After logging in I am redirected to login page when refreshing the page

[yuelongh]

Environment

---

• Operating System: Linux
• Node Version: v21.7.3
• Nuxt Version: 3.11.2
• CLI Version: 3.11.1
• Nitro Version: 2.9.6
• Package Manager: yarn@1.22.19
• Builder: -
• User Config: vite, typescript, devtools, app, pwa, modules, formkit, wcmcUserManagement, i18n, tailwindcss, build, runtimeConfig, experimental, alias, dirs, css
• Runtime Modules: @vite-pwa/nuxt@0.6.0, @vueuse/nuxt@10.9.0, @nuxt/test-utils/module@3.12.0, @nuxtjs/stylelint-module@5.2.0, @nuxtjs/eslint-module@4.1.0, @pinia/nuxt@0.5.1, @unepwcmc/user-management@0.0.39, @nuxtjs/tailwindcss@6.11.4, @nuxtjs/i18n@8.3.0, @formkit/nuxt@1.6.2
• Build Modules: -

---

Reproduction

Refresh Page after logging in

Describe the bug

Settings for nuxt-auth

{
      isEnabled: true,
      baseURL: process.env.AUTH_ORIGIN,
      provider: {
        type: 'authjs'
      },
      globalAppMiddleware: {
        isEnabled: true,
        allow404WithoutAuth: true
      }
    }

I am experiencing a weird behaviour that after logging in if I don't refresh the page everything works fine.
However, once I refresh the page then I can see from browser dev tool the value of __Host-next-auth.csrf-token keeps changing then it redirects me to the login page and becomes unauthenticated but it does now keep changing when running in dev mode

I found a solution from another post it did help a bit when so when I have following on my page then it remaining authenticated after refreshing the page but still redirects me to login page

const { getSession } = useAuth()
onMounted(() => {
  getSession({ force: true })
})

Additional context

nuxt-auth versions used 6.3, 7.0, 7.1, 7.2

I have the globalAppMiddleware set to true and I noticed that when const { status } = useAuth(); is called in middleware
node_modules/@sidebase/nuxt-auth/dist/runtime/middleware/auth.mjs status returns unauthenticated then it redirects me to the sign in page but I am already signed in at the point.

Reason of the behaviour -- updated on 21May

After some investigations that I found out because I have Nginx reverse proxy.
So Nginx appends the header of "x-forwarded-proto": "HTTP"
if I force that to be "x-forwarded-proto": "HTTPS" then everything works fine again so it was "x-forwarded-proto" causing the issue I was wondering if anyone knows the reason behind this?

Logs

No response

[mbellamyy]

I have the same issue with refresh. Super super frustrating.

[yuelongh]

I have the same issue with refresh. Super super frustrating.

have you tried to add x-forwarded-proto: https from your proxy manager?

to help debug

I also tried to copy the codes in the middleware
/node_modules/@sidebase/nuxt-auth/dist/runtime/middleware/auth.mjs

and use the code in the file to recreate my own global middleware in my Nuxt to see all values and to see where was the problem that's where I found status becomes unauthenticated in the middleware when x-forwarded-proto header has HTTP as the value

make sure you have this structure 01.xxxxxx.global.ts as the file name so it can be triggered before anything else + globally

[mbellamyy]

I have the same issue with refresh. Super super frustrating.

have you tried to add x-forwarded-proto: https from your proxy manager?

to help debug

I also tried to copy the codes in the middleware /node_modules/@sidebase/nuxt-auth/dist/runtime/middleware/auth.mjs

and use the code in the file to recreate my own global middleware in my Nuxt to see all values and to see where was the problem that's where I found status becomes unauthenticated in the middleware when x-forwarded-proto header has HTTP as the value

make sure you have this structure 01.xxxxxx.global.ts as the file name so it can be triggered before anything else + globally

I have not enabled the globalMiddleware from sidebase-auth settings.

I also don't have a reverse proxy, although I do have a server middleware (in nuxt) that redirects http to https.
It exactly checks if x-forwarded-proto is HTTP and redirects to https if it is. But I can't seem to be able to trigger that case even if I explicitly use http in the request.

I'm dealing with this in production. Whenever I deploy my app, everything is fine, people log in and stay logged in across refreshs. But after a couple of hours, it's your post happening all over again.

[mbellamyy]

This is quite an important issue on quite a basic requirement.
#744 and #743 and #732 seem to be the same problem.
Can someone please look into this?