From 7ca77e2dcf4389af7f12b19bb1b38d5eda1ff6c5 Mon Sep 17 00:00:00 2001
From: Matt
Date: Sun, 15 Jun 2025 16:58:45 +0200
Subject: [PATCH] FIX: Correct OIDC cookie name mismatch across all auth endpoints

**Root Cause:**
- Auth system was looking for 'keycloak-session' cookies
- But actual OIDC system uses 'nuxt-oidc-auth' cookies
- This caused authentication failures for file previews and other endpoints

**Files Updated:**
- server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie
- server/api/auth/session.ts: Updated cookie name references
- server/api/auth/logout.ts: Updated cookie deletion
- server/api/auth/keycloak/callback.ts: Updated cookie creation

**Result:**
- File previews should now work for authenticated users
- All authentication endpoints now use consistent cookie names
- Both x-tag headers and OIDC sessions work correctly
---
 server/api/auth/keycloak/callback.ts | 4 ++--
 server/api/auth/logout.ts | 6 +++---
 server/api/auth/session.ts | 8 ++++----
 server/utils/auth.ts | 10 +++++-----
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/server/api/auth/keycloak/callback.ts b/server/api/auth/keycloak/callback.ts
index 972371c..a9f7ee7 100644
--- a/server/api/auth/keycloak/callback.ts
+++ b/server/api/auth/keycloak/callback.ts
@@ -60,14 +60,14 @@ export default defineEventHandler(async (event) => {
 }
 // Create a simple session using a secure cookie
- setCookie(event, 'keycloak-session', JSON.stringify(sessionData), {
+ setCookie(event, 'nuxt-oidc-auth', JSON.stringify(sessionData), {
 httpOnly: true,
 secure: true,
 sameSite: 'lax',
 maxAge: tokenResponse.expires_in
 })
- console.log('[KEYCLOAK] Session cookie set, redirecting to dashboard')
+ console.log('[OIDC] Session cookie set, redirecting to dashboard')
 // Redirect to dashboard
 await sendRedirect(event, '/dashboard')
diff --git a/server/api/auth/logout.ts b/server/api/auth/logout.ts
index bdc0cbf..fc7dad8 100644
--- a/server/api/auth/logout.ts
+++ b/server/api/auth/logout.ts
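Review bot: The cookie name is now a bare string literal at `setCookie(event, 'nuxt-oidc-auth', ...)` and is repeated in logout.ts, session.ts and auth.ts, which is exactly the kind of drift this commit had to fix; hoist it once, e.g. `export const SESSION_COOKIE = 'nuxt-oidc-auth'` in server/utils/auth.ts, and use it at every `setCookie`/`getCookie`/`deleteCookie` call. The description says the OIDC system itself owns a cookie of this name; if that module is active alongside this handler, this line now writes plain `JSON.stringify(sessionData)` into a cookie the module presumably expects in its own sealed format, so one of the two readers will not be able to decode it — worth confirming which component is meant to own the cookie rather than sharing the name. Since the value is written with no signature or encryption, every reader of this cookie has to treat its contents as client-controlled. The enclosing handler starts and ends outside the hunk.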
@@ -1,9 +1,9 @@
 export default defineEventHandler(async (event) => {
 try {
 // Clear the session cookie
- deleteCookie(event, 'keycloak-session')
+ deleteCookie(event, 'nuxt-oidc-auth')
- console.log('[KEYCLOAK] User logged out, session cleared')
+ console.log('[OIDC] User logged out, session cleared')
 // Redirect to Keycloak logout to clear SSO session
 const logoutUrl = 'https://auth.portnimara.dev/realms/client-portal/protocol/openid-connect/logout?' +
@@ -13,7 +13,7 @@ export default defineEventHandler(async (event) => {
 await sendRedirect(event, logoutUrl)
 } catch (error) {
- console.error('[KEYCLOAK] Logout error:', error)
+ console.error('[OIDC] Logout error:', error)
 throw createError({
 statusCode: 500,
 statusMessage: 'Logout failed'
diff --git a/server/api/auth/session.ts b/server/api/auth/session.ts
index da36f3a..5b493eb 100644
--- a/server/api/auth/session.ts
+++ b/server/api/auth/session.ts
@@ -1,6 +1,6 @@
 export default defineEventHandler(async (event) => {
 try {
- const sessionCookie = getCookie(event, 'keycloak-session')
+ const sessionCookie = getCookie(event, 'nuxt-oidc-auth')
 if (!sessionCookie) {
 return { user: null, authenticated: false }
@@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
 // Check if session is still valid
 if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
 // Session expired, clear cookie
- deleteCookie(event, 'keycloak-session')
+ deleteCookie(event, 'nuxt-oidc-auth')
 return { user: null, authenticated: false }
 }
@@ -25,9 +25,9 @@ export default defineEventHandler(async (event) => {
 authenticated: true
 }
 } catch (error) {
- console.error('[KEYCLOAK] Session check error:', error)
+ console.error('[OIDC] Session check error:', error)
 // Clear invalid session
- deleteCookie(event, 'keycloak-session')
+ deleteCookie(event, 'nuxt-oidc-auth')
 return { user: null, authenticated: false }
 }
 })
diff --git a/server/utils/auth.ts b/server/utils/auth.ts
index 14b09f8..d0877ed 100644
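Review bot: The expiry check `if (sessionData.expiresAt && Date.now() > sessionData.expiresAt)` in the session.ts hunk at line 11 takes its deadline from the cookie body, which the callback writes as unsigned `JSON.stringify(sessionData)`, so the expiry — and the user object this handler returns further down — is whatever the client presented rather than something the server verified. Expiry and identity should come from data the client cannot edit: a sealed or signed cookie, or a server-side session record looked up by an opaque id. As written the check also silently passes when `expiresAt` is missing or not a number, leaving such a session valid indefinitely; `if (typeof sessionData.expiresAt !== 'number' || Date.now() > sessionData.expiresAt) {` would fail closed instead. The enclosing handler starts and ends outside this hunk.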
--- a/server/utils/auth.ts
+++ b/server/utils/auth.ts
@@ -11,15 +11,15 @@ export const isAuthenticated = async (event: any): Promise => {
 return true;
 }
- // Check Keycloak session authentication
+ // Check OIDC session authentication
 try {
- const keycloakSession = getCookie(event, 'keycloak-session');
- if (keycloakSession) {
- console.log('[auth] Authenticated via Keycloak session');
+ const oidcSession = getCookie(event, 'nuxt-oidc-auth');
+ if (oidcSession) {
+ console.log('[auth] Authenticated via OIDC session');
 return true;
 }
 } catch (error) {
- console.log('[auth] Keycloak session check failed:', error);
+ console.log('[auth] OIDC session check failed:', error);
 }
 console.log('[auth] No valid authentication found');
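Review bot: `if (oidcSession) { ... return true; }` authenticates a request on the mere presence of a cookie named `nuxt-oidc-auth`, because nothing here parses the value, checks its expiry or verifies its integrity, and the callback hunk shows the value is written as unsigned JSON. isAuthenticated should at least apply the same parse-and-expiry validation that session.ts performs, and the session's integrity needs to be guaranteed server-side (a sealed/signed cookie or a server-side store keyed by an opaque id) before a cookie value is allowed to grant access; a shared helper used by both files would keep the two checks from drifting apart. The `event: any` parameter also discards the h3 event type, and the signature's `Promise` appears to have lost its type argument, presumably `Promise<boolean>`. isAuthenticated starts and ends outside the hunk.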