FEAT: Unified Authentication System - Support Both Directus and Keycloak Users

**Problem Solved:**
- File previews failing due to unsupported Directus authentication
- Encrypted OIDC cookies causing JSON parse errors
- Both Directus and Keycloak users need to access the same dashboard

**Changes:**
- server/utils/auth.ts: Added Directus token validation alongside OIDC
- server/api/auth/session.ts: Support both auth methods with proper user data
- server/api/auth/logout.ts: Clear appropriate cookies based on auth method

**Authentication Methods Now Supported:**
1. X-tag headers (webhooks/external calls)
2. Directus tokens (existing Directus users)
3. OIDC sessions (Keycloak users, encrypted or plain)

**Result:**
- Both Directus and Keycloak users can access dashboard
- File previews work for all authenticated users
- Proper logout handling for each auth method
- No more JSON parse errors for encrypted OIDC cookies
2025-06-15 17:03:42 +02:00
parent 7ca77e2dcf
commit d45ae31f10
3 changed files with 131 additions and 35 deletions


@@ -1,7 +1,8 @@
/**
* Check if the request is authenticated via either:
* 1. x-tag header (for webhooks/external calls)
* 2. Keycloak session (for logged-in users)
* 2. Directus token (for Directus authenticated users)
* 3. OIDC session (for Keycloak authenticated users)
*/
export const isAuthenticated = async (event: any): Promise<boolean> => {
// Check x-tag header authentication (existing method)
@@ -11,10 +12,35 @@ export const isAuthenticated = async (event: any): Promise<boolean> => {
return true;
}
// Check Directus token authentication
try {
const directusToken = getCookie(event, 'directus_token');
if (directusToken) {
// Validate Directus token is not expired
const directusExpiry = getCookie(event, 'directus_token_expired_at');
if (directusExpiry) {
const expiryTime = parseInt(directusExpiry);
if (Date.now() < expiryTime) {
console.log('[auth] Authenticated via Directus token');
return true;
} else {
console.log('[auth] Directus token expired');
}
} else {
// If no expiry cookie, assume token is valid
console.log('[auth] Authenticated via Directus token (no expiry check)');
return true;
}
}
} catch (error) {
console.log('[auth] Directus token check failed:', error);
}
// Check OIDC session authentication
try {
const oidcSession = getCookie(event, 'nuxt-oidc-auth');
if (oidcSession) {
// Note: OIDC session might be encrypted, we'll validate it properly in session endpoint
console.log('[auth] Authenticated via OIDC session');
return true;
}