger.debug("Access token already present, skipping refresh on startup");
-          return;
-        }
-        try {
-          await useAuth().refresh();
-        } catch {
-          logger.debug("No valid refresh token found on startup");
-        }
-      });
+      },
+      retry: autoRefreshEnabled ? 1 : 0,
+      retryStatusCodes: [401]
     });
+    const result = {
+      provide: {
+        api
+      }
+    };
+    if (!isInitialized && autoRefreshEnabled) {
+      isInitialized = true;
+      logger.debug("Initializing auth state on startup...");
+      nuxtApp.hook("app:mounted", async () => {
+        await nuxtApp.runWithContext(async () => {
+          const callbackPath = nuxtApp.$config.public.nuxtAegis.callbackPath;
+          if (typeof window !== "undefined" && window.location.pathname === callbackPath) {
+            logger.debug("On auth callback page, skipping refresh");
+            return;
+          }
+          if (typeof window !== "undefined") {
+            const publicRoutes = nuxtApp.$config.public.nuxtAegis?.clientMiddleware?.publicRoutes || [];
+            const currentPath = window.location.pathname;
+            if (isRouteMatch(currentPath, publicRoutes)) {
+              logger.debug("On public route, skipping refresh on startup");
+              return;
+            }
+          }
+          const currentToken = getAccessToken();
+          if (currentToken) {
+            logger.debug("Access token already present, skipping refresh on startup");
+            return;
+          }
+          try {
+            await useAuth().refresh();
+          } catch {
+            logger.debug("No valid refresh token found on startup");
+          }
+        });
+      });
+    }
+    return result;
   }
-  return result;
 });

package/dist/runtime/app/plugins/api.server.js

@@ -1,6 +1,6 @@
 import { defineNuxtPlugin, useRequestEvent } from "#app";
 export default defineNuxtPlugin({
-  name: "api-server",
+  name: "nuxt-aegis-api-server",
   enforce: "pre",
   async setup() {
     const api = $fetch.create({

package/dist/runtime/app/plugins/ssr-state.server.js

@@ -1,13 +1,16 @@
 import { defineNuxtPlugin, useState, useRequestEvent } from "#app";
 import { filterTimeSensitiveClaims } from "../utils/tokenUtils.js";
-export default defineNuxtPlugin(() => {
-  const event = useRequestEvent();
-  if (event?.context.user) {
-    const user = event.context.user;
-    useState("auth-state", () => ({
-      user: filterTimeSensitiveClaims(user),
-      isLoading: false,
-      error: null
-    }));
+export default defineNuxtPlugin({
+  name: "nuxt-aegis-ssr-state",
+  async setup() {
+    const event = useRequestEvent();
+    if (event?.context.user) {
+      const user = event.context.user;
+      useState("auth-state", () => ({
+        user: filterTimeSensitiveClaims(user),
+        isLoading: false,
+        error: null
+      }));
+    }
   }
 });

package/dist/runtime/server/middleware/auth.js

@@ -18,21 +18,20 @@ export default defineEventHandler(async (event) => {
   const routeRules = await getRouteRules(event);
   const authConfig = routeRules.nuxtAegis?.auth;
   const shouldProtect = authConfig === true || authConfig === "required" || authConfig === "protected";
-  const shouldSkip = authConfig === false || authConfig === "public" || authConfig === "skip";
-  if (!shouldProtect || shouldSkip) {
-    return;
-  }
   let token;
   const authHeader = getHeader(event, "authorization");
   if (authHeader?.startsWith("Bearer ")) {
     token = authHeader.substring(7);
   }
   if (!token) {
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Unauthorized",
-      message: "Authentication required"
-    });
+    if (shouldProtect) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Authentication required"
+      });
+    }
+    return;
   }
   if (!tokenConfig || !tokenConfig.secret) {
     logger.error("Token configuration is missing");
@@ -45,29 +44,38 @@ export default defineEventHandler(async (event) => {
   const payload = await verifyToken(token, tokenConfig.secret);
   if (!payload) {
     logger.debug("Token verification failed for path:", requestURL.pathname);
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Unauthorized",
-      message: "Invalid or expired token"
-    });
+    if (shouldProtect) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Invalid or expired token"
+      });
+    }
+    return;
   }
   if (tokenConfig.issuer && payload.iss !== tokenConfig.issuer) {
     logger.debug("Token issuer mismatch. Expected:", tokenConfig.issuer, "Got:", payload.iss);
-    throw createError({
-      statusCode: 401,
-      statusMessage: "Unauthorized",
-      message: "Invalid token issuer"
-    });
+    if (shouldProtect) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Invalid token issuer"
+      });
+    }
+    return;
   }
   if (tokenConfig.audience && payload.aud) {
     const audienceMatch = Array.isArray(payload.aud) ? payload.aud.includes(tokenConfig.audience) : payload.aud === tokenConfig.audience;
     if (!audienceMatch) {
       logger.debug("Token audience mismatch. Expected:", tokenConfig.audience, "Got:", payload.aud);
-      throw createError({
-        statusCode: 401,
-        statusMessage: "Unauthorized",
-        message: "Invalid token audience"
-      });
+      if (shouldProtect) {
+        throw createError({
+          statusCode: 401,
+          statusMessage: "Unauthorized",
+          message: "Invalid token audience"
+        });
+      }
+      return;
     }
   }
   const { iat, exp, iss, aud, ...userData } = payload;

