@zvonimirsun/iszy-nuxt-auth-layer 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ZvonimirSun
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,63 @@
+# ISZY Nuxt 认证 Layer
+
+用于 ISZY Nuxt 应用的共享认证 layer，抽取前端 BFF、Redis session、登录登出、认证检查和 OAuth 回调等通用能力。
+
+## 功能
+
+- 基于 Redis 的 httpOnly session cookie。
+- session 轮换与短 TTL tombstone，降低并发刷新 token 时的竞态影响。
+- 后端 API 代理工具，自动注入 access token，并在 401 时尝试 refresh token。
+- 本地登录、登出、登录态检查和 OAuth 回调路由。
+- 通用用户 store、公开用户类型和用户信息裁剪工具。
+
+## 使用方式
+
+安装依赖：
+
+```bash
+pnpm add @zvonimirsun/iszy-nuxt-auth-layer
+```
+
+在 Nuxt 应用中继承该 layer：
+
+```ts
+export default defineNuxtConfig({
+  extends: ['@zvonimirsun/iszy-nuxt-auth-layer'],
+})
+```
+
+消费方应用需要按部署环境配置 `runtimeConfig.public.apiOrigin`、Redis 连接信息和 session cookie 选项。
+
+## 运行时配置
+
+```ts
+export default defineNuxtConfig({
+  runtimeConfig: {
+    public: {
+      apiOrigin: '',
+      title: '',
+      features: {
+        publicRegister: false,
+      },
+    },
+    redis: {
+      host: '',
+      port: 6379,
+      password: undefined,
+    },
+    session: {
+      cookieName: 'NUXT_SESSION_ID',
+      maxAge: '7d',
+      domain: '',
+    },
+  },
+})
+```
+
+## 应用差异
+
+该 layer 只提供通用认证链路，不接管具体应用的业务权限：
+
+- `iszy-admin` 仍应在消费方保留 admin/superadmin 鉴权和 403 页面语义。
+- `iszy-tools-next` 仍应在消费方保留工具权限、工具目录刷新和设置页展示逻辑。
+- authentik 接入会在后续版本扩展，本首版只保留现有本地登录与 OAuth 基础能力。

