@peterbud/nuxt-aegis 1.1.0-alpha.3 → 1.1.0-alpha.4

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-aegis",
   "configKey": "nuxtAegis",
-  "version": "1.1.0-alpha.3",
+  "version": "1.1.0-alpha.4",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "unknown"

package/dist/module.mjs

@@ -106,7 +106,7 @@ const module$1 = defineNuxtModule({
     const resolver = createResolver(import.meta.url);
     if (options.tokenRefresh?.encryption?.enabled) {
       const encryptionKey = options.tokenRefresh.encryption.key;
-      if (!encryptionKey) {
+      if (!encryptionKey && nuxt.options._prepare !== true) {
         logger.warn(
           "[Nuxt Aegis] Encryption is enabled but no encryption key is configured. The application will fail at runtime if encryption is attempted. Please set tokenRefresh.encryption.key in nuxt.config.ts or in the appropriate environment variable."
         );
@@ -147,6 +147,8 @@ const module$1 = defineNuxtModule({
       { name: "revokeRefreshToken", from: resolver.resolve("./runtime/server/utils/refreshToken") },
       { name: "deleteUserRefreshTokens", from: resolver.resolve("./runtime/server/utils/refreshToken") },
       { name: "hashRefreshToken", from: resolver.resolve("./runtime/server/utils/refreshToken") },
+      // Claims recomputation utilities (from recomputeClaims.ts)
+      { name: "recomputeCustomClaims", from: resolver.resolve("./runtime/server/utils/recomputeClaims") },
       // Cookie utilities (from cookies.ts)
       { name: "setRefreshTokenCookie", from: resolver.resolve("./runtime/server/utils/cookies") },
       // Handler utilities (from handler.ts)
@@ -173,6 +175,11 @@ const module$1 = defineNuxtModule({
       handler: resolver.resolve("./runtime/server/routes/refresh.post"),
       method: "post"
     });
+    addServerHandler({
+      route: `${runtimeConfig.public.nuxtAegis.authPath}/update-claims`,
+      handler: resolver.resolve("./runtime/server/routes/update-claims.post"),
+      method: "post"
+    });
     if (options.impersonation?.enabled) {
       addServerHandler({
         route: `${runtimeConfig.public.nuxtAegis.authPath}/impersonate`,

package/dist/runtime/app/composables/useAuth.d.ts

@@ -26,7 +26,9 @@ interface UseAuthReturn<T extends BaseTokenClaims = BaseTokenClaims> {
     /** Method to end the user session */
     logout: (redirectTo?: string) => Promise<void>;
     /** Method to refresh the authentication state */
-    refresh: () => Promise<void>;
+    refresh: (options?: {
+        updateClaims?: boolean;
+    }) => Promise<void>;
     /** Method to impersonate another user (admin only) */
     impersonate: (targetUserId: string, reason?: string) => Promise<void>;
     /** Method to stop impersonation and restore original session */
@@ -58,7 +60,7 @@ interface UseAuthReturn<T extends BaseTokenClaims = BaseTokenClaims> {
  * Methods:
  * - login(provider) - Initiate OAuth flow
  * - logout() - End user session
- * - refresh() - Restore authentication state
+ * - refresh(options?) - Restore authentication state, optionally with updated claims
  *
  * @template T - Custom token payload type extending BaseTokenClaims
  * @returns {UseAuthReturn<T>} Authentication state and methods

package/dist/runtime/app/composables/useAuth.js

@@ -30,11 +30,18 @@ export function useAuth() {
   const loginPath = publicConfig.nuxtAegis?.loginPath || authPath;
   const logoutPath = publicConfig.nuxtAegis?.logoutPath;
   const refreshPath = publicConfig.nuxtAegis?.refreshPath;
-  async function refresh() {
+  async function refresh(options) {
     authState.value.isLoading = true;
     authState.value.error = null;
-    logger.debug("Refreshing authentication state...");
+    logger.debug("Refreshing authentication state...", { updateClaims: options?.updateClaims });
     try {
+      if (options?.updateClaims) {
+        logger.debug("Updating custom claims before refresh...");
+        await $fetch(`${authPath}/update-claims`, {
+          method: "POST"
+        });
+        logger.debug("Claims updated successfully in storage");
+      }
       const response = await $fetch(`${refreshPath}`, {
         method: "POST"
       });
@@ -56,6 +63,7 @@ export function useAuth() {
       authState.value.error = "Failed to refresh authentication";
       clearAccessToken();
       logger.error("Auth refresh failed:", error);
+      throw error;
     } finally {
       authState.value.isLoading = false;
     }

