support not peristing tokens and last auth (#73)

* store last auth user * some comment
descope · Apr 22, 2024 · ade1c6f · ade1c6f
1 parent 3fcfd31
commit ade1c6f
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -224,6 +224,24 @@ Descope SDK is automatically refreshes the session token when it is about to exp
 If the Descope project settings are configured to manage tokens in cookies.
 you must also configure a custom domain, and set it as the `baseUrl` to the `descope` plugin. See the above [`plugin` usage](#add-descope-plugin-to-your-application) for usage example.
 
+### Token Persistence
+
+Descope stores two tokens: the session token and the refresh token.
+
+- The refresh token is either stored in local storage or an `httpOnly` cookie. This is configurable in the Descope console.
+- The session token is stored in either local storage or a JS cookie. This behavior is configurable via the `sessionTokenViaCookie` prop in the Descope plugin.
+
+However, for security reasons, you may choose not to store tokens in the browser. In this case, you can pass `persistTokens: false` to the Descope plugin. This prevents the SDK from storing the tokens in the browser.
+
+Notes:
+
+- You must configure the refresh token to be stored in an `httpOnly` cookie in the Descope console. Otherwise, the refresh token will not be stored, and when the page is refreshed, the user will be logged out.
+- You can still retrieve the session token using the `useSession` hook.
+
+### Last User Persistence
+
+Descope stores the last user information in local storage. If you wish to disable this feature, you can pass `storeLastAuthenticatedUser: false` to the Descope plugin. Please note that some features related to the last authenticated user may not function as expected if this behavior is disabled.
+
 ### Widgets
 
 Widgets are components that allow you to expose management features for tenant-based implementation. In certain scenarios, your customers may require the capability to perform managerial actions independently, alleviating the necessity to contact you. Widgets serve as a feature enabling you to delegate these capabilities to your customers in a modular manner.

diff --git a/src/Descope.vue b/src/Descope.vue
@@ -12,6 +12,7 @@
 			:telemetryKey.attr="telemetryKey"
 			:redirect-url="redirectUrl"
 			:auto-focus="autoFocus"
+			:store-last-authenticated-user="storeLastAuthenticatedUser"
 			:errorTransformer.prop="errorTransformer"
 			:form.attr="formStr"
 			:client.attr="clientStr"
@@ -88,7 +89,7 @@ const props = defineProps({
 	}
 });
 const emit = defineEmits(['success', 'error', 'ready']);
-const { projectId, baseUrl } = useOptions();
+const { projectId, baseUrl, storeLastAuthenticatedUser } = useOptions();
 const sdk = useDescope();
 
 const formStr = computed(() => (props.form ? JSON.stringify(props.form) : ''));

diff --git a/src/plugin.ts b/src/plugin.ts
@@ -19,8 +19,8 @@ export const getSdk = () => externalSdk;
 export default {
 	install: function (app: App, options: Options) {
 		const sdk = createSdk({
-			...options,
 			persistTokens: true,
+			...options,
 			autoRefresh: true,
 			baseHeaders
 		});

diff --git a/src/sdk.ts b/src/sdk.ts
@@ -9,8 +9,9 @@ const createSdkWrapper = <P extends Parameters<typeof createSdk>[0]>(
 	config: P
 ) => {
 	const sdk = createSdk({
-		...config,
 		persistTokens: IS_BROWSER as true,
+		storeLastAuthenticatedUser: IS_BROWSER as true,
+		...config,
 		autoRefresh: IS_BROWSER as true
 	});
 	globalSdk = sdk;

diff --git a/src/types.ts b/src/types.ts
@@ -4,7 +4,11 @@ import type { Ref } from 'vue';
 export type Options = {
 	projectId: string;
 	baseUrl?: string;
+	// If true, tokens will be stored on local storage
+	persistTokens?: boolean;
 	sessionTokenViaCookie?: boolean;
+	// If true, last authenticated user will be stored on local storage and can accessed with getUser function
+	storeLastAuthenticatedUser?: boolean;
 };
 
 export type Sdk = ReturnType<typeof createSdk>;

diff --git a/tests/plugin.test.ts b/tests/plugin.test.ts
@@ -23,6 +23,29 @@ describe('plugin', () => {
 
 		plugin.install(app, options);
 
+		expect(createSdk).toHaveBeenCalledWith(
+			expect.objectContaining({
+				persistTokens: true,
+				autoRefresh: true,
+				storeLastAuthenticatedUser: true,
+				...options
+			})
+		);
+	});
+
+	it('should create sdk instance with the custom config', () => {
+		const provide = jest.fn();
+		const app = { provide } as any;
+		const options = {
+			projectId: 'pid',
+			baseUrl: 'burl',
+			sessionTokenViaCookie: true,
+			persistTokens: false,
+			storeLastAuthenticatedUser: true
+		};
+
+		plugin.install(app, options);
+
 		expect(createSdk).toHaveBeenCalledWith(expect.objectContaining(options));
 	});