Session Access and Route Protection
On the server side you can get access to the current session like this:
    import { getServerSession } from '#auth'

    export default eventHandler(async (event) => {
      const session = await getServerSession(event)
    })
This is inspired by the getServerSession of NextAuth.js. It also avoids an external HTTP call to the GET /api/auth/sessions endpoint by calling a plain JavaScript method directly.
Note: If you use Nuxt's useFetch from your app components to fetch data from an endpoint that uses getServerSession or getToken, you need to pass cookies along manually, because Nuxt 3 universal rendering does not do this by default when it runs on the server side. Without the cookies, getServerSession returns null when it is called from the server side, as no auth cookies exist. Here's an example that manually passes along cookies:
    const headers = useRequestHeaders(['cookie']) as HeadersInit
    const { data: token } = await useFetch('/api/token', { headers })
Endpoint Protection
To protect an endpoint, check the session after fetching it:
    // file: ~/server/api/protected.get.ts
    import { getServerSession } from '#auth'

    export default eventHandler(async (event) => {
      const session = await getServerSession(event)
      if (!session) {
        return { status: 'unauthenticated!' }
      }
      return { status: 'authenticated!' }
    })
Server Middleware
You can also use this in a Nuxt server middleware to protect multiple pages at once and keep the authentication logic out of your endpoints:
    // file: ~/server/middleware/auth.ts
    import { getServerSession } from '#auth'

    export default eventHandler(async (event) => {
      const session = await getServerSession(event)
      if (!session) {
        throw createError({ statusMessage: 'Unauthenticated', statusCode: 403 })
      }
    })
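Nuxt server middleware runs on every request, so the session check above also applies to the auth endpoints a client needs in order to sign in. The following is an added example, not nuxt-auth code: it shows a deny-by-default route decision with an explicit public list, assuming the auth handler is mounted under /api/auth. The names AuthSession, PUBLIC_PREFIXES, canonicalPath, isPublic and decide, and the /api/health route, are hypothetical.

```typescript
// Added example, not nuxt-auth code. All names below are hypothetical.
type AuthSession = { user?: { name?: string | null } } | null
type Decision =
  | { allow: true }
  | { allow: false; statusCode: number; statusMessage: string }

// Routes reachable without a session. '/api/auth' must stay open so the
// sign-in and session endpoints still work; '/api/health' is a constructed sample.
const PUBLIC_PREFIXES = ['/api/auth', '/api/health']

// Return the canonical path, or null when the URL is not already canonical.
// null is treated as "protected", so odd encodings can never widen access.
function canonicalPath(url: string): string | null {
  const raw = url.split(/[?#]/, 1)[0] ?? ''
  let path: string
  try {
    path = decodeURIComponent(raw)
  } catch {
    return null // malformed percent-encoding
  }
  if (!path.startsWith('/') || path.includes('\\') || path.includes('//')) return null
  if (path.split('/').some(seg => seg === '.' || seg === '..')) return null
  return path.length > 1 ? path.replace(/\/$/, '') : path
}

// Match whole path segments so '/api/authx' does not inherit '/api/auth'.
function isPublic(url: string): boolean {
  const path = canonicalPath(url)
  if (path === null) return false
  return PUBLIC_PREFIXES.some(p => path === p || path.startsWith(p + '/'))
}

// Deny by default: every route that is not explicitly public needs a session.
// Status code and message are the ones used by the middleware on this page.
function decide(url: string, session: AuthSession): Decision {
  if (isPublic(url) || session !== null) return { allow: true }
  return { allow: false, statusCode: 403, statusMessage: 'Unauthenticated' }
}

// Wiring in ~/server/middleware/auth.ts (needs the Nuxt runtime, not run here):
//   const session = await getServerSession(event)
//   const d = decide(event.path, session)
//   if (!d.allow) throw createError({ statusCode: d.statusCode, statusMessage: d.statusMessage })
```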