nuxt-umbu 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Aslan Gama
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,21 @@
+# Nuxt Umbu
+
+Nuxt Umbu is an authentication module for **Nuxt** designed to work seamlessly with **Laravel Sanctum** and **Laravel Passport**.
+
+It provides a secure and SSR-compatible authentication layer with built-in support for cookies, tokens, middleware, composables, and optional Two-Factor Authentication (2FA).
+
+## Features
+
+- 🔐 Authentication for **Nuxt**
+- ⚡ Built for **SSR and SPA**
+- 🍪 Secure **HTTP-only cookie authentication (Sanctum)**
+- 🔑 **OAuth2 token authentication (Passport)**
+- 🧩 Strategy-based architecture
+- 🛡 Built-in **CSRF protection**
+- 📦 `$auth` instance available globally
+- 🧠 Route middleware for protected pages
+- 🔄 Automatic user fetching
+- 🔑 Optional **Two-Factor Authentication (2FA)**
+- 🪝 Extensible for future authentication providers
+
+---

package/dist/module.d.mts

@@ -0,0 +1,22 @@
+import * as _nuxt_schema from '@nuxt/schema';
+import { AuthSecretConfig, ModuleOptions } from '../dist/runtime/types/index.js';
+
+declare const _default: _nuxt_schema.NuxtModule<ModuleOptions & {
+    twoFactorAuth: boolean;
+}, ModuleOptions & {
+    twoFactorAuth: boolean;
+}, false>;
+
+declare module 'nuxt/schema' {
+    interface RuntimeConfig {
+        secret?: Record<string, AuthSecretConfig>;
+    }
+    interface PublicRuntimeConfig {
+        baseURL: string;
+    }
+    interface NuxtConfig {
+        auth?: ModuleOptions;
+    }
+}
+
+export { _default as default };

package/dist/module.json

@@ -0,0 +1,9 @@
+{
+  "name": "nuxt-umbu",
+  "configKey": "auth",
+  "version": "0.0.1",
+  "builder": {
+    "@nuxt/module-builder": "1.0.2",
+    "unbuild": "unknown"
+  }
+}

