From 8b0c7076748e022b130f7721ad6ebd4f458ffdf1 Mon Sep 17 00:00:00 2001
From: Matteioo <26168940+matteioo@users.noreply.github.com>
Date: Sat, 6 Apr 2024 14:22:43 +0200
Subject: [PATCH 1/5] Fixed misplaced comment and added comment for the duration in human-readable time.
---
 src/module.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/module.ts b/src/module.ts
index f10a35ee..e87f068c 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -54,7 +54,7 @@ const defaultsByBackend: {
 type: 'Bearer',
 cookieName: 'auth.token',
 headerName: 'Authorization',
- maxAgeInSeconds: 30 * 60,
+ maxAgeInSeconds: 30 * 60, // 30 minutes
 sameSiteAttribute: 'lax'
 },
 sessionDataType: { id: 'string | number' }
@@ -78,8 +78,8 @@ const defaultsByBackend: {
 type: 'Bearer',
 cookieName: 'auth.token',
 headerName: 'Authorization',
- maxAgeInSeconds: 5 * 60,
- sameSiteAttribute: 'none' // 5 minutes
+ maxAgeInSeconds: 5 * 60, // 5 minutes
+ sameSiteAttribute: 'none'
 },
 refreshToken: {
 signInResponseRefreshTokenPointer: '/refreshToken',
From c9141f069a561a93e6880c280351165b364df7be Mon Sep 17 00:00:00 2001
From: Matteioo <26168940+matteioo@users.noreply.github.com>
Date: Sat, 6 Apr 2024 14:42:55 +0200
Subject: [PATCH 2/5] Added secure cookie attribute for local and refresh provider.
---
 src/module.ts | 9 ++++++---
 src/runtime/composables/local/useAuthState.ts | 10 +++++++++-
 src/runtime/composables/refresh/useAuthState.ts | 3 ++-
 src/runtime/types.ts | 14 ++++++++++++++
 4 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/src/module.ts b/src/module.ts
index e87f068c..5ad98ea1 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -55,7 +55,8 @@ const defaultsByBackend: {
 cookieName: 'auth.token',
 headerName: 'Authorization',
 maxAgeInSeconds: 30 * 60, // 30 minutes
- sameSiteAttribute: 'lax'
+ sameSiteAttribute: 'lax',
+ secureCookieAttribute: false
 },
 sessionDataType: { id: 'string | number' }
 },
@@ -79,12 +80,14 @@ const defaultsByBackend: {
 cookieName: 'auth.token',
 headerName: 'Authorization',
 maxAgeInSeconds: 5 * 60, // 5 minutes
- sameSiteAttribute: 'none'
+ sameSiteAttribute: 'none',
+ secureCookieAttribute: true
 },
 refreshToken: {
 signInResponseRefreshTokenPointer: '/refreshToken',
 cookieName: 'auth.refresh-token',
- maxAgeInSeconds: 60 * 60 * 24 * 7 // 7 days
+ maxAgeInSeconds: 60 * 60 * 24 * 7, // 7 days
+ secureCookieAttribute: false
 },
 sessionDataType: { id: 'string | number' }
 },
diff --git a/src/runtime/composables/local/useAuthState.ts b/src/runtime/composables/local/useAuthState.ts
index 38877bc8..c8c5f82c 100644
--- a/src/runtime/composables/local/useAuthState.ts
+++ b/src/runtime/composables/local/useAuthState.ts
@@ -19,7 +19,15 @@ export const useAuthState = (): UseAuthStateReturn => {
 const commonAuthState = makeCommonAuthState()
 // Re-construct state from cookie, also setup a cross-component sync via a useState hack, see https://github.com/nuxt/nuxt/issues/13020#issuecomment-1397282717
- const _rawTokenCookie = useCookie(config.token.cookieName, { default: () => null, maxAge: config.token.maxAgeInSeconds, sameSite: config.token.sameSiteAttribute })
+ const _rawTokenCookie = useCookie(
+ config.token.cookieName,
+ {
+ default: () => null,
+ maxAge: config.token.maxAgeInSeconds,
+ sameSite: config.token.sameSiteAttribute,
+ secure: config.token.secureCookieAttribute
+ }
+ )
 const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)
 watch(rawToken, () => { _rawTokenCookie.value = rawToken.value })
diff --git a/src/runtime/composables/refresh/useAuthState.ts b/src/runtime/composables/refresh/useAuthState.ts
index a7b30459..82585f27 100644
--- a/src/runtime/composables/refresh/useAuthState.ts
+++ b/src/runtime/composables/refresh/useAuthState.ts
@@ -18,7 +18,8 @@ export const useAuthState = (): UseAuthStateReturn => {
 {
 default: () => null,
 maxAge: config.refreshToken.maxAgeInSeconds,
- sameSite: 'lax'
+ sameSite: 'lax',
+ secure: config.refreshToken.secureCookieAttribute
 }
 )
diff --git a/src/runtime/types.ts b/src/runtime/types.ts
index 094c446e..4f9d6f2e 100644
--- a/src/runtime/types.ts
+++ b/src/runtime/types.ts
@@ -167,6 +167,13 @@ export type ProviderLocal = {
 * @example 'strict'
 */
 sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined;
+ /**
+ * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+ *
+ * @default false
+ * @example true
+ */
+ secureCookieAttribute?: boolean;
 };
 /**
 * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.
@@ -230,6 +237,13 @@ export type ProviderLocalRefresh = Omit & {
 * Note: Your backend may reject / expire the token earlier / differently.
 */
 maxAgeInSeconds?: number;
+ /**
+ * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+ *
+ * @default false
+ * @example true
+ */
+ secureCookieAttribute?: boolean;
 };
 };
From 3bfe140c161568febf7c4f92d5edd7a542127d3b Mon Sep 17 00:00:00 2001
From: Matteioo <26168940+matteioo@users.noreply.github.com>
Date: Sat, 6 Apr 2024 21:09:47 +0200
Subject: [PATCH 3/5] Set secure attribute of token to false by default.
---
 src/module.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/module.ts b/src/module.ts
index c8ce520d..69c97203 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -81,7 +81,7 @@ const defaultsByBackend: {
 headerName: 'Authorization',
 maxAgeInSeconds: 5 * 60, // 5 minutes
 sameSiteAttribute: 'none',
- secureCookieAttribute: true
+ secureCookieAttribute: false
 },
 refreshToken: {
 signInResponseRefreshTokenPointer: '/refreshToken',
From 1643683d5ebffe93fde4d0de49cd4f776d0de049 Mon Sep 17 00:00:00 2001
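Review bot: The doc comment on the new `secureCookieAttribute` field in the `ProviderLocal` hunk (and the identical one in the `ProviderLocalRefresh` hunk below it) understates what the flag does, which matters because the wrong value makes the session cookie vanish silently. A cookie carrying the Secure attribute is only sent over HTTPS, so `true` on a plain-HTTP origin such as a local development server means the token cookie is never stored; conversely, browsers that enforce the SameSite=None-requires-Secure rule reject the cookie when `sameSiteAttribute` is `'none'` and this flag is `false`. I would reword the description in both places to: `Whether to set the Secure attribute on the cookie. A Secure cookie is only sent over HTTPS, so leave this false on plain-HTTP origins (e.g. local development); it must be true when sameSiteAttribute is 'none', otherwise browsers reject the cookie.` The same wording should be mirrored in the docs page changed by the later documentation commit.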
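Review bot: Changing this default to `secureCookieAttribute: false` while the context line directly above keeps `sameSiteAttribute: 'none'` yields a cookie combination that current browsers refuse: SameSite=None is only accepted together with the Secure attribute, so with these defaults the refresh provider's token cookie is not stored at all and every page load starts unauthenticated. Either keep `secureCookieAttribute: true` for this provider, which is what the previous commit in this series chose, or if plain-HTTP development is the motivation, change the paired default to `sameSiteAttribute: 'lax'` so the two attributes are consistent. The `defaultsByBackend` object literal this hunk edits starts and ends outside the hunk, so I cannot see whether another provider block has the same pairing.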
From: Matteioo <26168940+matteioo@users.noreply.github.com>
Date: Sun, 7 Apr 2024 14:39:58 +0200
Subject: [PATCH 4/5] Added documentation for the added secureCookieAttribute.
---
 docs/content/2.configuration/2.nuxt-config.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/docs/content/2.configuration/2.nuxt-config.md b/docs/content/2.configuration/2.nuxt-config.md
index 738460f2..5085fe06 100644
--- a/docs/content/2.configuration/2.nuxt-config.md
+++ b/docs/content/2.configuration/2.nuxt-config.md
@@ -225,6 +225,13 @@ type ProviderLocal = {
 * @example 'strict'
 */
 sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined,
+ /**
+ * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+ *
+ * @default false
+ * @example true
+ */
+ secureCookieAttribute?: boolean,
 },
 /**
 * Define an interface for the session data object that `nuxt-auth` expects to receive from the `getSession` endpoint.
@@ -362,6 +369,13 @@ type ProviderRefresh = {
 * @example 'strict'
 */
 sameSiteAttribute?: boolean | 'lax' | 'strict' | 'none' | undefined,
+ /**
+ * Whether to set the secure flag on the cookie. This is useful when the application is served over HTTPS.
+ *
+ * @default false
+ * @example true
+ */
+ secureCookieAttribute?: boolean,
 },
 /**
 * Settings for the authentication-refreshToken that `nuxt-auth` receives from the `signIn` endpoint and that can be used to authenticate subsequent requests.
From 7451d3a15f5ef314587df7b0ce98e9ae0e471780 Mon Sep 17 00:00:00 2001
From: Marsel Shayhin <18054980+phoenix-ru@users.noreply.github.com>
Date: Thu, 16 May 2024 11:51:05 +0200
Subject: [PATCH 5/5] Update useAuthState.ts
---
 src/runtime/composables/local/useAuthState.ts | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/src/runtime/composables/local/useAuthState.ts b/src/runtime/composables/local/useAuthState.ts
index f137e4aa..7047df88 100644
--- a/src/runtime/composables/local/useAuthState.ts
+++ b/src/runtime/composables/local/useAuthState.ts
@@ -25,16 +25,13 @@ export const useAuthState = (): UseAuthStateReturn => {
 const commonAuthState = makeCommonAuthState()
 // Re-construct state from cookie, also setup a cross-component sync via a useState hack, see https://github.com/nuxt/nuxt/issues/13020#issuecomment-1397282717
- const _rawTokenCookie = useCookie(
- config.token.cookieName,
- {
- default: () => null,
- domain: config.token.cookieDomain,
- maxAge: config.token.maxAgeInSeconds,
- sameSite: config.token.sameSiteAttribute,
- secure: config.token.secureCookieAttribute
- }
- )
+ const _rawTokenCookie = useCookie(config.token.cookieName, {
+ default: () => null,
+ domain: config.token.cookieDomain,
+ maxAge: config.token.maxAgeInSeconds,
+ sameSite: config.token.sameSiteAttribute,
+ secure: config.token.secureCookieAttribute
+ })
 const rawToken = useState('auth:raw-token', () => _rawTokenCookie.value)
 watch(rawToken, () => { _rawTokenCookie.value = rawToken.value })