port-nimara-client-portal/middleware/authentication.ts

export default defineNuxtRouteMiddleware(async (to) => {
  // Skip auth for SSR
  if (import.meta.server) return;

  // Check if auth is required (default true unless explicitly set to false)
  const isAuthRequired = to.meta.auth !== false;
  
  if (!isAuthRequired) {
    return;
  }

  try {
    // Check Directus auth first
    const { fetchUser, setUser } = useDirectusAuth();
    const directusUser = useDirectusUser();
    
    if (!directusUser.value) {
      try {
        const user = await fetchUser();
        setUser(user.value);
      } catch (error) {
        // Directus auth failed, continue to check custom Keycloak auth
      }
    }

    if (directusUser.value) {
      // User authenticated with Directus
      return;
    }

    // Check custom Keycloak auth via session API
    try {
      const sessionData = await $fetch('/api/auth/session') as any;
      if (sessionData.authenticated && sessionData.user) {
        // User authenticated with Keycloak
        return;
      }
    } catch (error) {
      // Session check failed, continue to redirect
    }

    // No authentication found, redirect to login
    return navigateTo('/login');
    
  } catch (error) {
    console.error('Auth middleware error:', error);
    return navigateTo('/login');
  }
});
Implement Keycloak authentication integration and unify user management 2025-06-14 14:09:56 +02:00			`export default defineNuxtRouteMiddleware(async (to) => {`
			`// Skip auth for SSR`
			`if (import.meta.server) return;`
feat: add files 2025-02-16 13:10:19 +01:00
Implement Keycloak authentication integration and unify user management 2025-06-14 14:09:56 +02:00			`// Check if auth is required (default true unless explicitly set to false)`
			`const isAuthRequired = to.meta.auth !== false;`

MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration ## SOLUTION: Migrate to Server-Side OIDC Authentication This completely replaces the problematic keycloak-js client-side implementation with nuxt-oidc-auth, eliminating all CORS and iframe issues. ### Benefits: - No more CORS errors - Server-side OAuth flow - No iframe dependencies - Eliminates cross-domain issues - Works with nginx proxy - No proxy configuration conflicts - Better security - Tokens handled server-side - Cleaner integration - Native Nuxt patterns - Maintains Directus compatibility - Dual auth support ### Installation & Configuration: - Added uxt-oidc-auth module to nuxt.config.ts - Configured Keycloak provider with proper OIDC settings - Updated environment variables for security keys ### Code Changes: #### Authentication Flow: - middleware/authentication.ts - Updated to check both Directus + OIDC auth - composables/useUnifiedAuth.ts - Migrated to use useOidcAuth() - pages/login.vue - Updated SSO button to use oidcLogin('keycloak') #### Configuration: - nuxt.config.ts - Added OIDC provider configuration - .env.example - Updated with nuxt-oidc-auth environment variables - Removed old Keycloak runtime config #### Cleanup: - Removed keycloak-js dependency from package.json - Deleted obsolete files: - composables/useKeycloak.ts - pages/auth/callback.vue - server/utils/keycloak-oauth.ts - server/api/debug/ directory ### Authentication Routes (Auto-Generated): - /auth/keycloak/login - SSO login endpoint - /auth/keycloak/logout - SSO logout endpoint - /auth/keycloak/callback - OAuth callback (handled automatically) ### Security Setup Required: Environment variables needed for production: - NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET - NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key) - NUXT_OIDC_SESSION_SECRET (48-character random string) - NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string) ### Expected Results: SSO login should work without CORS errors Compatible with nginx proxy setup Maintains existing Directus authentication Server-side session management Automatic token refresh Ready for container rebuild and production testing! 2025-06-14 15:58:03 +02:00			`if (!isAuthRequired) {`
			`return;`
			`}`