package/dist/module.mjs

@@ -0,0 +1,114 @@
+import { defineNuxtModule, useLogger, createResolver, addImportsDir, addRouteMiddleware, addServerHandler, addPluginTemplate, addTypeTemplate } from '@nuxt/kit';
+import { defu } from 'defu';
+import kebabCase from 'lodash.kebabcase';
+import fs from 'fs';
+
+const PACKAGE_NAME = "nuxt-umbu";
+const module$1 = defineNuxtModule({
+  meta: {
+    name: PACKAGE_NAME,
+    configKey: "auth"
+  },
+  async setup(options, nuxt) {
+    const logger = useLogger(PACKAGE_NAME);
+    const { resolve } = createResolver(import.meta.url);
+    const isDev = nuxt.options.dev;
+    const provider = options.provider || "sanctum";
+    options = defu(options, {
+      cookie: {
+        options: {
+          httpOnly: false,
+          secure: false,
+          sameSite: "Lax",
+          priority: "high"
+        },
+        prefix: "auth."
+      },
+      twoFactorAuth: false
+    });
+    options.cookie = options.cookie ?? { prefix: "auth.", options: {} };
+    options.cookie.options = options.cookie.options ?? {
+      httpOnly: false,
+      secure: false,
+      sameSite: "Lax",
+      priority: "high"
+    };
+    if (isDev) {
+      options.cookie.prefix = "auth.";
+      options.cookie.options.secure = false;
+    }
+    addImportsDir(resolve("./runtime/composables"));
+    addRouteMiddleware({
+      name: "auth",
+      path: resolve("./runtime/" + provider + "/middleware/auth")
+    });
+    if (provider === "passport") {
+      const runtimeConfig = nuxt.options.runtimeConfig;
+      if (!runtimeConfig.secret || typeof runtimeConfig.secret !== "object" || Object.keys(runtimeConfig.secret).length === 0) {
+        logger.error(`Missing "runtimeConfig.secret" in nuxt.config.ts`);
+        return;
+      }
+      Object.entries(runtimeConfig.secret).forEach(([key, config]) => {
+        if (!options.strategies[key]) {
+          logger.error(
+            `[${PACKAGE_NAME}] Strategy "${key}" found in "runtimeConfig.secret" but not in "options.strategies". Skipping validation.`
+          );
+          return;
+        }
+        if (!config.client_id || !config.client_secret || !config.grant_type) {
+          logger.error(
+            `[${PACKAGE_NAME}] Invalid "secret.${key}" configuration. Required keys: client_id, client_secret, grant_type.`
+          );
+          return;
+        }
+      });
+      Object.entries(options.strategies).forEach(
+        ([strategyName, strategy]) => {
+          strategy.handler = strategy.handler ?? [];
+          strategy.endpoints = strategy.endpoints || {};
+          strategy.endpoints = defu(strategy.endpoints, {
+            logout: { alias: "logout" }
+          });
+          Object.entries(strategy.endpoints).filter(
+            ([key, endpoint]) => key !== "user" && (key === "logout" || endpoint.url && endpoint.method)
+          ).forEach(([key, endpoint]) => {
+            const typedEndpoint = endpoint;
+            const route = `/api/${kebabCase(typedEndpoint.alias) || typedEndpoint.url.replace(/^\/(api|oauth)\//, "")}`;
+            const handlerFile = resolve(`./runtime/passport/server/api/${key}`);
+            strategy.handler.push({ [key]: route });
+            addServerHandler({
+              route,
+              handler: handlerFile
+            });
+          });
+        }
+      );
+    }
+    const has2FA = Object.values(options.strategies).some(
+      (strategy) => strategy.endpoints?.["2fa"]?.url && strategy.endpoints?.["2fa"]?.method
+    );
+    if (has2FA) {
+      options.twoFactorAuth = true;
+      addRouteMiddleware({
+        name: "_2fa",
+        path: resolve("./runtime/" + provider + "/middleware/2fa")
+      });
+      logger.success("Middleware `_2fa` enabled");
+    }
+    nuxt.options.runtimeConfig.public[PACKAGE_NAME] = options;
+    const hasTsPlugin = fs.existsSync(resolve(`./runtime/${provider}/plugin.ts`));
+    addPluginTemplate({
+      src: resolve(`./runtime/${provider}/plugin.${hasTsPlugin ? "ts" : "js"}`),
+      filename: `plugin.${hasTsPlugin ? "ts" : "js"}`,
+      mode: "all"
+    });
+    addTypeTemplate({
+      src: resolve("./auth.d.ts"),
+      filename: "auth.d.ts"
+    });
+    nuxt.options.alias["#auth-utils"] = resolve("./runtime/" + provider + "/utils");
+    logger.success("`nuxt-umbu` setup done");
+  }
+});
+
+export { module$1 as default };

package/dist/runtime/composables/autx.d.ts

@@ -0,0 +1,3 @@
+import { type FetchOptions } from 'ofetch';
+export type AutxOptions<T = any> = FetchOptions<'json', T>;
+export declare function $autx<T = any>(request: string, options?: AutxOptions<T>): Promise<T>;