package/app/stores/user.ts

@@ -0,0 +1,200 @@
+import type { Device, ResultDto } from '@zvonimirsun/iszy-common'
+import type { PublicSimpleUser } from '#shared/types/auth'
+import { acceptHMRUpdate, defineStore } from 'pinia'
+
+interface LoginAttemptFailureData {
+  code: 'LOGIN_FAILED'
+  failedCount: number
+  remainingAttempts: number
+  maxAttempts: number
+  windowSeconds: number
+}
+
+interface LoginBanFailureData {
+  code: 'LOGIN_BANNED'
+  retryAfterSeconds: number
+  bannedUntil: string
+}
+
+type LoginFailureData = LoginAttemptFailureData | LoginBanFailureData
+type LoginResultData = PublicSimpleUser | LoginFailureData
+
+type ProfileFetcher = <T>(request: string, opts?: {
+  signal?: AbortSignal
+}) => Promise<T>
+
+const appFetch = $fetch as unknown as <T>(request: string, opts?: Record<string, unknown>) => Promise<T>
+
+export const useUserStore = defineStore('user', () => {
+  const profilePulled = ref(false)
+  const profile = ref<PublicSimpleUser>()
+  const logged = computed(() => !!profile.value)
+
+  let pullProfilePromise: Promise<boolean> | null = null
+  let pullProfileAbortController: AbortController | null = null
+
+  async function login(payload: {
+    userName: string
+    password: string
+  }) {
+    const { userName, password } = payload
+    if (!userName || !password) {
+      throw new Error('请输入用户名和密码')
+    }
+
+    try {
+      const res = await appFetch<ResultDto<LoginResultData>>('/api/auth/login', {
+        method: 'post',
+        body: {
+          userName: userName.trim(),
+          password,
+        },
+      })
+
+      if (res.success) {
+        profilePulled.value = true
+        updateProfile(res.data as PublicSimpleUser)
+        return
+      }
+
+      removeProfile()
+      throw new Error(formatLoginFailureMessage(res.message, res.data))
+    }
+    catch (error) {
+      removeProfile()
+      throw error
+    }
+  }
+
+  function formatLoginFailureMessage(message: string, data?: LoginResultData) {
+    const fallbackMessage = message || '登录失败'
+    if (!data || !('code' in data)) {
+      return fallbackMessage
+    }
+
+    if (data.code === 'LOGIN_BANNED') {
+      return '登录失败次数过多，请稍后再试。'
+    }
+
+    return fallbackMessage
+  }
+
+  async function logout() {
+    const res = await appFetch<ResultDto<void>>('/api/auth/logout', {
+      method: 'POST',
+    })
+
+    if (res?.success) {
+      removeProfile()
+      return
+    }
+
+    throw new Error(res?.message || '登出失败')
+  }
+
+  async function pullProfile(force = false, fetcher: ProfileFetcher = appFetch) {
+    if (profilePulled.value && !force) {
+      return logged.value
+    }
+
+    if (force) {
+      pullProfileAbortController?.abort()
+      pullProfileAbortController = null
+      pullProfilePromise = null
+    }
+
+    if (pullProfilePromise && !force) {
+      return pullProfilePromise
+    }
+
+    pullProfileAbortController = new AbortController()
+    pullProfilePromise = (async () => {
+      try {
+        const res = await fetcher<ResultDto<{
+          logged: boolean
+          profile?: PublicSimpleUser
+        }>>('/api/auth/check', {
+          signal: pullProfileAbortController!.signal,
+        })
+
+        if (res?.success && res.data?.logged) {
+          updateProfile(res.data.profile)
+          profilePulled.value = true
+          return true
+        }
+
+        removeProfile()
+        profilePulled.value = true
+        return false
+      }
+      catch (error) {
+        if ((error as Error).name !== 'AbortError') {
+          removeProfile()
+          profilePulled.value = true
+        }
+        throw error
+      }
+      finally {
+        pullProfileAbortController = null
+        pullProfilePromise = null
+      }
+    })()
+
+    return pullProfilePromise
+  }
+
+  function updateProfile(data?: PublicSimpleUser) {
+    profile.value = data
+  }
+
+  function removeProfile() {
+    updateProfile(undefined)
+  }
+
+  async function thirdPartyUnbind(type: string) {
+    await appFetch<ResultDto<void>>('/api/oauth/unbind', {
+      method: 'POST',
+      body: {
+        provider: type,
+      },
+    })
+    await pullProfile(true)
+  }
+
+  async function getDevices(): Promise<Device[]> {
+    const res = await appFetch<ResultDto<Device[]>>('/api/auth/devices')
+    return res.data || []
+  }
+
+  async function removeDevice({ deviceId, other }: {
+    deviceId?: string
+    all?: boolean
+    other?: boolean
+  }) {
+    await appFetch('/api/auth/logout', {
+      method: 'POST',
+      query: {
+        deviceId,
+        other,
+      },
+    })
+  }
+
+  return {
+    profilePulled,
+    profile,
+    logged,
+    login,
+    logout,
+    pullProfile,
+    updateProfile,
+    removeProfile,
+    thirdPartyUnbind,
+    getDevices,
+    removeDevice,
+  }
+})
+
+if (import.meta.hot) {
+  import.meta.hot.accept(acceptHMRUpdate(useUserStore, import.meta.hot))
+}

package/nuxt.config.ts

@@ -0,0 +1,21 @@
+export default defineNuxtConfig({
+  runtimeConfig: {
+    public: {
+      title: '',
+      apiOrigin: '',
+      features: {
+        publicRegister: false,
+      },
+    },
+    redis: {
+      host: '',
+      port: 6379,
+      password: undefined,
+    },
+    session: {
+      cookieName: 'NUXT_SESSION_ID',
+      maxAge: '7d',
+      domain: '',
+    },
+  },
+})

