You are viewing the docs for v0.5. This is not the latest version.

Session Access and Route Protection

On the server side you can get access to the current session like this:

```ts
import { getServerSession } from '#auth'

export default eventHandler(async (event) => {
  const session = await getServerSession(event)
})
```

This is inspired by the getServerSession of NextAuth.js. It also avoids an external HTTP call to the GET /api/auth/sessions endpoint and instead calls a pure JS method directly.

Note: If you use Nuxt's useFetch from your app components to fetch data from an endpoint that uses getServerSession or getToken, you need to pass along cookies manually, because Nuxt 3 universal rendering does not do this by default when it runs on the server side. Without the cookies, getServerSession returns null when it is called from the server side, as no auth cookies exist on the request. Here's an example that manually passes along cookies:

```ts
const headers = useRequestHeaders(['cookie']) as HeadersInit
const { data: token } = await useFetch('/api/token', { headers })
```

Endpoint Protection

To protect an endpoint, check the session after fetching it:

```ts
// file: ~/server/api/protected.get.ts
import { getServerSession } from '#auth'

export default eventHandler(async (event) => {
  const session = await getServerSession(event)
  if (!session) {
    return { status: 'unauthenticated!' }
  }
  return { status: 'authenticated!' }
})
```

Server Middleware

You can also use this in a Nuxt server middleware to protect multiple pages at once and keep the authentication logic out of your endpoints:

```ts
// file: ~/server/middleware/auth.ts
import { getServerSession } from '#auth'

export default eventHandler(async (event) => {
  const session = await getServerSession(event)
  if (!session) {
    throw createError({ statusMessage: 'Unauthenticated', statusCode: 403 })
  }
})
```
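A Nuxt server middleware runs on every request, so a blanket session check like the one above also applies to the authentication endpoints themselves. The following added example (not part of the nuxt-auth docs or code base) shows a deny-by-default path check that exempts only an explicit allowlist and treats any non-canonical path as protected. `PUBLIC_PREFIXES`, `/api/health`, `isPublic` and `denyReason` are hypothetical names, and it assumes the auth routes live under `/api/auth`.

```typescript
// Added example, not nuxt-auth code. All names here are hypothetical.
type SessionLike = { user?: { name?: string } } | null
type Denial = { statusCode: number; statusMessage: string }

// Assumption: auth routes are served under /api/auth; /api/health is a
// made-up second public route to show that the list is explicit.
const PUBLIC_PREFIXES = ['/api/auth', '/api/health']

// A public path may only consist of plain segments. Percent-encoding, dot
// segments, empty segments and backslashes never qualify for the exemption,
// so a path the router might resolve differently always needs a session.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]+$/

function isPublic(rawUrl: string): boolean {
  const path = rawUrl.split('?')[0] // the query string is not part of the route
  if (path.charAt(0) !== '/') return false
  const segments = path.split('/').slice(1)
  for (let i = 0; i < segments.length; i++) {
    if (!SAFE_SEGMENT.test(segments[i])) return false
  }
  // Match on a segment boundary so /api/authx is not treated as /api/auth.
  return PUBLIC_PREFIXES.some(function (prefix) {
    return path === prefix || path.indexOf(prefix + '/') === 0
  })
}

// Returns null when the request may proceed, otherwise the error fields the
// middleware above passes to createError (same 403 / 'Unauthenticated').
function denyReason(rawUrl: string, session: SessionLike): Denial | null {
  if (isPublic(rawUrl)) return null
  if (session) return null
  return { statusCode: 403, statusMessage: 'Unauthenticated' }
}

// Inside ~/server/middleware/auth.ts the handler would call, with the
// request URL taken from the event:
//   const denial = denyReason(requestUrl, await getServerSession(event))
//   if (denial) throw createError(denial)
```
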