package/dist/runtime/composables/autx.js

@@ -0,0 +1,62 @@
+import { $fetch } from "ofetch";
+import { useNuxtApp, useRuntimeConfig, reloadNuxtApp, useAuthConfig, createError } from "#imports";
+import { useEnsureCsrf } from "../composables/useEnsureCsrf.js";
+const CSRF_METHODS = ["POST", "PUT", "PATCH", "DELETE"];
+export async function $autx(request, options = {}) {
+  const { $auth } = useNuxtApp();
+  const baseURL = useRuntimeConfig().public.baseURL;
+  const { provider } = useAuthConfig();
+  if (!$auth || !$auth.headers) {
+    throw new Error("Auth instance is not available or missing headers.");
+  }
+  const method = (options.method || "GET").toUpperCase();
+  if (provider === "sanctum" && CSRF_METHODS.includes(method)) {
+    await useEnsureCsrf($auth);
+  }
+  const authHeaders = $auth.headers instanceof Headers ? Object.fromEntries($auth.headers.entries()) : $auth.headers;
+  const runtimeBaseURL = typeof baseURL === "string" ? baseURL : void 0;
+  const fetchOptions = {
+    ...options,
+    baseURL: options.baseURL ?? runtimeBaseURL,
+    credentials: options.credentials ?? (provider === "sanctum" ? "include" : void 0),
+    headers: {
+      ...authHeaders,
+      ...options.headers
+    }
+  };
+  return $fetch(request, {
+    ...fetchOptions,
+    async onResponseError(context) {
+      const { request: request2, response } = context;
+      let errorBody;
+      try {
+        errorBody = response._data ?? await response.text();
+      } catch (e) {
+        errorBody = "Unknown error";
+      }
+      console.error("[API Error]", {
+        request: request2,
+        status: response.status,
+        body: errorBody,
+        fullResponse: response
+      });
+      if (response.status === 401) {
+        if (import.meta.client) {
+          console.warn("[auth] 401 Unauthorized \u2013 reloading app");
+          const strategy = $auth.strategy;
+          if (strategy) {
+            await $auth.logout(strategy);
+          }
+          if (provider === "sanctum") {
+            reloadNuxtApp();
+          }
+        }
+        return;
+      }
+      throw createError({
+        statusCode: response.status,
+        data: errorBody
+      });
+    }
+  });
+}

package/dist/runtime/composables/useConfig.d.ts

@@ -0,0 +1,4 @@
+import type { ModuleOptions } from '../types/index.js';
+export declare const useAuthConfig: () => ModuleOptions & {
+    twoFactorAuth: boolean;
+};

package/dist/runtime/composables/useConfig.js

@@ -0,0 +1,4 @@
+import { useRuntimeConfig } from "#imports";
+export const useAuthConfig = () => {
+  return useRuntimeConfig().public["nuxt-umbu"];
+};

package/dist/runtime/composables/useEnsureCsrf.d.ts

@@ -0,0 +1,2 @@
+import type { AuthInstance } from '../types/index.js';
+export declare function useEnsureCsrf(auth?: AuthInstance): Promise<void>;

package/dist/runtime/composables/useEnsureCsrf.js

@@ -0,0 +1,11 @@
+import { useCookie, useNuxtApp } from "#imports";
+export async function useEnsureCsrf(auth) {
+  const { $auth } = useNuxtApp();
+  if (!$auth) return;
+  const xsrf = useCookie("XSRF-TOKEN").value;
+  if (xsrf) {
+    $auth.headers.set("X-XSRF-TOKEN", decodeURIComponent(xsrf));
+    return;
+  }
+  await $auth.csrfToken();
+}

package/dist/runtime/composables/useStates.d.ts

@@ -0,0 +1,2 @@
+import type { AuthState } from '../types/index.js';
+export declare const useAuthStore: () => import("vue").Ref<AuthState, AuthState>;

package/dist/runtime/composables/useStates.js

@@ -0,0 +1,6 @@
+import { useState } from "#imports";
+export const useAuthStore = () => useState("auth", () => ({
+  user: null,
+  loggedIn: false,
+  strategy: ""
+}));

package/dist/runtime/passport/middleware/2fa.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("nuxt/app").RouteMiddleware;
+export default _default;