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@zvonimirsun/iszy-nuxt-auth-layer",
+  "version": "0.1.0",
+  "type": "module",
+  "private": false,
+  "description": "ISZY Nuxt 应用共享认证 layer。",
+  "author": "ZvonimirSun",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://git@github.com/ZvonimirSun/iszy-nuxt-auth-layer.git"
+  },
+  "homepage": "https://github.com/ZvonimirSun/iszy-nuxt-auth-layer#readme",
+  "bugs": {
+    "url": "https://github.com/ZvonimirSun/iszy-nuxt-auth-layer/issues"
+  },
+  "exports": {
+    ".": "./nuxt.config.ts"
+  },
+  "files": [
+    "app",
+    "server",
+    "shared",
+    "nuxt.config.ts",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@zvonimirsun/iszy-common": "^1.2.0",
+    "ms": "^2.1.3"
+  },
+  "peerDependencies": {
+    "@pinia/nuxt": ">=0.11.0",
+    "nuxt": ">=4.0.0",
+    "pinia": ">=3.0.0"
+  },
+  "devDependencies": {
+    "@nuxt/eslint": "^1.15.2",
+    "@pinia/nuxt": "0.11.3",
+    "@types/ms": "^2.1.0",
+    "@types/node": "^25.9.1",
+    "nuxt": "^4.4.7",
+    "pinia": "^3.0.4",
+    "typescript": "^6.0.3",
+    "vue-tsc": "^3.3.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "postinstall": "nuxt prepare",
+    "typecheck": "nuxt typecheck"
+  }
+}

package/server/api/[...].ts

@@ -0,0 +1,3 @@
+export default defineEventHandler(async (event) => {
+  return proxyFetch(event)
+})

package/server/api/auth/check.get.ts

@@ -0,0 +1,43 @@
+import type { PublicUser, ResultDto } from '@zvonimirsun/iszy-common'
+import type { PublicSimpleUser } from '#shared/types/auth'
+
+export default defineEventHandler(async (event): Promise<ResultDto<{
+  logged: boolean
+  profile?: PublicSimpleUser
+}>> => {
+  const session = await getRedisSession(event)
+  if (!session) {
+    return {
+      success: true,
+      data: {
+        logged: false,
+      },
+      message: '未登录',
+    }
+  }
+
+  try {
+    const res = await authFetch<ResultDto<PublicUser>>(event, '/user/me')
+    if (res.success && res.data) {
+      return {
+        success: true,
+        data: {
+          logged: true,
+          profile: toPublicSimpleUser(res.data),
+        },
+        message: '已登录',
+      }
+    }
+  }
+  catch {
+    // fall through to the unauthenticated response below
+  }
+
+  return {
+    success: true,
+    data: {
+      logged: false,
+    },
+    message: '未登录',
+  }
+})

package/server/api/auth/login.post.ts

@@ -0,0 +1,62 @@
+import type { PublicUser, ResultDto } from '@zvonimirsun/iszy-common'
+import type { FetchError } from 'ofetch'
+import type { PublicSimpleUser } from '#shared/types/auth'
+
+interface LoginFailureData {
+  code: 'LOGIN_FAILED' | 'LOGIN_BANNED'
+  failedCount?: number
+  remainingAttempts?: number
+  maxAttempts?: number
+  windowSeconds?: number
+  retryAfterSeconds?: number
+  bannedUntil?: string
+}
+
+export default defineEventHandler(async (event): Promise<ResultDto<PublicSimpleUser | LoginFailureData>> => {
+  const body = await readBody<{
+    userName: string
+    password: string
+  }>(event)
+
+  if (!body.userName || !body.password) {
+    throw createError({
+      statusCode: 400,
+      message: '用户名和密码不能为空',
+    })
+  }
+
+  try {
+    const res = await authFetch<ResultDto<{
+      access_token: string
+      refresh_token: string
+      profile: PublicUser
+    }>>(event, '/auth/login', {
+      method: 'POST',
+      body: {
+        username: body.userName.trim(),
+        password: body.password,
+      },
+    })
+
+    if (res.success) {
+      await setRedisSession(event, {
+        access_token: res.data!.access_token,
+        refresh_token: res.data!.refresh_token,
+      })
+    }
+
+    return {
+      ...res,
+      data: res.data?.profile ? toPublicSimpleUser(res.data.profile) : undefined,
+    }
+  }
+  catch (error) {
+    await destroyRedisSession(event)
+    const errorData = (error as FetchError<ResultDto<LoginFailureData>>).data
+    return {
+      success: false,
+      message: errorData?.message || '登录失败',
+      data: errorData?.data,
+    }
+  }
+})

