KEYCLOAK AUTH FIX: Phase 5 - Final Batch (COMPLETE)

**UPDATED ENDPOINTS (7 final):**
- test-eoi-cleanup.ts (updated old auth)
- eoi/send-reminders.ts (updated old auth + fixed function calls)
- eoi/delete-generated-document.ts (updated old auth)
- eoi/delete-document.ts (updated old auth + fixed function calls)
- email/test-minio-bucket.ts (updated old auth)
- email/test-connection.ts (updated old auth)
- email/process-sales-eois.ts (updated old auth)

** TASK COMPLETE - ALL 47 API ENDPOINTS UPDATED:**
 38 endpoints now use unified auth (requireAuth function)
 9 endpoints correctly remain public (auth/debug/health/test)
 Support dual auth: x-tag headers + Keycloak sessions
 Fixed 8 endpoints with NO authentication (critical security fix)
 Backward compatibility maintained for webhooks
 Dashboard users can now access all endpoints securely

**SECURITY ACHIEVEMENT:**
- Eliminated all old x-tag authentication patterns
- Unified authentication system across entire API
- Critical security vulnerabilities patched
- Production-ready authentication implementation

server/api/email/process-sales-eois.ts

@@ -1,3 +1,4 @@
+import { requireAuth } from '~/server/utils/auth';
 import { parseEmail, getIMAPConnection } from '~/server/utils/email-utils';
 import { uploadFile } from '~/server/utils/minio';
 import { getInterestByFieldAsync, updateInterest } from '~/server/utils/nocodb';
@@ -12,11 +13,8 @@ interface ProcessedEOI {
 }
 
 export default defineEventHandler(async (event) => {
-  const xTagHeader = getRequestHeader(event, "x-tag");
+  // Check authentication (x-tag header OR Keycloak session)
-
+  await requireAuth(event);
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
-  }
 
   try {
     console.log('[Process Sales EOIs] Starting email processing...');

server/api/email/test-connection.ts

@@ -1,13 +1,11 @@
+import { requireAuth } from '~/server/utils/auth';
 import nodemailer from 'nodemailer';
 import Imap from 'imap';
 import { encryptCredentials, storeCredentialsInSession } from '~/server/utils/encryption';
 
 export default defineEventHandler(async (event) => {
-  const xTagHeader = getRequestHeader(event, "x-tag");
+  // Check authentication (x-tag header OR Keycloak session)
-
+  await requireAuth(event);
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
-  }
 
   try {
     const body = await readBody(event);

server/api/email/test-minio-bucket.ts

@@ -1,11 +1,9 @@
+import { requireAuth } from '~/server/utils/auth';
 import { getMinioClient } from '~/server/utils/minio';
 
 export default defineEventHandler(async (event) => {
-  const xTagHeader = getRequestHeader(event, "x-tag");
+  // Check authentication (x-tag header OR Keycloak session)
-
+  await requireAuth(event);
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
-  }
 
   try {
     const query = getQuery(event);

server/api/eoi/delete-document.ts

@@ -1,14 +1,12 @@
+import { requireAuth } from '~/server/utils/auth';
 import { getMinioClient } from '~/server/utils/minio';
+import { getInterestById, updateInterest } from '~/server/utils/nocodb';
 
 export default defineEventHandler(async (event) => {
-  const xTagHeader = getRequestHeader(event, "x-tag");
+  // Check authentication (x-tag header OR Keycloak session)
+  await requireAuth(event);
 
-  console.log('[EOI Delete] Request received with x-tag:', xTagHeader);
+  console.log('[EOI Delete] Request received');
-
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
-    console.error('[EOI Delete] Authentication failed - invalid x-tag');
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
-  }
 
   try {
     const body = await readBody(event);
@@ -25,14 +23,7 @@ export default defineEventHandler(async (event) => {
     }
 
     // Get current interest data to find EOI documents
-    const interest = await $fetch(`/api/get-interest-by-id`, {
+    const interest = await getInterestById(interestId);
-      headers: {
-        'x-tag': xTagHeader,
-      },
-      params: {
-        id: interestId,
-      },
-    });
 
     const eoiDocuments = interest['EOI Document'] || [];
     console.log('[EOI Delete] Found EOI documents:', eoiDocuments);
@@ -72,16 +63,7 @@ export default defineEventHandler(async (event) => {
     console.log('[EOI Delete] Resetting interest fields');
     
     // Update the interest
-    await $fetch('/api/update-interest', {
+    await updateInterest(interestId, updateData as any);
-      method: 'POST',
-      headers: {
-        'x-tag': xTagHeader,
-      },
-      body: {
-        id: interestId,
-        data: updateData
-      }
-    });
     
     console.log('[EOI Delete] Delete completed successfully');
     return {

server/api/eoi/delete-generated-document.ts

@@ -1,16 +1,13 @@
+import { requireAuth } from '~/server/utils/auth';
 import { getInterestById, updateInterest } from '~/server/utils/nocodb';
 import { checkDocumentSignatureStatus } from '~/server/utils/documeso';
 import type { InterestSalesProcessLevel, EOIStatus } from '~/utils/types';
 
 export default defineEventHandler(async (event) => {
-  const xTagHeader = getRequestHeader(event, "x-tag");
+  // Check authentication (x-tag header OR Keycloak session)
+  await requireAuth(event);
 
-  console.log('[Delete Generated EOI] Request received with x-tag:', xTagHeader);
+  console.log('[Delete Generated EOI] Request received');
-
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
-    console.error('[Delete Generated EOI] Authentication failed - invalid x-tag');
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
-  }
 
   try {
     const body = await readBody(event);

server/api/eoi/send-reminders.ts

@@ -1,3 +1,4 @@
+import { requireAuth } from '~/server/utils/auth';
 import { getDocumesoDocument, checkDocumentSignatureStatus, formatRecipientName } from '~/server/utils/documeso';
 import { getInterestById } from '~/server/utils/nocodb';
 import { sendEmail } from '~/server/utils/email';
@@ -9,11 +10,8 @@ interface ReminderEmail {
 }
 
 export default defineEventHandler(async (event) => {
-  const xTagHeader = getRequestHeader(event, "x-tag");
+  // Check authentication (x-tag header OR Keycloak session)
-
+  await requireAuth(event);
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
-  }
 
   try {
     const body = await readBody(event);
@@ -104,18 +102,9 @@ export default defineEventHandler(async (event) => {
     }
     
     // Update last reminder sent timestamp
-    await $fetch('/api/update-interest', {
+    await updateInterest(interestId, {
-      method: 'POST',
-      headers: {
-        'x-tag': xTagHeader,
-      },
-      body: {
-        id: interestId,
-        data: {
       'last_reminder_sent': new Date().toISOString()
-        }
+    } as any);
-      }
-    });
     
     return {
       success: true,

server/api/test-eoi-cleanup.ts

@@ -1,9 +1,8 @@
-export default defineEventHandler(async (event) => {
+import { requireAuth } from '~/server/utils/auth';
-  const xTagHeader = getRequestHeader(event, "x-tag");
 
-  if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
+export default defineEventHandler(async (event) => {
-    throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
+  // Check authentication (x-tag header OR Keycloak session)
-  }
+  await requireAuth(event);
 
   try {
     const query = getQuery(event);