port-nimara-client-portal/server/api/auth/refresh.ts

import { keycloakClient } from '~/server/utils/keycloak-client'

export default defineEventHandler(async (event) => {
  const startTime = Date.now()
  console.log('[REFRESH] Processing token refresh request')
  
  try {
    // Get current session
    const oidcSession = getCookie(event, 'nuxt-oidc-auth')
    
    if (!oidcSession) {
      console.error('[REFRESH] No session found')
      throw createError({
        statusCode: 401,
        statusMessage: 'No session found'
      })
    }

    let sessionData
    try {
      sessionData = JSON.parse(oidcSession)
    } catch (parseError) {
      console.error('[REFRESH] Failed to parse session:', parseError)
      throw createError({
        statusCode: 401,
        statusMessage: 'Invalid session format'
      })
    }

    // Check if we have a refresh token
    if (!sessionData.refreshToken) {
      console.error('[REFRESH] No refresh token available')
      throw createError({
        statusCode: 401,
        statusMessage: 'No refresh token available'
      })
    }

    // Validate environment variables
    const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET
    if (!clientSecret) {
      console.error('[REFRESH] KEYCLOAK_CLIENT_SECRET not configured')
      throw createError({
        statusCode: 500,
        statusMessage: 'Authentication service misconfigured'
      })
    }

    // Use refresh token to get new access token with retry logic
    console.log('[REFRESH] Using Keycloak client for token refresh...')
    const tokenResponse = await keycloakClient.refreshAccessToken(sessionData.refreshToken)

    const refreshDuration = Date.now() - startTime
    console.log(`[REFRESH] Token refresh successful in ${refreshDuration}ms:`, {
      hasAccessToken: !!tokenResponse.access_token,
      hasRefreshToken: !!tokenResponse.refresh_token,
      expiresIn: tokenResponse.expires_in
    })

    // Update session with new tokens
    const updatedSessionData = {
      ...sessionData,
      accessToken: tokenResponse.access_token,
      refreshToken: tokenResponse.refresh_token || sessionData.refreshToken, // Keep old refresh token if new one not provided
      expiresAt: Date.now() + (tokenResponse.expires_in * 1000),
      refreshedAt: Date.now()
    }

    // Set updated session cookie with proper session duration
    const sessionDuration = 8 * 60 * 60; // 8 hours in seconds
    const cookieDomain = process.env.COOKIE_DOMAIN || '.portnimara.dev';
    
    setCookie(event, 'nuxt-oidc-auth', JSON.stringify(updatedSessionData), {
      httpOnly: true,
      secure: true,
      sameSite: 'lax',
      maxAge: sessionDuration,
      domain: cookieDomain,
      path: '/'
    })

    console.log('[REFRESH] Session updated successfully')

    return {
      success: true,
      expiresAt: updatedSessionData.expiresAt
    }

  } catch (error: any) {
    console.error('[REFRESH] Token refresh failed:', error)
    
    // Clear invalid session
    const cookieDomain = process.env.COOKIE_DOMAIN || '.portnimara.dev';
    deleteCookie(event, 'nuxt-oidc-auth', {
      domain: cookieDomain,
      path: '/'
    })

    throw createError({
      statusCode: 401,
      statusMessage: 'Token refresh failed - please login again'
    })
  }
})
FEAT: Implement Keycloak client with circuit breaker and retry logic for improved authentication resilience 2025-06-17 14:50:34 +02:00			`import { keycloakClient } from '~/server/utils/keycloak-client'`

FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`export default defineEventHandler(async (event) => {`
FEAT: Implement Keycloak client with circuit breaker and retry logic for improved authentication resilience 2025-06-17 14:50:34 +02:00			`const startTime = Date.now()`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`console.log('[REFRESH] Processing token refresh request')`

			`try {`
			`// Get current session`
			`const oidcSession = getCookie(event, 'nuxt-oidc-auth')`

			`if (!oidcSession) {`
			`console.error('[REFRESH] No session found')`
			`throw createError({`
			`statusCode: 401,`
			`statusMessage: 'No session found'`
			`})`
			`}`