Fix SSR and defensive coding for Keycloak integration - Add proper SSR guards and error handling - Make authentication middleware more defensive - Add null checks in useUnifiedAuth composable - Prevent JavaScript errors from breaking page load - Prioritize Directus auth over Keycloak for stability 2025-06-14 15:01:45 +02:00			`try {`
MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration ## SOLUTION: Migrate to Server-Side OIDC Authentication This completely replaces the problematic keycloak-js client-side implementation with nuxt-oidc-auth, eliminating all CORS and iframe issues. ### Benefits: - No more CORS errors - Server-side OAuth flow - No iframe dependencies - Eliminates cross-domain issues - Works with nginx proxy - No proxy configuration conflicts - Better security - Tokens handled server-side - Cleaner integration - Native Nuxt patterns - Maintains Directus compatibility - Dual auth support ### Installation & Configuration: - Added uxt-oidc-auth module to nuxt.config.ts - Configured Keycloak provider with proper OIDC settings - Updated environment variables for security keys ### Code Changes: #### Authentication Flow: - middleware/authentication.ts - Updated to check both Directus + OIDC auth - composables/useUnifiedAuth.ts - Migrated to use useOidcAuth() - pages/login.vue - Updated SSO button to use oidcLogin('keycloak') #### Configuration: - nuxt.config.ts - Added OIDC provider configuration - .env.example - Updated with nuxt-oidc-auth environment variables - Removed old Keycloak runtime config #### Cleanup: - Removed keycloak-js dependency from package.json - Deleted obsolete files: - composables/useKeycloak.ts - pages/auth/callback.vue - server/utils/keycloak-oauth.ts - server/api/debug/ directory ### Authentication Routes (Auto-Generated): - /auth/keycloak/login - SSO login endpoint - /auth/keycloak/logout - SSO logout endpoint - /auth/keycloak/callback - OAuth callback (handled automatically) ### Security Setup Required: Environment variables needed for production: - NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET - NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key) - NUXT_OIDC_SESSION_SECRET (48-character random string) - NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string) ### Expected Results: SSO login should work without CORS errors Compatible with nginx proxy setup Maintains existing Directus authentication Server-side session management Automatic token refresh Ready for container rebuild and production testing! 2025-06-14 15:58:03 +02:00			`// Check Directus auth first`
Fix SSR and defensive coding for Keycloak integration - Add proper SSR guards and error handling - Make authentication middleware more defensive - Add null checks in useUnifiedAuth composable - Prevent JavaScript errors from breaking page load - Prioritize Directus auth over Keycloak for stability 2025-06-14 15:01:45 +02:00			`const { fetchUser, setUser } = useDirectusAuth();`
			`const directusUser = useDirectusUser();`