package/server/api/auth/logout.post.ts

@@ -0,0 +1,39 @@
+import type { ResultDto } from '@zvonimirsun/iszy-common'
+import type { FetchError } from 'ofetch'
+
+export default defineEventHandler(async (event): Promise<ResultDto<void>> => {
+  const query = getQuery<{
+    deviceId?: string
+    other?: string
+  }>(event)
+
+  const session = await getRedisSession(event)
+  if (!session) {
+    return {
+      success: true,
+      message: '已登出',
+    }
+  }
+
+  try {
+    await authFetch(event, '/auth/logout', {
+      method: 'POST',
+      query,
+    })
+  }
+  catch (error) {
+    const errorCode = (error as FetchError)?.response?.status
+    if (errorCode && errorCode !== 401) {
+      throw error
+    }
+  }
+
+  if (!query.other && !query.deviceId) {
+    await destroyRedisSession(event)
+  }
+
+  return {
+    success: true,
+    message: '已登出',
+  }
+})

package/server/api/oauth/[provider]/bind.get.ts

@@ -0,0 +1,19 @@
+import type { ResultDto } from '@zvonimirsun/iszy-common'
+
+export default defineEventHandler(async (event) => {
+  const { apiOrigin } = usePublicConfig()
+  const { provider } = event.context.params as { provider: string }
+  const url = getRequestURL(event)
+
+  const res = await authFetch<ResultDto<string>>(event, '/oauth/code', {
+    method: 'POST',
+  })
+  const code = res.data!
+  const state = random()
+
+  await setState(state, {
+    isBind: true,
+  })
+
+  return sendRedirect(event, `${apiOrigin}/oauth/${provider}/bind?state=${state}&client=${encodeURIComponent(url.origin)}&access_token=${code}`)
+})

package/server/api/oauth/[provider]/callback.get.ts

@@ -0,0 +1,99 @@
+import type { PublicUser, ResultDto } from '@zvonimirsun/iszy-common'
+
+function renderCallbackPage(title: string, origin: string, body: string, payload: { success: boolean, message?: string }) {
+  return `
+    <head>
+      <title>${title}</title>
+      <meta charset="UTF-8">
+    </head>
+    <body>
+      ${body}
+      <script>
+        if (window.opener && !window.opener.closed) {
+          window.opener.postMessage(${JSON.stringify(payload)}, '${origin}');
+        }
+      </script>
+    </body>
+  `
+}
+
+export default defineEventHandler(async (event) => {
+  const { title } = usePublicConfig()
+  const url = getRequestURL(event)
+  const query = getQuery(event)
+  const state = query.state as string
+
+  if (!state) {
+    throw createError({
+      statusCode: 400,
+      message: '缺少 state 参数',
+    })
+  }
+
+  const stateData = await getState(state)
+  if (!stateData) {
+    throw createError({
+      statusCode: 400,
+      message: '无效的 state 参数',
+    })
+  }
+
+  await removeState(state)
+
+  if (stateData.isBind) {
+    const error = query.error as string | undefined
+    if (error) {
+      return renderCallbackPage(`${title} - 绑定失败`, url.origin, error, {
+        success: false,
+        message: error,
+      })
+    }
+
+    return renderCallbackPage(`${title} - 绑定成功`, url.origin, '验证成功', {
+      success: true,
+    })
+  }
+
+  const code = query.code as string
+  const error = query.error as string | undefined
+  let errorMessage = error || (!code ? '缺少 code 参数' : '')
+
+  if (!errorMessage) {
+    try {
+      const res = await authFetch<ResultDto<{
+        access_token: string
+        refresh_token: string
+        profile: PublicUser
+      }>>(event, '/oauth/token', {
+        method: 'POST',
+        query: {
+          access_token: code,
+        },
+      })
+
+      if (!res.success) {
+        errorMessage = '获取 token 失败'
+      }
+      else {
+        await setRedisSession(event, {
+          access_token: res.data!.access_token,
+          refresh_token: res.data!.refresh_token,
+        })
+      }
+    }
+    catch {
+      errorMessage = '获取 token 失败'
+    }
+  }
+
+  if (errorMessage) {
+    return renderCallbackPage(`${title} - 登录失败`, url.origin, errorMessage, {
+      success: false,
+      message: errorMessage,
+    })
+  }
+
+  return renderCallbackPage(`${title} - 登录成功`, url.origin, '登录成功', {
+    success: true,
+  })
+})