package/dist/runtime/server/routes/refresh.post.js

@@ -8,6 +8,8 @@ import {
 } from "../utils/refreshToken.js";
 import { setRefreshTokenCookie } from "../utils/cookies.js";
 import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../utils/logger.js";
+const logger = createLogger("Refresh");
 export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig(event);
   const cookieConfig = config.nuxtAegis?.tokenRefresh?.cookie;
@@ -65,22 +67,29 @@ export default defineEventHandler(async (event) => {
       // Include provider name in JWT payload
     };
     const newToken = await generateToken(payload, tokenConfig, customClaims);
-    const newRefreshToken = await generateAndStoreRefreshToken(
-      providerUserInfo,
-      // RS-2: Store complete OAuth provider user data
-      provider,
-      // Store provider name
-      tokenRefreshConfig,
-      hashedRefreshToken,
-      // Pass previous token hash for rotation tracking
-      customClaims,
-      // Preserve custom claims in new refresh token
-      event
-    );
-    if (newRefreshToken) {
-      setRefreshTokenCookie(event, newRefreshToken, cookieConfig);
+    const rotationEnabled = tokenRefreshConfig?.rotationEnabled ?? true;
+    if (rotationEnabled) {
+      logger.debug("Rotating refresh token for user:", payload.sub);
+      const newRefreshToken = await generateAndStoreRefreshToken(
+        providerUserInfo,
+        // RS-2: Store complete OAuth provider user data
+        provider,
+        // Store provider name
+        tokenRefreshConfig,
+        hashedRefreshToken,
+        // Pass previous token hash for rotation tracking
+        customClaims,
+        // Preserve custom claims in new refresh token
+        event
+      );
+      if (newRefreshToken) {
+        setRefreshTokenCookie(event, newRefreshToken, cookieConfig);
+      }
+      await revokeRefreshToken(hashedRefreshToken, event);
+    } else {
+      logger.debug("Reusing existing refresh token for user:", payload.sub);
+      setRefreshTokenCookie(event, refreshToken, cookieConfig);
     }
-    await revokeRefreshToken(hashedRefreshToken, event);
     return {
       success: true,
       message: "Token refreshed successfully",

package/dist/runtime/server/routes/update-claims.post.d.ts

@@ -0,0 +1,33 @@
+/**
+ * POST /auth/update-claims
+ *
+ * Recomputes custom JWT claims based on current user data.
+ * Useful when user data changes (role, permissions, etc.) and claims need updating
+ * without requiring the user to logout and login again.
+ *
+ * Process:
+ * 1. Validates refresh token from cookie
+ * 2. Verifies user owns the refresh token (authorization check)
+ * 3. Re-executes global handler's customClaims callback
+ * 4. Optionally re-executes onUserPersist for fresh DB data (if configured)
+ * 5. Updates stored refresh token data with new claims
+ * 6. User must call refresh() afterward to get a new JWT with updated claims
+ *
+ * Configuration:
+ * - Requires: tokenRefresh.enableClaimsUpdate = true (default)
+ * - Optional: tokenRefresh.recomputeOnUserPersist = true (fetch fresh DB data)
+ *
+ * Security:
+ * - Requires valid refresh token cookie
+ * - Users can only update their own claims
+ * - Claims are recomputed via the same handler used during initial auth
+ *
+ * @returns Success response with message
+ * @throws 401 if no refresh token or invalid token
+ * @throws 403 if feature is disabled
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    message: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/update-claims.post.js