			`if (!directusUser.value) {`
			`try {`
			`const user = await fetchUser();`
			`setUser(user.value);`
			`} catch (error) {`
FIX: Authentication middleware for custom Keycloak auth ## Fixed 502 Error After Login: ### Issue: - After successful Keycloak authentication, users got 502 Bad Gateway error - Middleware was still trying to use removed useOidcAuth() composable - This caused the app to crash when accessing dashboard ### Solution: - Replaced useOidcAuth() with direct session API call - Uses /api/auth/session endpoint to check authentication - Maintains dual auth support (Directus + Keycloak) - Added proper error handling to prevent crashes ### Authentication Flow Now: 1. Check Directus auth first (existing users) 2. Check custom Keycloak session via API call 3. Allow access if either authentication succeeds 4. Redirect to login if no authentication found ### Files Changed: - middleware/authentication.ts - Updated to use custom auth system ## Result: The complete authentication flow should now work: 1. Login via Keycloak SSO 2. Token exchange and session creation 3. Middleware validates session properly 4. Dashboard loads without 502 errors ## Ready to Test: Deploy and test the complete SSO flow - should work end-to-end! 2025-06-15 15:47:36 +02:00			`// Directus auth failed, continue to check custom Keycloak auth`
Fix SSR and defensive coding for Keycloak integration - Add proper SSR guards and error handling - Make authentication middleware more defensive - Add null checks in useUnifiedAuth composable - Prevent JavaScript errors from breaking page load - Prioritize Directus auth over Keycloak for stability 2025-06-14 15:01:45 +02:00			`}`
			`}`
feat: add files 2025-02-16 13:10:19 +01:00
Fix SSR and defensive coding for Keycloak integration - Add proper SSR guards and error handling - Make authentication middleware more defensive - Add null checks in useUnifiedAuth composable - Prevent JavaScript errors from breaking page load - Prioritize Directus auth over Keycloak for stability 2025-06-14 15:01:45 +02:00			`if (directusUser.value) {`
			`// User authenticated with Directus`
			`return;`
			`}`
feat: add files 2025-02-16 13:10:19 +01:00
FIX: Authentication middleware for custom Keycloak auth ## Fixed 502 Error After Login: ### Issue: - After successful Keycloak authentication, users got 502 Bad Gateway error - Middleware was still trying to use removed useOidcAuth() composable - This caused the app to crash when accessing dashboard ### Solution: - Replaced useOidcAuth() with direct session API call - Uses /api/auth/session endpoint to check authentication - Maintains dual auth support (Directus + Keycloak) - Added proper error handling to prevent crashes ### Authentication Flow Now: 1. Check Directus auth first (existing users) 2. Check custom Keycloak session via API call 3. Allow access if either authentication succeeds 4. Redirect to login if no authentication found ### Files Changed: - middleware/authentication.ts - Updated to use custom auth system ## Result: The complete authentication flow should now work: 1. Login via Keycloak SSO 2. Token exchange and session creation 3. Middleware validates session properly 4. Dashboard loads without 502 errors ## Ready to Test: Deploy and test the complete SSO flow - should work end-to-end! 2025-06-15 15:47:36 +02:00			`// Check custom Keycloak auth via session API`
			`try {`
			`const sessionData = await $fetch('/api/auth/session') as any;`
			`if (sessionData.authenticated && sessionData.user) {`
			`// User authenticated with Keycloak`
			`return;`
			`}`
			`} catch (error) {`
			`// Session check failed, continue to redirect`
Implement Official Keycloak JS Adapter with Proxy-Aware Configuration MAJOR ENHANCEMENT: Complete Keycloak integration with proper HTTPS/proxy handling ## Core Improvements: ### 1. Enhanced Configuration (nuxt.config.ts) - Added proxy trust configuration for nginx environments - Configured baseUrl for production HTTPS enforcement - Added debug mode configuration for development ### 2. Proxy-Aware Keycloak Composable (composables/useKeycloak.ts) - Intelligent base URL detection (production vs development) - Force HTTPS redirect URIs in production environments - Enhanced debugging and logging capabilities - Proper PKCE implementation for security - Automatic token refresh mechanism ### 3. Dual Authentication System - Updated middleware to support both Directus and Keycloak - Enhanced useUnifiedAuth for seamless auth source switching - Maintains backward compatibility with existing Directus users ### 4. OAuth Flow Implementation - Created proper callback handler (pages/auth/callback.vue) - Comprehensive error handling and user feedback - Automatic redirect to dashboard on success ### 5. Enhanced Login Experience (pages/login.vue) - Restored SSO login button with proper error handling - Maintained existing Directus login form - Clear separation between auth methods with visual divider ### 6. Comprehensive Testing Suite (pages/dashboard/keycloak-test.vue) - Real-time configuration display - Authentication status monitoring - Interactive testing tools - Detailed debug logging system ## Technical Solutions: Proxy Detection: Automatically detects nginx proxy and uses correct HTTPS URLs HTTPS Enforcement: Forces secure redirect URIs in production Error Handling: Comprehensive error catching with user-friendly messages Debug Capabilities: Enhanced logging for troubleshooting Security: Implements PKCE and secure token handling ## Infrastructure Compatibility: - Works with nginx reverse proxy setups - Compatible with Docker container networking - Handles SSL termination at proxy level - Supports both development and production environments This implementation specifically addresses the HTTP/HTTPS redirect URI mismatch that was causing 'unauthorized_client' errors in the proxy environment. 2025-06-14 15:26:26 +02:00			`}`

MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration ## SOLUTION: Migrate to Server-Side OIDC Authentication This completely replaces the problematic keycloak-js client-side implementation with nuxt-oidc-auth, eliminating all CORS and iframe issues. ### Benefits: - No more CORS errors - Server-side OAuth flow - No iframe dependencies - Eliminates cross-domain issues - Works with nginx proxy - No proxy configuration conflicts - Better security - Tokens handled server-side - Cleaner integration - Native Nuxt patterns - Maintains Directus compatibility - Dual auth support ### Installation & Configuration: - Added uxt-oidc-auth module to nuxt.config.ts - Configured Keycloak provider with proper OIDC settings - Updated environment variables for security keys ### Code Changes: #### Authentication Flow: - middleware/authentication.ts - Updated to check both Directus + OIDC auth - composables/useUnifiedAuth.ts - Migrated to use useOidcAuth() - pages/login.vue - Updated SSO button to use oidcLogin('keycloak') #### Configuration: - nuxt.config.ts - Added OIDC provider configuration - .env.example - Updated with nuxt-oidc-auth environment variables - Removed old Keycloak runtime config #### Cleanup: - Removed keycloak-js dependency from package.json - Deleted obsolete files: - composables/useKeycloak.ts - pages/auth/callback.vue - server/utils/keycloak-oauth.ts - server/api/debug/ directory ### Authentication Routes (Auto-Generated): - /auth/keycloak/login - SSO login endpoint - /auth/keycloak/logout - SSO logout endpoint - /auth/keycloak/callback - OAuth callback (handled automatically) ### Security Setup Required: Environment variables needed for production: - NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET - NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key) - NUXT_OIDC_SESSION_SECRET (48-character random string) - NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string) ### Expected Results: SSO login should work without CORS errors Compatible with nginx proxy setup Maintains existing Directus authentication Server-side session management Automatic token refresh Ready for container rebuild and production testing! 2025-06-14 15:58:03 +02:00			`// No authentication found, redirect to login`
			`return navigateTo('/login');`

Fix SSR and defensive coding for Keycloak integration - Add proper SSR guards and error handling - Make authentication middleware more defensive - Add null checks in useUnifiedAuth composable - Prevent JavaScript errors from breaking page load - Prioritize Directus auth over Keycloak for stability 2025-06-14 15:01:45 +02:00			`} catch (error) {`
			`console.error('Auth middleware error:', error);`
MAJOR: Replace keycloak-js with nuxt-oidc-auth for seamless SSO integration ## SOLUTION: Migrate to Server-Side OIDC Authentication This completely replaces the problematic keycloak-js client-side implementation with nuxt-oidc-auth, eliminating all CORS and iframe issues. ### Benefits: - No more CORS errors - Server-side OAuth flow - No iframe dependencies - Eliminates cross-domain issues - Works with nginx proxy - No proxy configuration conflicts - Better security - Tokens handled server-side - Cleaner integration - Native Nuxt patterns - Maintains Directus compatibility - Dual auth support ### Installation & Configuration: - Added uxt-oidc-auth module to nuxt.config.ts - Configured Keycloak provider with proper OIDC settings - Updated environment variables for security keys ### Code Changes: #### Authentication Flow: - middleware/authentication.ts - Updated to check both Directus + OIDC auth - composables/useUnifiedAuth.ts - Migrated to use useOidcAuth() - pages/login.vue - Updated SSO button to use oidcLogin('keycloak') #### Configuration: - nuxt.config.ts - Added OIDC provider configuration - .env.example - Updated with nuxt-oidc-auth environment variables - Removed old Keycloak runtime config #### Cleanup: - Removed keycloak-js dependency from package.json - Deleted obsolete files: - composables/useKeycloak.ts - pages/auth/callback.vue - server/utils/keycloak-oauth.ts - server/api/debug/ directory ### Authentication Routes (Auto-Generated): - /auth/keycloak/login - SSO login endpoint - /auth/keycloak/logout - SSO logout endpoint - /auth/keycloak/callback - OAuth callback (handled automatically) ### Security Setup Required: Environment variables needed for production: - NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET - NUXT_OIDC_TOKEN_KEY (base64 encoded 32-byte key) - NUXT_OIDC_SESSION_SECRET (48-character random string) - NUXT_OIDC_AUTH_SESSION_SECRET (48-character random string) ### Expected Results: SSO login should work without CORS errors Compatible with nginx proxy setup Maintains existing Directus authentication Server-side session management Automatic token refresh Ready for container rebuild and production testing! 2025-06-14 15:58:03 +02:00			`return navigateTo('/login');`
feat: add files 2025-02-16 13:10:19 +01:00			`}`
			`});`