port-nimara-client-portal/middleware/authentication.ts

export default defineNuxtRouteMiddleware(async (to) => {
  // Skip auth for SSR
  if (import.meta.server) return;

  // Check if auth is required (default true unless explicitly set to false)
  const isAuthRequired = to.meta.auth !== false;
  
  // Check Keycloak auth first
  const oidc = useOidc();
  if (oidc.isLoggedIn) {
    // User authenticated with Keycloak
    return;
  }

  // Fall back to Directus auth
  const { fetchUser, setUser } = useDirectusAuth();
  const directusUser = useDirectusUser();
  
  if (!directusUser.value) {
    const user = await fetchUser();
    setUser(user.value);
  }

  if (directusUser.value) {
    // User authenticated with Directus
    return;
  }

  // No authentication found
  if (isAuthRequired) {
    // Redirect to login page
    return navigateTo('/login');
  }
});