@@ -0,0 +1,66 @@
+import { defineEventHandler, getCookie, createError } from "h3";
+import { hashRefreshToken, getRefreshTokenData, storeRefreshTokenData } from "../utils/refreshToken.js";
+import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../utils/logger.js";
+import { recomputeCustomClaims } from "../utils/recomputeClaims.js";
+const logger = createLogger("UpdateClaims");
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const cookieConfig = config.nuxtAegis?.tokenRefresh?.cookie;
+  const tokenRefreshConfig = config.nuxtAegis?.tokenRefresh;
+  const enableClaimsUpdate = tokenRefreshConfig?.enableClaimsUpdate ?? true;
+  if (!enableClaimsUpdate) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Forbidden",
+      message: "Claims update feature is disabled"
+    });
+  }
+  const cookieName = cookieConfig?.cookieName || "nuxt-aegis-refresh";
+  const refreshToken = getCookie(event, cookieName);
+  if (!refreshToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No refresh token found"
+    });
+  }
+  try {
+    const hashedRefreshToken = hashRefreshToken(refreshToken);
+    const storedRefreshToken = await getRefreshTokenData(hashedRefreshToken, event);
+    const isRevoked = storedRefreshToken?.isRevoked || false;
+    const isExpired = storedRefreshToken?.expiresAt ? Date.now() > storedRefreshToken.expiresAt : true;
+    if (!storedRefreshToken || isRevoked || isExpired) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Invalid or expired refresh token"
+      });
+    }
+    logger.debug(`Updating claims for user: ${storedRefreshToken.sub}`);
+    const newCustomClaims = await recomputeCustomClaims(storedRefreshToken, event);
+    await storeRefreshTokenData(
+      hashedRefreshToken,
+      {
+        ...storedRefreshToken,
+        customClaims: newCustomClaims
+      },
+      event
+    );
+    logger.debug("Claims updated successfully. User should call refresh() to get new JWT.");
+    return {
+      success: true,
+      message: "Claims updated successfully. Call refresh() to receive a new access token with updated claims."
+    };
+  } catch (error) {
+    if (error && typeof error === "object" && "statusCode" in error) {
+      throw error;
+    }
+    logger.error("Claims update failed:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to update claims"
+    });
+  }
+});

package/dist/runtime/server/utils/recomputeClaims.d.ts

@@ -0,0 +1,20 @@
+import type { H3Event } from 'h3';
+import type { RefreshTokenData } from '../../types/index.js';
+/**
+ * Recompute custom claims for a user based on current data
+ *
+ * Uses the global handler's customClaims callback to generate fresh claims.
+ * Optionally re-executes onUserPersist to fetch fresh database data.
+ *
+ * @param refreshTokenData - Stored refresh token data containing user info
+ * @param event - H3 event for context
+ * @returns Updated custom claims object
+ *
+ * @example
+ * ```typescript
+ * const storedData = await getRefreshTokenData(hashedToken, event)
+ * const newClaims = await recomputeCustomClaims(storedData, event)
+ * // newClaims now contains fresh data from database
+ * ```
+ */
+export declare function recomputeCustomClaims(refreshTokenData: RefreshTokenData, event: H3Event): Promise<Record<string, unknown>>;

package/dist/runtime/server/utils/recomputeClaims.js

@@ -0,0 +1,50 @@
+import { useRuntimeConfig } from "#imports";
+import { useAegisHandler } from "./handler.js";
+import { processCustomClaims } from "./customClaims.js";
+import { createLogger } from "./logger.js";
+const logger = createLogger("RecomputeClaims");
+export async function recomputeCustomClaims(refreshTokenData, event) {
+  const config = useRuntimeConfig(event);
+  const tokenRefreshConfig = config.nuxtAegis?.tokenRefresh;
+  const handler = useAegisHandler();
+  if (!handler) {
+    logger.warn("No Aegis handler registered. Cannot recompute custom claims.");
+    return refreshTokenData.customClaims || {};
+  }
+  let userData = refreshTokenData.providerUserInfo;
+  const provider = refreshTokenData.provider;
+  if (tokenRefreshConfig?.recomputeOnUserPersist && handler.onUserPersist) {
+    logger.debug(`Re-executing onUserPersist for provider: ${provider}`);
+    const persistContext = {
+      provider,
+      event
+    };
+    try {
+      const enrichedData = await handler.onUserPersist(userData, persistContext);
+      if (enrichedData) {
+        userData = {
+          ...userData,
+          ...enrichedData
+        };
+      }
+    } catch (error) {
+      logger.error("Error re-executing onUserPersist:", error);
+    }
+  }
+  if (!handler.customClaims) {
+    logger.debug("No customClaims callback defined in handler. Returning existing claims.");
+    return refreshTokenData.customClaims || {};
+  }
+  try {
+    logger.debug(`Recomputing custom claims for user: ${refreshTokenData.sub}`);
+    const newClaims = await processCustomClaims(
+      userData,
+      handler.customClaims
+    );
+    logger.debug("Custom claims recomputed successfully");
+    return newClaims;
+  } catch (error) {
+    logger.error("Error recomputing custom claims:", error);
+    return refreshTokenData.customClaims || {};
+  }
+}

