enableOnWindowFocus must be used only in authenticated condition

[YoshimiShima]

Environment

• Operating System: Darwin
• Node Version: v20.11.1
• Nuxt Version: 3.12.2
• CLI Version: 3.12.0
• Nitro Version: 2.9.6
• Package Manager: [email protected]
• Builder: -
• User Config: nitro, app, components, debug, devServer, devtools, dir, experimental, googleFonts, i18n, ignore, imports, modules, routeRules, build, runtimeConfig, sourcemap, srcDir, tailwindcss, testUtils, typescript, hooks, vite, auth
• Runtime Modules: @pinia/[email protected], @vueuse/[email protected], @nuxt/test-utils/[email protected], @nuxtjs/[email protected], @nuxtjs/[email protected], @nuxtjs/[email protected], @vee-validate/[email protected], @sidebase/[email protected], @pinia-plugin-persistedstate/[email protected], @nuxt/[email protected]
• Build Modules: -

Reproduction

// nuxt.config.ts

provider: {
  type: 'refresh',
  pages: {
    login: '/login',
  },
},
 sessionRefresh: {
   enablePeriodically: 90000,
   enableOnWindowFocus: true,
 },
globalAppMiddleware: {
   isEnabled: true,
},

// login.vue

definePageMeta({
   auth: {
     unauthenticatedOnly: true,
   },
})

Describe the bug

The enableOnWindowFocus feature should not be triggered on pages that are accessible to unauthenticated users. Currently, when a user switches back to a tab containing an unauthenticated page (such as the login page of us), the refresh mechanism is still executed, which is unnecessary and potentially problematic.

In the current implementation in src/runtime/utils/refreshHandler.ts, there's an inconsistency in how enablePeriodically and enableOnWindowFocus are handled.
For enablePeriodically, there's a check for the authenticated state:

nuxt-auth/src/runtime/utils/refreshHandler.ts

Lines 35 to 42 in 9295d1f

	if (enablePeriodically !== false) {
	const intervalTime = enablePeriodically === true ? 1000 : enablePeriodically
	this.refetchIntervalTimer = setInterval(() => {
	if (this.auth?.data.value) {
	this.auth.refresh()
	}
	}, intervalTime)
	}

However, for enableOnWindowFocus, no such check exists:

nuxt-auth/src/runtime/utils/refreshHandler.ts

Lines 72 to 79 in 9295d1f

	visibilityHandler (): void {
	// Listen for when the page is visible, if the user switches tabs
	// and makes our tab visible again, re-fetch the session, but only if
	// this feature is not disabled.
	if (this.config?.enableOnWindowFocus && document.visibilityState === 'visible') {
	this.auth?.refresh()
	}
	}

To resolve this issue and ensure consistency, we should add an authentication check for enableOnWindowFocus as well. A proposed solution is to add a condition like:

if (this.config?.enableOnWindowFocus && document.visibilityState === 'visible' && this.auth?.status.value !== 
'unauthenticated') {
  this.auth?.refresh()
}

This change would prevent unnecessary refresh attempts on unauthenticated pages and align the behavior with enablePeriodically.
Thanks.

Additional context

No response

Logs

FetchError: [POST] "/app/main/api/auth/refresh": 403