From 711e99d8abdae55c80839d2f49fcc925141b1c25 Mon Sep 17 00:00:00 2001
From: Matt
Date: Sun, 15 Jun 2025 16:34:27 +0200
Subject: [PATCH] KEYCLOAK AUTH FIX: Phase 4b - Additional File Endpoints
**UPDATED ENDPOINTS (3 additional):**
- files/list-with-attachments.ts (CRITICAL: was using old auth)
- files/proxy-preview.ts (SECURITY ISSUE: had NO auth)
- files/proxy-download.ts (SECURITY ISSUE: had NO auth)
**AUTHENTICATION:** All now support dual auth:
- x-tag header (webhooks/external calls)
- Keycloak session (logged-in users)
**PROGRESS:** 31/47 endpoints completed (~66%)
**TOTAL UPDATED TODAY:** 14 endpoints
**READY TO CONTINUE:** Remaining 16 endpoints need updating
---
 server/api/files/list-with-attachments.ts | 8 +++-----
 server/api/files/proxy-download.ts | 4 ++++
 server/api/files/proxy-preview.ts | 4 ++++
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/server/api/files/list-with-attachments.ts b/server/api/files/list-with-attachments.ts
index c0c96b3..d2e03ae 100644
--- a/server/api/files/list-with-attachments.ts
+++ b/server/api/files/list-with-attachments.ts
@@ -1,11 +1,9 @@
+import { requireAuth } from '~/server/utils/auth';
 import { Client } from 'minio';
 
 export default defineEventHandler(async (event) => {
- const xTagHeader = getRequestHeader(event, "x-tag");
-
- if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
- throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
- }
+ // Check authentication (x-tag header OR Keycloak session)
+ await requireAuth(event);
 
 try {
 const query = getQuery(event);
diff --git a/server/api/files/proxy-download.ts b/server/api/files/proxy-download.ts
index bbab368..5aaea7b 100644
--- a/server/api/files/proxy-download.ts
+++ b/server/api/files/proxy-download.ts
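Review bot: Deleting the hard-coded `x-tag` comparison from list-with-attachments.ts does not retire the two literal values, which stay readable in the repository history and in this patch. The commit message says `requireAuth` still accepts an x-tag header; if it compares against those same values, they should be rotated, loaded from runtime configuration rather than source, and compared in constant time. `requireAuth` is defined outside this hunk, so that needs confirming in `~/server/utils/auth`. The handler body also continues below the hunk, and nothing visible here shows whether the listing is scoped to the caller once authentication succeeds.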
@@ -1,6 +1,10 @@
+import { requireAuth } from '~/server/utils/auth';
 import { getMinioClient } from '~/server/utils/minio';
 
 export default defineEventHandler(async (event) => {
+ // Check authentication (x-tag header OR Keycloak session)
+ await requireAuth(event);
+
 try {
 const query = getQuery(event);
 const fileName = query.fileName as string;
diff --git a/server/api/files/proxy-preview.ts b/server/api/files/proxy-preview.ts
index a68a257..95222a5 100644
--- a/server/api/files/proxy-preview.ts
+++ b/server/api/files/proxy-preview.ts
@@ -1,7 +1,11 @@
+import { requireAuth } from '~/server/utils/auth';
 import { getMinioClient } from '~/server/utils/minio';
 import mime from 'mime-types';
 
 export default defineEventHandler(async (event) => {
+ // Check authentication (x-tag header OR Keycloak session)
+ await requireAuth(event);
+
 try {
 const query = getQuery(event);
 const fileName = query.fileName as string;
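Review bot: In proxy-download.ts, `const fileName = query.fileName as string;` asserts a type that `getQuery` does not guarantee: a missing or repeated `fileName` parameter yields `undefined` or an array, and the value is caller-controlled. The added `requireAuth(event)` establishes who is calling, but nothing in the hunk limits which object names that caller may request, so any x-tag holder or logged-in user can ask for any name unless a check follows below the hunk. A guard such as `if (typeof query.fileName !== 'string' || query.fileName.length === 0) throw createError({ statusCode: 400, statusMessage: 'fileName is required' });`, followed by a prefix or ownership check before the storage call, would close that gap. The same line appears in the proxy-preview.ts hunk, and both handler bodies continue outside their hunks.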
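Review bot: proxy-preview.ts imports `mime-types`, which suggests the response Content-Type is derived from the requested file name; that code is below the hunk, so this needs confirming. If stored files are returned inline on the application origin, an uploaded HTML or SVG object would render in the context of the viewer's Keycloak session. Restricting inline preview to an allow-list of passive types (images, PDF), and sending `X-Content-Type-Options: nosniff` with `Content-Disposition: attachment` for everything else, keeps the preview endpoint from serving active content.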