port-nimara-client-portal/server/utils/auth.ts

/**
 * Check if the request is authenticated via Keycloak OIDC session
 */
export const isAuthenticated = async (event: any): Promise<boolean> => {
  console.log('[auth] Checking authentication for:', event.node.req.url);

  // Check OIDC session authentication
  try {
    const oidcSession = getCookie(event, 'nuxt-oidc-auth');
    console.log('[auth] OIDC session cookie:', oidcSession ? 'present' : 'not found');
    
    if (!oidcSession) {
      console.log('[auth] No OIDC session found');
      return false;
    }

    // Parse and validate session data
    let sessionData;
    try {
      sessionData = JSON.parse(oidcSession);
    } catch (parseError) {
      console.error('[auth] Failed to parse session cookie:', parseError);
      return false;
    }

    // Validate session structure
    if (!sessionData.user || !sessionData.accessToken) {
      console.error('[auth] Invalid session structure:', {
        hasUser: !!sessionData.user,
        hasAccessToken: !!sessionData.accessToken
      });
      return false;
    }

    // Check if session is still valid
    if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
      console.log('[auth] Session expired:', {
        expiresAt: sessionData.expiresAt,
        currentTime: Date.now(),
        expiredSince: Date.now() - sessionData.expiresAt
      });
      return false;
    }

    console.log('[auth] Valid OIDC session found for user:', {
      id: sessionData.user.id,
      email: sessionData.user.email
    });
    return true;

  } catch (error) {
    console.error('[auth] OIDC session check failed:', error);
    return false;
  }
}

export const requireAuth = async (event: any) => {
  const authenticated = await isAuthenticated(event);
  if (!authenticated) {
    console.log('[requireAuth] Authentication failed for:', event.node.req.url);
    console.log('[requireAuth] Available cookies:', Object.keys(event.node.req.headers.cookie ? parseCookies(event.node.req.headers.cookie) : {}));
    throw createError({ 
      statusCode: 401, 
      statusMessage: "Authentication required. Please login with Keycloak." 
    });
  }
}

/**
 * Get the authenticated user from the session
 */
export const getAuthenticatedUser = async (event: any): Promise<any | null> => {
  try {
    const oidcSession = getCookie(event, 'nuxt-oidc-auth');
    
    if (!oidcSession) {
      return null;
    }

    const sessionData = JSON.parse(oidcSession);
    
    // Validate session
    if (!sessionData.user || !sessionData.accessToken) {
      return null;
    }

    // Check if session is still valid
    if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
      return null;
    }

    return sessionData.user;
  } catch (error) {
    console.error('[getAuthenticatedUser] Error:', error);
    return null;
  }
}

function parseCookies(cookieString: string): Record<string, string> {
  return cookieString.split(';').reduce((cookies: Record<string, string>, cookie) => {
    const [name, value] = cookie.trim().split('=');
    if (name && value) {
      cookies[name] = value;
    }
    return cookies;
  }, {});
}
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`/**`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`* Check if the request is authenticated via Keycloak OIDC session`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`*/`
			`export const isAuthenticated = async (event: any): Promise<boolean> => {`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`console.log('[auth] Checking authentication for:', event.node.req.url);`
FEAT: Unified Authentication System - Support Both Directus and Keycloak Users Problem Solved: - File previews failing due to unsupported Directus authentication - Encrypted OIDC cookies causing JSON parse errors - Need both Directus and Keycloak users to access same dashboard Changes: - server/utils/auth.ts: Added Directus token validation alongside OIDC - server/api/auth/session.ts: Support both auth methods with proper user data - server/api/auth/logout.ts: Clear appropriate cookies based on auth method Authentication Methods Now Supported: 1. X-tag headers (webhooks/external calls) 2. Directus tokens (existing Directus users) 3. OIDC sessions (Keycloak users, encrypted or plain) Result: - Both Directus and Keycloak users can access dashboard - File previews work for all authenticated users - Proper logout handling for each auth method - No more JSON parse errors for encrypted OIDC cookies 2025-06-15 17:03:42 +02:00
FIX: Correct OIDC cookie name mismatch across all auth endpoints Root Cause: - Auth system was looking for 'keycloak-session' cookies - But actual OIDC system uses 'nuxt-oidc-auth' cookies - This caused authentication failures for file previews and other endpoints Files Updated: - server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie - server/api/auth/session.ts: Updated cookie name references - server/api/auth/logout.ts: Updated cookie deletion - server/api/auth/keycloak/callback.ts: Updated cookie creation Result: - File previews should now work for authenticated users - All authentication endpoints now use consistent cookie names - Both x-tag headers and OIDC sessions work correctly 2025-06-15 16:58:45 +02:00			`// Check OIDC session authentication`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`try {`
FIX: Correct OIDC cookie name mismatch across all auth endpoints Root Cause: - Auth system was looking for 'keycloak-session' cookies - But actual OIDC system uses 'nuxt-oidc-auth' cookies - This caused authentication failures for file previews and other endpoints Files Updated: - server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie - server/api/auth/session.ts: Updated cookie name references - server/api/auth/logout.ts: Updated cookie deletion - server/api/auth/keycloak/callback.ts: Updated cookie creation Result: - File previews should now work for authenticated users - All authentication endpoints now use consistent cookie names - Both x-tag headers and OIDC sessions work correctly 2025-06-15 16:58:45 +02:00			`const oidcSession = getCookie(event, 'nuxt-oidc-auth');`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`console.log('[auth] OIDC session cookie:', oidcSession ? 'present' : 'not found');`
DEBUG: Add detailed OIDC cookie debugging for file preview issues - Added logging for OIDC session presence and type detection - Will help identify why OIDC cookies aren't being sent during file preview requests - Keycloak login works but file previews fail due to missing OIDC cookie 2025-06-15 17:06:01 +02:00
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`if (!oidcSession) {`
			`console.log('[auth] No OIDC session found');`
			`return false;`
			`}`