package/server/api/oauth/[provider]/index.get.ts

@@ -0,0 +1,10 @@
+export default defineEventHandler(async (event) => {
+  const { apiOrigin } = usePublicConfig()
+  const { provider } = event.context.params as { provider: string }
+  const url = getRequestURL(event)
+  const state = random()
+
+  await setState(state, {})
+
+  return sendRedirect(event, `${apiOrigin}/oauth/${provider}?state=${state}&client=${encodeURIComponent(url.origin)}`)
+})

package/server/middleware/session.ts

@@ -0,0 +1,3 @@
+export default defineResponseMiddleware(async (event) => {
+  await setRedisSession(event, await getRedisSession(event))
+})

package/server/plugins/redisStorage.ts

@@ -0,0 +1,14 @@
+import redisDriver from 'unstorage/drivers/redis'
+
+export default defineNitroPlugin(() => {
+  const storage = useStorage()
+  const redisConfig = useRuntimeConfig().redis
+
+  const driver = redisDriver({
+    host: redisConfig.host,
+    port: redisConfig.port,
+    password: redisConfig.password,
+  })
+
+  storage.mount('redis', driver)
+})

package/server/utils/authFetch.ts

@@ -0,0 +1,164 @@
+import type { PublicUser, ResultDto } from '@zvonimirsun/iszy-common'
+import type { H3Event } from 'h3'
+import type { NitroFetchRequest, TypedInternalResponse } from 'nitropack'
+import type { FetchError } from 'ofetch'
+import type { SessionData } from '#shared/types/auth'
+import { getProxyRequestHeaders } from 'h3'
+
+export async function proxyFetch(event: H3Event) {
+  const sessionId = getSessionId(event)
+  const { apiOrigin } = usePublicConfig()
+  const target = apiOrigin + event.path.slice(4)
+
+  const headers = getForwardRequestHeaders(event)
+  headers['accept-encoding'] = 'identity'
+
+  const body = ['GET', 'HEAD'].includes(event.method) ? undefined : await readRawBody(event)
+
+  const doRequest = async () => {
+    if (sessionId) {
+      const sessionData = await getRedisSession(event)
+      if (sessionData) {
+        headers.authorization = `Bearer ${sessionData.access_token}`
+      }
+    }
+    return fetch(target, {
+      method: event.method,
+      headers,
+      body,
+      duplex: 'half',
+      redirect: 'manual',
+    } as RequestInit & { duplex: 'half' })
+  }
+
+  let res = await doRequest()
+  if (sessionId && res.status === 401) {
+    try {
+      useRedisSession(event, await refreshWithLock(sessionId, async () => refreshToken(event)))
+    }
+    catch {
+      await destroyRedisSession(event)
+      return pipeResponse(event, res)
+    }
+    res = await doRequest()
+  }
+  return pipeResponse(event, res)
+}
+
+export async function authFetch<T = unknown>(event: H3Event, ...params: Parameters<typeof $fetch>): Promise<TypedInternalResponse<NitroFetchRequest, T>> {
+  const sessionId = getSessionId(event)
+  const { apiOrigin } = usePublicConfig()
+  const [url, opts = {}] = params
+  const headers: Record<string, string> = {
+    ...getForwardRequestHeaders(event),
+    ...(opts.headers as Record<string, string> | undefined),
+  }
+
+  opts.headers = headers
+  opts.baseURL = apiOrigin
+  const fetcher = $fetch as unknown as (request: NitroFetchRequest, options?: typeof opts) => Promise<T>
+
+  const doRequest = async () => {
+    if (sessionId) {
+      const sessionData = await getRedisSession(event)
+      if (sessionData) {
+        headers.authorization = `Bearer ${sessionData.access_token}`
+      }
+    }
+    return fetcher(url, opts)
+  }
+
+  try {
+    return await doRequest() as TypedInternalResponse<NitroFetchRequest, T>
+  }
+  catch (error) {
+    if (sessionId && (error as FetchError)?.response?.status === 401) {
+      try {
+        useRedisSession(event, await refreshWithLock(sessionId, async () => refreshToken(event)))
+        return await doRequest() as TypedInternalResponse<NitroFetchRequest, T>
+      }
+      catch {
+        await destroyRedisSession(event)
+        throw error
+      }
+    }
+    throw error
+  }
+}
+
+async function refreshToken(event: H3Event): Promise<SessionData> {
+  const sessionData = await getRedisSession(event)
+  if (!sessionData) {
+    throw new Error('REFRESH_FAILED')
+  }
+
+  const { apiOrigin } = usePublicConfig()
+  const res = await $fetch<ResultDto<{
+    access_token: string
+    refresh_token: string
+    profile: PublicUser
+  }>>(`${apiOrigin}/auth/refresh`, {
+    method: 'POST',
+    headers: {
+      ...getForwardRequestHeaders(event),
+      Authorization: `Bearer ${sessionData.refresh_token}`,
+    },
+  })
+
+  if (!res.success) {
+    throw new Error('REFRESH_FAILED')
+  }
+
+  return rotateRedisSession(event, {
+    access_token: res.data!.access_token,
+    refresh_token: res.data!.refresh_token,
+  })
+}
+
+const locks = new Map<string, Promise<SessionData>>()
+
+async function refreshWithLock(sessionId: string, fn: () => Promise<SessionData>) {
+  if (locks.has(sessionId)) {
+    return locks.get(sessionId)!
+  }
+
+  const promise = (async () => {
+    try {
+      return await fn()
+    }
+    finally {
+      locks.delete(sessionId)
+    }
+  })()
+
+  locks.set(sessionId, promise)
+  return promise
+}
+
+function getForwardRequestHeaders(event: H3Event) {
+  const headers = getProxyRequestHeaders(event, { host: false })
+  const remoteAddr = getRequestIP(event, { xForwardedFor: true }) || ''
+  const xForwardedFor = headers['x-forwarded-for'] || remoteAddr
+
+  delete headers.cookie
+  delete headers.authorization
+  if (xForwardedFor) {
+    headers['x-forwarded-for'] = xForwardedFor
+  }
+
+  return headers
+}
+
+async function pipeResponse(event: H3Event, res: Response) {
+  setResponseStatus(event, res.status)
+  for (const [key, value] of res.headers) {
+    if (key.toLowerCase() === 'set-cookie') {
+      continue
+    }
+    setHeader(event, key, value)
+  }
+  if (res.body == null) {
+    return send(event, '')
+  }
+  return sendStream(event, res.body)
+}