package/dist/runtime/server/routes/update-claims.post.d.ts

@@ -0,0 +1,33 @@
+/**
+ * POST /auth/update-claims
+ *
+ * Recomputes custom JWT claims based on current user data.
+ * Useful when user data changes (role, permissions, etc.) and claims need updating
+ * without requiring the user to logout and login again.
+ *
+ * Process:
+ * 1. Validates refresh token from cookie
+ * 2. Verifies user owns the refresh token (authorization check)
+ * 3. Re-executes global handler's customClaims callback
+ * 4. Optionally re-executes onUserPersist for fresh DB data (if configured)
+ * 5. Updates stored refresh token data with new claims
+ * 6. User must call refresh() afterward to get a new JWT with updated claims
+ *
+ * Configuration:
+ * - Requires: tokenRefresh.enableClaimsUpdate = true (default)
+ * - Optional: tokenRefresh.recomputeOnUserPersist = true (fetch fresh DB data)
+ *
+ * Security:
+ * - Requires valid refresh token cookie
+ * - Users can only update their own claims
+ * - Claims are recomputed via the same handler used during initial auth
+ *
+ * @returns Success response with message
+ * @throws 401 if no refresh token or invalid token
+ * @throws 403 if feature is disabled
+ */
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    success: boolean;
+    message: string;
+}>>;
+export default _default;

package/dist/runtime/server/routes/update-claims.post.js

@@ -0,0 +1,66 @@
+import { defineEventHandler, getCookie, createError } from "h3";
+import { hashRefreshToken, getRefreshTokenData, storeRefreshTokenData } from "../utils/refreshToken.js";
+import { useRuntimeConfig } from "#imports";
+import { createLogger } from "../utils/logger.js";
+import { recomputeCustomClaims } from "../utils/recomputeClaims.js";
+const logger = createLogger("UpdateClaims");
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig(event);
+  const cookieConfig = config.nuxtAegis?.tokenRefresh?.cookie;
+  const tokenRefreshConfig = config.nuxtAegis?.tokenRefresh;
+  const enableClaimsUpdate = tokenRefreshConfig?.enableClaimsUpdate ?? true;
+  if (!enableClaimsUpdate) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Forbidden",
+      message: "Claims update feature is disabled"
+    });
+  }
+  const cookieName = cookieConfig?.cookieName || "nuxt-aegis-refresh";
+  const refreshToken = getCookie(event, cookieName);
+  if (!refreshToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized",
+      message: "No refresh token found"
+    });
+  }
+  try {
+    const hashedRefreshToken = hashRefreshToken(refreshToken);
+    const storedRefreshToken = await getRefreshTokenData(hashedRefreshToken, event);
+    const isRevoked = storedRefreshToken?.isRevoked || false;
+    const isExpired = storedRefreshToken?.expiresAt ? Date.now() > storedRefreshToken.expiresAt : true;
+    if (!storedRefreshToken || isRevoked || isExpired) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Invalid or expired refresh token"
+      });
+    }
+    logger.debug(`Updating claims for user: ${storedRefreshToken.sub}`);
+    const newCustomClaims = await recomputeCustomClaims(storedRefreshToken, event);
+    await storeRefreshTokenData(
+      hashedRefreshToken,
+      {
+        ...storedRefreshToken,
+        customClaims: newCustomClaims
+      },
+      event
+    );
+    logger.debug("Claims updated successfully. User should call refresh() to get new JWT.");
+    return {
+      success: true,
+      message: "Claims updated successfully. Call refresh() to receive a new access token with updated claims."
+    };
+  } catch (error) {
+    if (error && typeof error === "object" && "statusCode" in error) {
+      throw error;
+    }
+    logger.error("Claims update failed:", error);
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Internal Server Error",
+      message: "Failed to update claims"
+    });
+  }
+});

package/dist/runtime/server/utils/recomputeClaims.d.ts

@@ -0,0 +1,20 @@
+import type { H3Event } from 'h3';
+import type { RefreshTokenData } from '../../types/index.js';
+/**
+ * Recompute custom claims for a user based on current data
+ *
+ * Uses the global handler's customClaims callback to generate fresh claims.
+ * Optionally re-executes onUserPersist to fetch fresh database data.
+ *
+ * @param refreshTokenData - Stored refresh token data containing user info
+ * @param event - H3 event for context
+ * @returns Updated custom claims object
+ *
+ * @example
+ * ```typescript
+ * const storedData = await getRefreshTokenData(hashedToken, event)
+ * const newClaims = await recomputeCustomClaims(storedData, event)
+ * // newClaims now contains fresh data from database
+ * ```
+ */
+export declare function recomputeCustomClaims(refreshTokenData: RefreshTokenData, event: H3Event): Promise<Record<string, unknown>>;

