[Fixed] Handle shared session with frontend micro services and Nuxt Auth Utils
Hey, I'm currently looking to implement nuxtAuthUtils on multiple frontend Nuxt apps that share the same session. My idea was to have one main Nuxt app with only the backend routes needed for authentication (/auth/{service}.get.ts, etc.), but useUserSession will only fetch the session from the current Nuxt instance, from what I can see.
I was thinking of reimplementing the useUserSession composable so that it requests the main auth app like this: {appUrl}/api/_auth/session instead of just /api/_auth/session, with each app sharing the same NUXT_SESSION_PASSWORD. Do you think it would work?
3 Replies
Hi @Numil. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Your approach—centralizing authentication backend routes in a main Nuxt app and having multiple frontend Nuxt apps share the same session—is logical, but there are important considerations and some limitations based on the available information.
What Nuxt Auth Utils Supports
- Session Storage: nuxt-auth-utils uses sealed cookies (encrypted with NUXT_SESSION_PASSWORD) to store session data. This means that, in theory, if all your frontend apps share the same domain (or a parent domain) and the same NUXT_SESSION_PASSWORD, the session cookie could be read by each app, provided the cookie is set with the correct domain and path attributes. However, the documentation does not explicitly cover multi-app or cross-origin session sharing scenarios, so this is not officially supported or documented behavior (Sessions and Authentication).
- useUserSession: This composable fetches the session from the current Nuxt instance’s /api/_auth/session endpoint. Out of the box, it does not support fetching the session from a remote or external Nuxt app. Your idea to reimplement useUserSession to fetch from {appUrl}/api/_auth/session is technically feasible, but it is not covered in the official documentation, so you would be venturing into custom territory.
Key Considerations
- Cookie Domain: For session cookies to be accessible across multiple frontend apps, they must be set with a domain that encompasses all your apps (e.g., .example.com for app1.example.com and app2.example.com). If your apps are on different domains, browser security policies will prevent cookie sharing.
- CORS and Security: If you fetch session data from a remote app (e.g., via {appUrl}/api/_auth/session), you must ensure CORS is properly configured and that sensitive data is not exposed to unauthorized origins.
- Reimplementing useUserSession: The documentation does not provide guidance on customizing useUserSession to fetch from a remote endpoint. While your approach is reasonable, you would need to handle edge cases such as session refresh, error handling, and synchronization yourself.
Summary
- Sharing sessions between multiple Nuxt frontend apps using nuxt-auth-utils is not officially documented or supported.
- Your approach (customizing useUserSession to fetch from a central auth app and sharing NUXT_SESSION_PASSWORD) could work if all apps share the same cookie domain and you handle CORS/security correctly, but you will need to implement and test this yourself.
- There is no explicit support or example for this scenario in the official documentation or recipes (Sessions and Authentication).
If you proceed, be sure to thoroughly test cross-app session behavior, especially around login, logout, and session expiration.
If you need official support for this pattern, consider opening a discussion or feature request in the nuxt-auth-utils repository or Nuxt discussions.
---
References:
- Sessions and Authentication
- nuxt-auth-utils GitHub
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
<@108292831583440896> Kapa.ai is still learning and improving, please let me know how I did by reacting below.
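The cookie-domain consideration from the answer above, as an added example that is not part of the original thread or of nuxt-auth-utils: a simplified model of the RFC 6265 rules a browser applies when storing and sending a cookie. Hostnames and function names are constructed for illustration, and the public-suffix check real browsers perform is omitted.

```javascript
// Added illustration: RFC 6265 cookie scoping for a shared session cookie.
// Hostnames are constructed; the public-suffix check of real browsers is omitted.

// RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Model how a browser stores a cookie set by `originHost`.
// Returns null when the cookie is rejected.
function storeCookie(originHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact origin host.
    return { domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  // A server may only set a cookie for its own host or a parent of it.
  if (!domainMatch(originHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Which of the given app hosts receive the session cookie.
function reachableApps(originHost, domainAttr, appHosts) {
  const cookie = storeCookie(originHost, domainAttr);
  return appHosts.filter((h) => isSentTo(cookie, h));
}

const apps = ['auth.example.com', 'app1.example.com', 'app2.example.com', 'app.example.org'];
console.log(reachableApps('auth.example.com', undefined, apps));      // host-only cookie
console.log(reachableApps('auth.example.com', '.example.com', apps)); // parent-domain cookie
console.log(reachableApps('auth.example.com', 'example.org', apps));  // rejected by the browser
```

A cookie scoped to the parent domain reaches every subdomain, including ones that are not part of the auth setup, so every host under that domain has to be trusted with the sealed session cookie.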
OMFG, I had a shower thought. I was dumb: if I just use a cross-website Nuxt session cookie, it will just work anywhere. I just need to implement the Nuxt layer we already implemented with the OAuth config for the refresh. Well, this is fixed, I was just dumb.
I came to this solution when I thought: “But wait, our multiple AWS instances already manage a session on another website, I must have been blindsided.”