			`// Parse and validate session data`
			`let sessionData;`
			`try {`
			`sessionData = JSON.parse(oidcSession);`
			`} catch (parseError) {`
			`console.error('[auth] Failed to parse session cookie:', parseError);`
			`return false;`
			`}`

			`// Validate session structure`
			`if (!sessionData.user \|\| !sessionData.accessToken) {`
			`console.error('[auth] Invalid session structure:', {`
			`hasUser: !!sessionData.user,`
			`hasAccessToken: !!sessionData.accessToken`
			`});`
			`return false;`
			`}`

			`// Check if session is still valid`
			`if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {`
			`console.log('[auth] Session expired:', {`
			`expiresAt: sessionData.expiresAt,`
			`currentTime: Date.now(),`
			`expiredSince: Date.now() - sessionData.expiresAt`
			`});`
			`return false;`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`}`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00
			`console.log('[auth] Valid OIDC session found for user:', {`
			`id: sessionData.user.id,`
			`email: sessionData.user.email`
			`});`
			`return true;`

FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`} catch (error) {`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`console.error('[auth] OIDC session check failed:', error);`
			`return false;`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`}`
			`}`

			`export const requireAuth = async (event: any) => {`
			`const authenticated = await isAuthenticated(event);`
			`if (!authenticated) {`
DEBUG: Add auth debugging logs to identify file preview auth issue 2025-06-15 16:53:20 +02:00			`console.log('[requireAuth] Authentication failed for:', event.node.req.url);`
			`console.log('[requireAuth] Available cookies:', Object.keys(event.node.req.headers.cookie ? parseCookies(event.node.req.headers.cookie) : {}));`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`throw createError({`
			`statusCode: 401,`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`statusMessage: "Authentication required. Please login with Keycloak."`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`});`
			`}`
			`}`
DEBUG: Add auth debugging logs to identify file preview auth issue 2025-06-15 16:53:20 +02:00
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`/**`
			`* Get the authenticated user from the session`
			`*/`
			`export const getAuthenticatedUser = async (event: any): Promise<any \| null> => {`
			`try {`
			`const oidcSession = getCookie(event, 'nuxt-oidc-auth');`

			`if (!oidcSession) {`
			`return null;`
			`}`

			`const sessionData = JSON.parse(oidcSession);`

			`// Validate session`
			`if (!sessionData.user \|\| !sessionData.accessToken) {`
			`return null;`
			`}`

			`// Check if session is still valid`
			`if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {`
			`return null;`
			`}`

			`return sessionData.user;`
			`} catch (error) {`
			`console.error('[getAuthenticatedUser] Error:', error);`
			`return null;`
			`}`
			`}`

DEBUG: Add auth debugging logs to identify file preview auth issue 2025-06-15 16:53:20 +02:00			`function parseCookies(cookieString: string): Record<string, string> {`
			`return cookieString.split(';').reduce((cookies: Record<string, string>, cookie) => {`
			`const [name, value] = cookie.trim().split('=');`
			`if (name && value) {`
			`cookies[name] = value;`
			`}`
			`return cookies;`
			`}, {});`
			`}`