package/server/utils/random.ts

@@ -0,0 +1,5 @@
+import { randomBytes } from 'node:crypto'
+
+export function random(size = 16) {
+  return randomBytes(size).toString('hex').slice(0, size)
+}

package/server/utils/sessionStore.ts

@@ -0,0 +1,120 @@
+import type { H3Event } from 'h3'
+import type { StringValue } from 'ms'
+import type { SessionData, SessionTombstone } from '#shared/types/auth'
+import { randomBytes } from 'node:crypto'
+import ms from 'ms'
+
+const SESSION_TOMBSTONE_TTL = 30
+const SESSION_ID_LENGTH = 32
+
+function createSessionId() {
+  return randomBytes(SESSION_ID_LENGTH).toString('hex').slice(0, SESSION_ID_LENGTH)
+}
+
+export function getSessionId(event: H3Event): string | undefined {
+  const { session: sessionConfig } = useRuntimeConfig()
+  return getCookie(event, sessionConfig.cookieName)
+}
+
+export function getSessionKey(sessionId: string): string {
+  return `session:${sessionId}`
+}
+
+function setSessionId(id: string, data: Omit<SessionData, 'id'> | SessionData): SessionData {
+  return {
+    ...data,
+    id,
+  }
+}
+
+export async function getRedisSession(event: H3Event): Promise<SessionData | null> {
+  const storage = useStorage<SessionData | SessionTombstone>('redis')
+  const sessionId = getSessionId(event)
+  if (!sessionId) {
+    return null
+  }
+
+  const data = await storage.getItem(getSessionKey(sessionId))
+  if (!data) {
+    return null
+  }
+
+  if ('redirectTo' in data) {
+    const newData = await storage.getItem(getSessionKey(data.redirectTo))
+    if (!newData || 'redirectTo' in newData) {
+      return null
+    }
+    useRedisSession(event, newData)
+    return newData
+  }
+
+  return data
+}
+
+export async function setRedisSession(event: H3Event, data?: Omit<SessionData, 'id'> | SessionData | null) {
+  const { session: sessionConfig } = useRuntimeConfig()
+  const cookieName = sessionConfig.cookieName
+  const ttl = ms(sessionConfig.maxAge as StringValue) / 1000
+  const storage = useStorage<SessionData>('redis')
+
+  let sessionId = getSessionId(event)
+  if (!data) {
+    if (sessionId) {
+      await storage.removeItem(getSessionKey(sessionId))
+      sessionId = undefined
+      deleteCookie(event, cookieName)
+    }
+    return
+  }
+
+  const nextSessionId = sessionId || createSessionId()
+  const sessionData = setSessionId(nextSessionId, data)
+  await storage.setItem(getSessionKey(nextSessionId), sessionData, { ttl })
+  setCookie(event, cookieName, nextSessionId, {
+    maxAge: ttl,
+    domain: sessionConfig.domain || undefined,
+    sameSite: 'lax',
+    httpOnly: true,
+    secure: true,
+    priority: 'high',
+  })
+}
+
+export async function rotateRedisSession(event: H3Event, data: Omit<SessionData, 'id'> | SessionData) {
+  const { session: sessionConfig } = useRuntimeConfig()
+  const ttl = ms(sessionConfig.maxAge as StringValue) / 1000
