- Install @nuxt/ui and integrate with existing Vuetify
- Create new layouts/dashboard-unified.vue with modern sidebar design
- Features: clean white design, collapsible sidebar, role-based navigation
- Remove old layouts/dashboard.vue to eliminate dual-sidebar confusion
- Update all dashboard pages to use dashboard-unified layout
- Add demo page showcasing new sidebar features
- Fix auth error handler to ignore external service 401 errors
- Ensure consistent navigation experience across entire platform
## **Critical Session Storage Configuration:**
### **Nitro Storage Setup:**
- Added file-based storage for OIDC sessions: ./data/oidc-sessions
- Configured general session storage: ./data/sessions
- Uses filesystem driver for container persistence
### **OIDC Session Management:**
- Enhanced session configuration with proper expiration handling
- Cookie settings optimized for HTTPS cross-domain authentication
- Automatic refresh with 60-second threshold before expiry
- Secure cookie flags for production environment
### **Debug Tools Added:**
- /api/debug/oidc-session endpoint for monitoring session state
- Safe debugging without exposing sensitive authentication tokens
## **Problem Solved:**
The core issue was that nuxt-oidc-auth had no persistent storage backend
configured, causing sessions to be lost immediately after OAuth callback.
## **Root Cause:**
- OIDC sessions were using in-memory storage (default)
- Sessions expired immediately in containerized environment
- No refresh token persistence across requests
- User redirected back to login despite successful Keycloak auth
## **Expected Results:**
- Keycloak authentication should now persist properly
- Sessions saved to filesystem and survive container restarts
- Users stay logged in after successful SSO authentication
- Automatic token refresh prevents session timeouts
- Dashboard access maintained after OAuth callback
## **Container Setup:**
The ./data/ directory will be created automatically in the container
and sessions will persist as long as container storage is maintained.
This completes the Keycloak SSO integration!
## **Session Management Improvements:**
### **OIDC Configuration (nuxt.config.ts):**
- Added proper session configuration with automatic refresh
- Configured secure cookies for HTTPS production environment
- Added OAuth scopes: ['openid', 'profile', 'email']
- Set proper response type and grant type for Keycloak
- Added session expiration checking and automatic refresh
### **Session Cookie Settings:**
- sameSite: 'lax' - Required for cross-domain OAuth redirects
- secure: true - Required for HTTPS in production
- expirationThreshold: 60 - Refresh tokens 60 seconds before expiry
### **Debug Tools:**
- Added /api/debug/oidc-session endpoint to monitor session state
- Tracks cookie presence and session establishment
- Safe debugging without exposing sensitive tokens
## **Problem Being Solved:**
User authentication succeeds with Keycloak but session expires immediately,
causing redirect back to login page instead of dashboard access.
## **Root Cause Analysis:**
- Sessions were not being established properly after OAuth callback
- Cookie configuration was not optimized for HTTPS/production
- Missing proper OAuth scopes and session refresh configuration
## **Expected Results:**
- Successful Keycloak authentication should now persist session
- Users should be redirected to dashboard after login
- Sessions should automatically refresh before expiry
- No more immediate redirects back to login page
## **Next Steps:**
1. Rebuild container in Portainer with these session fixes
2. Test authentication flow end-to-end
3. Use debug endpoint to verify session establishment
4. Monitor container logs for OIDC session activity
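The two "Debug Tools" entries above describe a session-state endpoint that reports cookie presence and session establishment without exposing tokens. The following is an added example of such a token-free summary, not code from this repository or from nuxt-oidc-auth; the `StoredSession` shape, the `summarizeSession` name and the cookie name used in calls are assumptions made for illustration.

```typescript
// Added example: builds a token-free view of an OIDC session for a debug endpoint.
// StoredSession is an assumed shape, not the nuxt-oidc-auth session type.
interface StoredSession {
  accessToken?: string;
  refreshToken?: string;
  expireAt?: number; // access token expiry, Unix seconds
}

interface SessionDebugView {
  cookiePresent: boolean;
  sessionEstablished: boolean;
  hasRefreshToken: boolean;
  secondsUntilExpiry: number | null;
  state: "none" | "valid" | "refresh-due" | "expired";
}

// Seconds before expiry at which a refresh is due (the 60-second threshold above).
const EXPIRATION_THRESHOLD = 60;

function summarizeSession(
  cookieHeader: string | undefined,
  cookieName: string,
  session: StoredSession | null,
  nowSeconds: number,
): SessionDebugView {
  // Report only whether the session cookie exists, never its value.
  const cookiePresent = (cookieHeader ?? "")
    .split(";")
    .some((part) => part.trim().startsWith(cookieName + "="));

  // No usable session: callback never stored one, or the store lost it.
  if (!session || !session.accessToken || session.expireAt === undefined) {
    return { cookiePresent, sessionEstablished: false, hasRefreshToken: false,
             secondsUntilExpiry: null, state: "none" };
  }

  const remaining = session.expireAt - nowSeconds;
  const state = remaining <= 0 ? "expired"
    : remaining <= EXPIRATION_THRESHOLD ? "refresh-due" : "valid";

  // Token fields are reduced to booleans so the response is safe to return and log.
  return { cookiePresent, sessionEstablished: true,
           hasRefreshToken: Boolean(session.refreshToken),
           secondsUntilExpiry: remaining, state };
}
```

A response with `cookiePresent: true` and `state: "none"` matches the failure described in these commits: the browser holds a cookie but the server-side store has no session behind it.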
CRITICAL FIX: The nuxt-oidc-auth module was causing infinite redirect loops
because its global middleware was active on ALL pages, including /login.
## 🚨 **Problem Solved:**
- Login page was redirecting to itself infinitely
- OIDC module auto-authenticating on every route
- 502 Bad Gateway errors from redirect loops
## ✅ **Changes Made:**
### **nuxt.config.ts:**
- Added globalMiddlewareEnabled: false to OIDC middleware config
- This disables automatic authentication on all routes
- Prevents redirect loops on login page
### **Cleanup:**
- Removed obsolete pages/dashboard/keycloak-test.vue
- Fixed TypeScript errors from missing useKeycloak composable
## 🎯 **Result:**
✅ Login page should now load without redirect loops
✅ SSO button should work properly when clicked
✅ Manual authentication control via our middleware
✅ Maintains Directus auth compatibility
## 📋 **Next Steps:**
1. Rebuild container in Portainer with these changes
2. Test login page loads properly
3. Test SSO authentication flow
4. Verify no more 502 errors on callback
This fixes the core issue blocking the Keycloak SSO integration!
DEBUGGING: Add comprehensive console logging to track authentication flow
## Changes Made:
### 1. Configuration Updates (nuxt.config.ts)
- Temporarily enabled keycloakDebug: true for production
- Allows detailed logging to troubleshoot authentication issues
### 2. Enhanced Error Logging (composables/useKeycloak.ts)
- Added [KEYCLOAK] prefixed console logs throughout login flow
- Enhanced error reporting with message, stack, and name details
- Added logging for initialization status and redirect URIs
- TypeScript-safe error handling with instanceof checks
## Debug Information Now Available:
- Keycloak initialization status
- Login function execution tracking
- Redirect URI generation details
- Authentication state monitoring
- Detailed error messages with stack traces
This will help identify exactly where the authentication process is failing
and provide actionable debugging information in the browser console.
Ready for container rebuild and testing.
- Remove problematic nuxt-openid-connect module that was causing OAuth issues
- Install and implement official keycloak-js adapter for better reliability
- Create new useKeycloak composable with proper token management
- Update useUnifiedAuth to work with new Keycloak implementation
- Fix authentication middleware to support both auth methods
- Update login page to use new Keycloak login function
- Clean up configuration and remove deprecated OIDC settings
- This should resolve all the HTTP/HTTPS redirect and token exchange issues
- Add full PWA configuration with manifest and service worker
- Create PWAInstallBanner component with mobile detection
- Implement install banner on login page (shows below login form)
- Add usePWA composable for reusable PWA functionality
- Configure offline support with Workbox caching strategies
- Add PWA initialization plugin
- Update app name to 'Port Nimara Portal' throughout
- Use circular logo in install banner and instructions
- Banner shows only once and hides if already installed
- Support both Android (direct install) and iOS (manual instructions)
- Add comprehensive documentation for PWA implementation
Features:
- Mobile-only install banner with dismissal tracking
- Standalone mode detection to hide banner when installed
- Platform-specific installation instructions
- Offline functionality with API caching
- Auto-updating service worker
- Native app-like experience when installed
EOI ENHANCEMENTS:
- Fix EOI deletion to clear ALL signature fields (embedded links, timestamps, etc.)
- Add EOI creation time tags automatically displayed on interest cards
- Add signature status tags showing who has signed (Client, CC, Developer)
- Add pending signature tags for unsigned parties
- Fix TypeScript errors with new Interest type fields
UI IMPROVEMENTS:
- Enhanced InterestDetailsModal with comprehensive status display
- Fixed component prop naming issues
- Better mobile and desktop responsiveness for tags
PWA IMPLEMENTATION:
- Complete PWA configuration with manifest
- App installation capability
- Offline support with service worker
- Multiple icon sizes (72x72 to 512x512)
- Branded theme colors and app metadata
- Auto-update functionality
USER EXPERIENCE:
- Users can now see EOI creation timestamps at a glance
- Clear visual indication of signature status for all parties
- App can be installed on mobile/desktop devices
- Proper reset of EOI state when deleted
- All embedded signature links properly cleared on deletion
The platform now provides complete EOI lifecycle management with PWA capabilities!
Update MinIO configuration to use secure HTTPS connection by:
- Changing port from 9000 to 443 (standard HTTPS port)
- Enabling SSL/TLS encryption (useSSL: true)
This ensures secure communication with the S3-compatible storage service.
- Change MinIO configuration to use non-SSL connection (useSSL: false)
- Add test-connection endpoint to verify MinIO connectivity
- Add comprehensive logging to track connection issues
- Enhance error messages in list files API for better debugging