package/dist/runtime/types/refresh.d.ts

@@ -50,6 +50,12 @@ export interface TokenRefreshConfig {
     enabled?: boolean;
     /** Automatically refresh tokens in the background (default: true) */
     automaticRefresh?: boolean;
+    /** Enable refresh token rotation on every refresh (default: true) */
+    rotationEnabled?: boolean;
+    /** Enable claims update endpoint and functionality (default: true) */
+    enableClaimsUpdate?: boolean;
+    /** Re-execute onUserPersist hook when updating claims for fresh database data (default: false) */
+    recomputeOnUserPersist?: boolean;
     /** Refresh token cookie configuration */
     cookie?: CookieConfig;
     /** Encryption configuration for stored user data */

package/dist/runtime/types/routes.d.ts

@@ -23,8 +23,8 @@ export interface ClientMiddlewareConfig {
     global?: boolean;
     /** Redirect destination for unauthenticated users (required when enabled) */
     redirectTo: string;
-    /** Redirect destination for authenticated users on logged-out pages (required when enabled) */
-    loggedOutRedirectTo: string;
+    /** Redirect destination for authenticated users on logged-out pages */
+    loggedOutRedirectTo?: string;
     /** Array of route patterns excluded from authentication (glob patterns supported) */
     publicRoutes?: string[];
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@peterbud/nuxt-aegis",
-  "version": "1.1.0-alpha.2",
+  "version": "1.1.0-alpha.4",
   "description": "Nuxt module for authentication with JWT token generation and session management.",
   "publishConfig": {
     "access": "public"
@@ -39,9 +39,9 @@
   "scripts": {
     "build": "nuxt-module-build prepare && nuxt-module-build build",
     "prepack": "nuxt-module-build build",
-    "dev": "pnpm run dev:prepare && nuxi dev playground",
-    "dev:build": "nuxi build playground",
-    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
+    "dev": "pnpm run dev:prepare && nuxt dev playground",
+    "dev:build": "nuxt build playground",
+    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt prepare playground",
     "docs:dev": "pnpm --filter docs docs:dev",
     "docs:build": "pnpm --filter docs docs:build",
     "release": "pnpm run lint && pnpm run test && pnpm run prepack && changelogen --release && npm publish && git push --follow-tags",
@@ -52,25 +52,25 @@
     "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit"
   },
   "dependencies": {
-    "@nuxt/kit": "^4.2.1",
+    "@nuxt/kit": "^4.3.0",
     "consola": "^3.4.2",
     "defu": "^6.1.4",
     "jose": "^6.1.3",
-    "ufo": "^1.6.1"
+    "ufo": "^1.6.3"
   },
   "devDependencies": {
     "@nuxt/devtools": "^3.1.1",
-    "@nuxt/eslint-config": "^1.11.0",
+    "@nuxt/eslint-config": "^1.13.0",
     "@nuxt/module-builder": "^1.0.2",
-    "@nuxt/schema": "^4.2.1",
-    "@nuxt/test-utils": "^3.21.0",
+    "@nuxt/schema": "^4.3.0",
+    "@nuxt/test-utils": "^3.23.0",
     "@types/node": "latest",
     "changelogen": "^0.6.2",
-    "eslint": "^9.39.1",
-    "nuxt": "^4.2.1",
+    "eslint": "^9.39.2",
+    "nuxt": "^4.3.0",
     "typescript": "~5.9.3",
     "vitest": "^3.2.4",
-    "vue-tsc": "^3.1.5"
+    "vue-tsc": "^3.2.3"
   },
   "pnpm": {
     "overrides": {