+  const storage = useStorage<SessionData | SessionTombstone>('redis')
+
+  const oldSessionId = getSessionId(event)
+  const sessionId = createSessionId()
+  const sessionData = setSessionId(sessionId, data)
+
+  await storage.setItem(getSessionKey(sessionId), sessionData, { ttl })
+
+  if (oldSessionId) {
+    await storage.setItem(
+      getSessionKey(oldSessionId),
+      { redirectTo: sessionId },
+      { ttl: SESSION_TOMBSTONE_TTL },
+    )
+  }
+
+  useRedisSession(event, sessionData)
+  return sessionData
+}
+
+export function useRedisSession(event: H3Event, session: SessionData) {
+  const { session: sessionConfig } = useRuntimeConfig()
+  setCookie(event, sessionConfig.cookieName, session.id, {
+    maxAge: ms(sessionConfig.maxAge as StringValue) / 1000,
+    domain: sessionConfig.domain || undefined,
+    sameSite: 'lax',
+    httpOnly: true,
+    secure: true,
+    priority: 'high',
+  })
+}
+
+export async function destroyRedisSession(event: H3Event): Promise<void> {
+  return setRedisSession(event, undefined)
+}

package/server/utils/stateStore.ts

@@ -0,0 +1,23 @@
+import type { OAuthStateData } from '#shared/types/auth'
+import ms from 'ms'
+
+export function getStateKey(state: string): string {
+  return `oauth:state:${state}`
+}
+
+export async function setState(state: string, data: OAuthStateData) {
+  const storage = useStorage<OAuthStateData>('redis')
+  return storage.setItem(getStateKey(state), data, {
+    ttl: ms('5m') / 1000,
+  })
+}
+
+export async function getState(state: string) {
+  const storage = useStorage<OAuthStateData>('redis')
+  return storage.getItem(getStateKey(state))
+}
+
+export async function removeState(state: string) {
+  const storage = useStorage<OAuthStateData>('redis')
+  await storage.removeItem(getStateKey(state))
+}

package/shared/types/auth.ts

@@ -0,0 +1,19 @@
+import type { PublicUser } from '@zvonimirsun/iszy-common'
+
+export type { PublicUser, RawPrivilege, RawRole, RegisterUser, ResultDto, UpdateUser } from '@zvonimirsun/iszy-common'
+
+export type PublicSimpleUser = Omit<PublicUser, 'status' | 'createBy' | 'updateBy' | 'privileges'>
+
+export interface SessionData {
+  id: string
+  access_token: string
+  refresh_token: string
+}
+
+export interface SessionTombstone {
+  redirectTo: string
+}
+
+export interface OAuthStateData {
+  isBind?: boolean
+}

package/shared/utils/usePublicConfig.ts

@@ -0,0 +1,4 @@
+export function usePublicConfig() {
+  const { public: publicConfig } = useRuntimeConfig()
+  return publicConfig
+}

package/shared/utils/user.ts

@@ -0,0 +1,7 @@
+import type { PublicUser } from '@zvonimirsun/iszy-common'
+import type { PublicSimpleUser } from '#shared/types/auth'
+
+export function toPublicSimpleUser(user: PublicUser): PublicSimpleUser {
+  const { status, createBy, updateBy, privileges, ...result } = user
+  return result
+}