package/dist/runtime/server/utils/recomputeClaims.js

@@ -0,0 +1,50 @@
+import { useRuntimeConfig } from "#imports";
+import { useAegisHandler } from "./handler.js";
+import { processCustomClaims } from "./customClaims.js";
+import { createLogger } from "./logger.js";
+const logger = createLogger("RecomputeClaims");
+export async function recomputeCustomClaims(refreshTokenData, event) {
+  const config = useRuntimeConfig(event);
+  const tokenRefreshConfig = config.nuxtAegis?.tokenRefresh;
+  const handler = useAegisHandler();
+  if (!handler) {
+    logger.warn("No Aegis handler registered. Cannot recompute custom claims.");
+    return refreshTokenData.customClaims || {};
+  }
+  let userData = refreshTokenData.providerUserInfo;
+  const provider = refreshTokenData.provider;
+  if (tokenRefreshConfig?.recomputeOnUserPersist && handler.onUserPersist) {
+    logger.debug(`Re-executing onUserPersist for provider: ${provider}`);
+    const persistContext = {
+      provider,
+      event
+    };
+    try {
+      const enrichedData = await handler.onUserPersist(userData, persistContext);
+      if (enrichedData) {
+        userData = {
+          ...userData,
+          ...enrichedData
+        };
+      }
+    } catch (error) {
+      logger.error("Error re-executing onUserPersist:", error);
+    }
+  }
+  if (!handler.customClaims) {
+    logger.debug("No customClaims callback defined in handler. Returning existing claims.");
+    return refreshTokenData.customClaims || {};
+  }
+  try {
+    logger.debug(`Recomputing custom claims for user: ${refreshTokenData.sub}`);
+    const newClaims = await processCustomClaims(
+      userData,
+      handler.customClaims
+    );
+    logger.debug("Custom claims recomputed successfully");
+    return newClaims;
+  } catch (error) {
+    logger.error("Error recomputing custom claims:", error);
+    return refreshTokenData.customClaims || {};
+  }
+}

package/dist/runtime/types/refresh.d.ts

@@ -52,6 +52,10 @@ export interface TokenRefreshConfig {
     automaticRefresh?: boolean;
     /** Enable refresh token rotation on every refresh (default: true) */
     rotationEnabled?: boolean;
+    /** Enable claims update endpoint and functionality (default: true) */
+    enableClaimsUpdate?: boolean;
+    /** Re-execute onUserPersist hook when updating claims for fresh database data (default: false) */
+    recomputeOnUserPersist?: boolean;
     /** Refresh token cookie configuration */
     cookie?: CookieConfig;
     /** Encryption configuration for stored user data */

package/dist/runtime/types/routes.d.ts

@@ -23,8 +23,8 @@ export interface ClientMiddlewareConfig {
     global?: boolean;
     /** Redirect destination for unauthenticated users (required when enabled) */
     redirectTo: string;
-    /** Redirect destination for authenticated users on logged-out pages (required when enabled) */
-    loggedOutRedirectTo: string;
+    /** Redirect destination for authenticated users on logged-out pages */
+    loggedOutRedirectTo?: string;
     /** Array of route patterns excluded from authentication (glob patterns supported) */
     publicRoutes?: string[];
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@peterbud/nuxt-aegis",
-  "version": "1.1.0-alpha.3",
+  "version": "1.1.0-alpha.4",
   "description": "Nuxt module for authentication with JWT token generation and session management.",
   "publishConfig": {
     "access": "public"
@@ -39,9 +39,9 @@
   "scripts": {
     "build": "nuxt-module-build prepare && nuxt-module-build build",
     "prepack": "nuxt-module-build build",
-    "dev": "pnpm run dev:prepare && nuxi dev playground",
-    "dev:build": "nuxi build playground",
-    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
+    "dev": "pnpm run dev:prepare && nuxt dev playground",
+    "dev:build": "nuxt build playground",
+    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt prepare playground",
     "docs:dev": "pnpm --filter docs docs:dev",
     "docs:build": "pnpm --filter docs docs:build",
     "release": "pnpm run lint && pnpm run test && pnpm run prepack && changelogen --release && npm publish && git push --follow-tags",
@@ -52,25 +52,25 @@
     "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit"
   },
   "dependencies": {
-    "@nuxt/kit": "^4.2.2",
+    "@nuxt/kit": "^4.3.0",
     "consola": "^3.4.2",
     "defu": "^6.1.4",
     "jose": "^6.1.3",
-    "ufo": "^1.6.1"
+    "ufo": "^1.6.3"
   },
   "devDependencies": {
     "@nuxt/devtools": "^3.1.1",
-    "@nuxt/eslint-config": "^1.12.1",
+    "@nuxt/eslint-config": "^1.13.0",
     "@nuxt/module-builder": "^1.0.2",
-    "@nuxt/schema": "^4.2.2",
-    "@nuxt/test-utils": "^3.22.0",
+    "@nuxt/schema": "^4.3.0",
+    "@nuxt/test-utils": "^3.23.0",
     "@types/node": "latest",
     "changelogen": "^0.6.2",
     "eslint": "^9.39.2",
-    "nuxt": "^4.2.2",
+    "nuxt": "^4.3.0",
     "typescript": "~5.9.3",
     "vitest": "^3.2.4",
-    "vue-tsc": "^3.2.1"
+    "vue-tsc": "^3.2.3"
   },
   "pnpm": {
     "overrides": {