package/dist/runtime/passport/middleware/2fa.js

@@ -0,0 +1,46 @@
+import {
+  useNuxtApp,
+  useCookie,
+  useAuthStore,
+  createError,
+  useRequestEvent,
+  defineNuxtRouteMiddleware
+} from "#imports";
+import { handleLogout, validateSession, getRedirectPath } from "#auth-utils";
+export default defineNuxtRouteMiddleware(async () => {
+  const { $auth } = useNuxtApp();
+  const store = useAuthStore();
+  if (!$auth) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Auth plugin is not initialized"
+    });
+  }
+  if (import.meta.server) {
+    const event = useRequestEvent();
+    if (!event) return;
+    const strategyName = useCookie($auth.prefix + `strategy`).value;
+    const token = strategyName ? useCookie($auth.prefix + `_2fa.` + strategyName).value : null;
+    const expires = strategyName ? useCookie($auth.prefix + `_2fa_expiration.` + strategyName).value : null;
+    if (!validateSession(strategyName, token, expires)) {
+      return await handleLogout(strategyName, getRedirectPath(strategyName), "has2FA");
+    }
+    if (token) {
+      $auth.headers.set("2fa", token);
+    }
+  }
+  if (import.meta.client) {
+    const strategy = localStorage.getItem($auth.prefix + `strategy`);
+    const token = strategy ? localStorage.getItem($auth.prefix + `_2fa.` + strategy) : null;
+    const expires = strategy ? localStorage.getItem($auth.prefix + `_2fa_expiration.` + strategy) : null;
+    if (!validateSession(strategy, token, expires) || $auth.strategy !== strategy || $auth.strategy !== store.value.strategy) {
+      return await handleLogout(strategy, getRedirectPath(strategy), "has2FA");
+    }
+    if (token) {
+      $auth.headers.set("2fa", token);
+    }
+    if (!$auth.user || !$auth.loggedIn || !store.value.user || !store.value.loggedIn) {
+      return await handleLogout(strategy, getRedirectPath(strategy), "has2FA");
+    }
+  }
+});

package/dist/runtime/passport/middleware/auth.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("nuxt/app").RouteMiddleware;
+export default _default;

package/dist/runtime/passport/middleware/auth.js

@@ -0,0 +1,46 @@
+import {
+  useNuxtApp,
+  useCookie,
+  useAuthStore,
+  createError,
+  useRequestEvent,
+  defineNuxtRouteMiddleware
+} from "#imports";
+import { handleLogout, validateSession, getRedirectPath } from "#auth-utils";
+export default defineNuxtRouteMiddleware(async () => {
+  const { $auth } = useNuxtApp();
+  const store = useAuthStore();
+  if (!$auth) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Auth plugin is not initialized"
+    });
+  }
+  if (import.meta.server) {
+    const event = useRequestEvent();
+    if (!event) return;
+    const strategyName = useCookie($auth.prefix + `strategy`).value;
+    const token = strategyName ? useCookie($auth.prefix + `_token.` + strategyName).value : null;
+    const expires = strategyName ? useCookie($auth.prefix + `_token_expiration.` + strategyName).value : null;
+    if (!validateSession(strategyName, token, expires)) {
+      return await handleLogout(strategyName, getRedirectPath(strategyName), "auth");
+    }
+    if (token) {
+      $auth.headers.set("Authorization", token);
+    }
+  }
+  if (import.meta.client) {
+    const strategy = localStorage.getItem($auth.prefix + `strategy`);
+    const token = strategy ? localStorage.getItem($auth.prefix + `_token.` + strategy) : null;
+    const expires = strategy ? localStorage.getItem($auth.prefix + `_token_expiration.` + strategy) : null;
+    if (!validateSession(strategy, token, expires) || $auth.strategy !== strategy || $auth.strategy !== store.value.strategy) {
+      return await handleLogout(strategy, getRedirectPath(strategy), "auth");
+    }
+    if (token) {
+      $auth.headers.set("Authorization", token);
+    }
+    if (!$auth.user || !$auth.loggedIn || !store.value.user || !store.value.loggedIn) {
+      return await handleLogout(strategy, getRedirectPath(strategy), "auth");
+    }
+  }
+});

package/dist/runtime/passport/plugin.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("nuxt/app").Plugin<Record<string, unknown>> & import("nuxt/app").ObjectPlugin<Record<string, unknown>>;
+export default _default;