			`let sessionData`
			`try {`
			`sessionData = JSON.parse(oidcSession)`
			`} catch (parseError) {`
			`console.error('[REFRESH] Failed to parse session:', parseError)`
			`throw createError({`
			`statusCode: 401,`
			`statusMessage: 'Invalid session format'`
			`})`
			`}`

			`// Check if we have a refresh token`
			`if (!sessionData.refreshToken) {`
			`console.error('[REFRESH] No refresh token available')`
			`throw createError({`
			`statusCode: 401,`
			`statusMessage: 'No refresh token available'`
			`})`
			`}`

			`// Validate environment variables`
			`const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET`
			`if (!clientSecret) {`
			`console.error('[REFRESH] KEYCLOAK_CLIENT_SECRET not configured')`
			`throw createError({`
			`statusCode: 500,`
			`statusMessage: 'Authentication service misconfigured'`
			`})`
			`}`

FEAT: Implement Keycloak client with circuit breaker and retry logic for improved authentication resilience 2025-06-17 14:50:34 +02:00			`// Use refresh token to get new access token with retry logic`
			`console.log('[REFRESH] Using Keycloak client for token refresh...')`
			`const tokenResponse = await keycloakClient.refreshAccessToken(sessionData.refreshToken)`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00
FEAT: Implement Keycloak client with circuit breaker and retry logic for improved authentication resilience 2025-06-17 14:50:34 +02:00			`const refreshDuration = Date.now() - startTime`
			console.log(`[REFRESH] Token refresh successful in ${refreshDuration}ms:`, {
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`hasAccessToken: !!tokenResponse.access_token,`
			`hasRefreshToken: !!tokenResponse.refresh_token,`
			`expiresIn: tokenResponse.expires_in`
			`})`

			`// Update session with new tokens`
			`const updatedSessionData = {`
			`...sessionData,`
			`accessToken: tokenResponse.access_token,`
			`refreshToken: tokenResponse.refresh_token \|\| sessionData.refreshToken, // Keep old refresh token if new one not provided`
			`expiresAt: Date.now() + (tokenResponse.expires_in * 1000),`
			`refreshedAt: Date.now()`
			`}`

FEAT: Enhance authentication session management with configurable cookie domain and improved token refresh logic 2025-06-16 17:53:43 +02:00			`// Set updated session cookie with proper session duration`
			`const sessionDuration = 8 * 60 * 60; // 8 hours in seconds`
			`const cookieDomain = process.env.COOKIE_DOMAIN \|\| '.portnimara.dev';`

FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`setCookie(event, 'nuxt-oidc-auth', JSON.stringify(updatedSessionData), {`
			`httpOnly: true,`
			`secure: true,`
			`sameSite: 'lax',`
FEAT: Enhance authentication session management with configurable cookie domain and improved token refresh logic 2025-06-16 17:53:43 +02:00			`maxAge: sessionDuration,`
			`domain: cookieDomain,`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`path: '/'`
			`})`

			`console.log('[REFRESH] Session updated successfully')`

			`return {`
			`success: true,`
			`expiresAt: updatedSessionData.expiresAt`
			`}`

			`} catch (error: any) {`
			`console.error('[REFRESH] Token refresh failed:', error)`

			`// Clear invalid session`
FEAT: Enhance authentication session management with configurable cookie domain and improved token refresh logic 2025-06-16 17:53:43 +02:00			`const cookieDomain = process.env.COOKIE_DOMAIN \|\| '.portnimara.dev';`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`deleteCookie(event, 'nuxt-oidc-auth', {`
FEAT: Enhance authentication session management with configurable cookie domain and improved token refresh logic 2025-06-16 17:53:43 +02:00			`domain: cookieDomain,`
FEAT: Migrate authentication system from Directus to Keycloak, implementing token refresh and enhancing session management 2025-06-15 17:37:14 +02:00			`path: '/'`
			`})`

			`throw createError({`
			`statusCode: 401,`
			`statusMessage: 'Token refresh failed - please login again'`
			`})`
			`}`
			`})`