port-nimara-client-portal/server/utils/auth.ts

/**
 * Check if the request is authenticated via either:
 * 1. x-tag header (for webhooks/external calls)
 * 2. Keycloak session (for logged-in users)
 */
export const isAuthenticated = async (event: any): Promise<boolean> => {
  // Check x-tag header authentication (existing method)
  const xTagHeader = getRequestHeader(event, "x-tag");
  if (xTagHeader && (xTagHeader === "094ut234" || xTagHeader === "pjnvü1230")) {
    console.log('[auth] Authenticated via x-tag header');
    return true;
  }

  // Check OIDC session authentication
  try {
    const oidcSession = getCookie(event, 'nuxt-oidc-auth');
    if (oidcSession) {
      console.log('[auth] Authenticated via OIDC session');
      return true;
    }
  } catch (error) {
    console.log('[auth] OIDC session check failed:', error);
  }

  console.log('[auth] No valid authentication found');
  return false;
}

export const requireAuth = async (event: any) => {
  const authenticated = await isAuthenticated(event);
  if (!authenticated) {
    console.log('[requireAuth] Authentication failed for:', event.node.req.url);
    console.log('[requireAuth] Available headers:', Object.keys(event.node.req.headers));
    console.log('[requireAuth] Available cookies:', Object.keys(event.node.req.headers.cookie ? parseCookies(event.node.req.headers.cookie) : {}));
    throw createError({ 
      statusCode: 401, 
      statusMessage: "Authentication required. Please provide x-tag header or valid session." 
    });
  }
}

function parseCookies(cookieString: string): Record<string, string> {
  return cookieString.split(';').reduce((cookies: Record<string, string>, cookie) => {
    const [name, value] = cookie.trim().split('=');
    if (name && value) {
      cookies[name] = value;
    }
    return cookies;
  }, {});
}
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`/**`
			`* Check if the request is authenticated via either:`
			`* 1. x-tag header (for webhooks/external calls)`
			`* 2. Keycloak session (for logged-in users)`
			`*/`
			`export const isAuthenticated = async (event: any): Promise<boolean> => {`
			`// Check x-tag header authentication (existing method)`
			`const xTagHeader = getRequestHeader(event, "x-tag");`
			`if (xTagHeader && (xTagHeader === "094ut234" \|\| xTagHeader === "pjnvü1230")) {`
			`console.log('[auth] Authenticated via x-tag header');`
			`return true;`
			`}`

FIX: Correct OIDC cookie name mismatch across all auth endpoints Root Cause: - Auth system was looking for 'keycloak-session' cookies - But actual OIDC system uses 'nuxt-oidc-auth' cookies - This caused authentication failures for file previews and other endpoints Files Updated: - server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie - server/api/auth/session.ts: Updated cookie name references - server/api/auth/logout.ts: Updated cookie deletion - server/api/auth/keycloak/callback.ts: Updated cookie creation Result: - File previews should now work for authenticated users - All authentication endpoints now use consistent cookie names - Both x-tag headers and OIDC sessions work correctly 2025-06-15 16:58:45 +02:00			`// Check OIDC session authentication`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`try {`
FIX: Correct OIDC cookie name mismatch across all auth endpoints Root Cause: - Auth system was looking for 'keycloak-session' cookies - But actual OIDC system uses 'nuxt-oidc-auth' cookies - This caused authentication failures for file previews and other endpoints Files Updated: - server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie - server/api/auth/session.ts: Updated cookie name references - server/api/auth/logout.ts: Updated cookie deletion - server/api/auth/keycloak/callback.ts: Updated cookie creation Result: - File previews should now work for authenticated users - All authentication endpoints now use consistent cookie names - Both x-tag headers and OIDC sessions work correctly 2025-06-15 16:58:45 +02:00			`const oidcSession = getCookie(event, 'nuxt-oidc-auth');`
			`if (oidcSession) {`
			`console.log('[auth] Authenticated via OIDC session');`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`return true;`
			`}`
			`} catch (error) {`
FIX: Correct OIDC cookie name mismatch across all auth endpoints Root Cause: - Auth system was looking for 'keycloak-session' cookies - But actual OIDC system uses 'nuxt-oidc-auth' cookies - This caused authentication failures for file previews and other endpoints Files Updated: - server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie - server/api/auth/session.ts: Updated cookie name references - server/api/auth/logout.ts: Updated cookie deletion - server/api/auth/keycloak/callback.ts: Updated cookie creation Result: - File previews should now work for authenticated users - All authentication endpoints now use consistent cookie names - Both x-tag headers and OIDC sessions work correctly 2025-06-15 16:58:45 +02:00			`console.log('[auth] OIDC session check failed:', error);`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`}`

			`console.log('[auth] No valid authentication found');`
			`return false;`
			`}`

			`export const requireAuth = async (event: any) => {`
			`const authenticated = await isAuthenticated(event);`
			`if (!authenticated) {`
DEBUG: Add auth debugging logs to identify file preview auth issue 2025-06-15 16:53:20 +02:00			`console.log('[requireAuth] Authentication failed for:', event.node.req.url);`
			`console.log('[requireAuth] Available headers:', Object.keys(event.node.req.headers));`
			`console.log('[requireAuth] Available cookies:', Object.keys(event.node.req.headers.cookie ? parseCookies(event.node.req.headers.cookie) : {}));`
FIX: Authentication for Keycloak - Phase 1 Updated core interest management endpoints: - server/api/create-interest.ts - server/api/update-interest.ts - server/api/delete-interest.ts - Created server/utils/auth.ts with dual auth support Next: Update ALL remaining API endpoints systematically 2025-06-15 16:13:22 +02:00			`throw createError({`
			`statusCode: 401,`
			`statusMessage: "Authentication required. Please provide x-tag header or valid session."`
			`});`
			`}`
			`}`
DEBUG: Add auth debugging logs to identify file preview auth issue 2025-06-15 16:53:20 +02:00
			`function parseCookies(cookieString: string): Record<string, string> {`
			`return cookieString.split(';').reduce((cookies: Record<string, string>, cookie) => {`
			`const [name, value] = cookie.trim().split('=');`
			`if (name && value) {`
			`cookies[name] = value;`
			`}`
			`return cookies;`
			`}, {});`
			`}`