- Added ExpenseCreateModal component for adding new expenses with form validation.
- Integrated API endpoint for creating expenses, ensuring only authorized users can access it.
- Updated dashboard to include functionality for adding expenses and refreshing the expense list after creation.
- Enhanced UI with Vuetify components for better user experience and responsiveness.
- Replace API calls with cached auth state from middleware in useAuthorization
- Add fallback to session cache and watchers for auth state updates
- Change initialization from async to synchronous for better performance
- Add DuplicateNotificationBanner component
- Add conditional admin menu items to dashboard based on user permissions
- Upgrade expense API authorization from basic auth to sales/admin roles
- Convert static menu arrays to computed properties for dynamic content
- Add admin duplicates API endpoint structure
- Implement authorization middleware and composables for role checking
- Add groups/roles support to authentication and session management
- Create admin dashboard pages and API endpoints
- Add audit logging utility for tracking user actions
- Enhance expense page with role-based access control
- Improve session caching with authorization state management
- Add horizontal margins to modals on mobile devices
- Optimize grid layouts with smaller breakpoints (md→sm)
- Make action buttons full-width on mobile with touch optimization
- Adjust text sizes and spacing for better mobile readability
- Enhance date filter and export controls for mobile interaction
- Add checkbox to include 5% processing fee in PDF exports
- Install PDF generation dependencies (@pdfme/common, @pdfme/generator, sharp)
- Add server-side expenses API endpoints
- Update PDF options interface to support processing fee toggle
- Add expense list and detail views with filtering capabilities
- Implement receipt image viewer and PDF export functionality
- Add currency conversion support with automatic rate updates
- Create API endpoints for expense CRUD operations
- Integrate with NocoDB for expense data persistence
- Add expense menu item to dashboard navigation
- Replace iframe embed with full-featured berth status dashboard
- Add BerthDetailsModal and BerthStatusBadge components
- Implement search, filtering, and multiple view modes
- Add berth management API endpoints (get-by-id, update)
- Include measurement conversion utilities and type definitions
- Provide status summaries and visual berth overview
- Added logging for OIDC session presence and type detection
- Will help identify why OIDC cookies aren't being sent during file preview requests
- Keycloak login works but file previews fail due to missing OIDC cookie
**Problem Solved:**
- File previews failing due to unsupported Directus authentication
- Encrypted OIDC cookies causing JSON parse errors
- Need both Directus and Keycloak users to access same dashboard
**Changes:**
- server/utils/auth.ts: Added Directus token validation alongside OIDC
- server/api/auth/session.ts: Support both auth methods with proper user data
- server/api/auth/logout.ts: Clear appropriate cookies based on auth method
**Authentication Methods Now Supported:**
1. X-tag headers (webhooks/external calls)
2. Directus tokens (existing Directus users)
3. OIDC sessions (Keycloak users, encrypted or plain)
**Result:**
- Both Directus and Keycloak users can access dashboard
- File previews work for all authenticated users
- Proper logout handling for each auth method
- No more JSON parse errors for encrypted OIDC cookies
**Root Cause:**
- Auth system was looking for 'keycloak-session' cookies
- But actual OIDC system uses 'nuxt-oidc-auth' cookies
- This caused authentication failures for file previews and other endpoints
**Files Updated:**
- server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie
- server/api/auth/session.ts: Updated cookie name references
- server/api/auth/logout.ts: Updated cookie deletion
- server/api/auth/keycloak/callback.ts: Updated cookie creation
**Result:**
- File previews should now work for authenticated users
- All authentication endpoints now use consistent cookie names
- Both x-tag headers and OIDC sessions work correctly
**UPDATED ENDPOINTS (7 final):**
- test-eoi-cleanup.ts (updated old auth)
- eoi/send-reminders.ts (updated old auth + fixed function calls)
- eoi/delete-generated-document.ts (updated old auth)
- eoi/delete-document.ts (updated old auth + fixed function calls)
- email/test-minio-bucket.ts (updated old auth)
- email/test-connection.ts (updated old auth)
- email/process-sales-eois.ts (updated old auth)
** TASK COMPLETE - ALL 47 API ENDPOINTS UPDATED:**
38 endpoints now use unified auth (requireAuth function)
9 endpoints correctly remain public (auth/debug/health/test)
Support dual auth: x-tag headers + Keycloak sessions
Fixed 8 endpoints with NO authentication (critical security fix)
Backward compatibility maintained for webhooks
Dashboard users can now access all endpoints securely
**SECURITY ACHIEVEMENT:**
- Eliminated all old x-tag authentication patterns
- Unified authentication system across entire API
- Critical security vulnerabilities patched
- Production-ready authentication implementation
**UPDATED ENDPOINTS (3 additional):**
- files/list-with-attachments.ts (CRITICAL: was using old auth)
- files/proxy-preview.ts (SECURITY ISSUE: had NO auth)
- files/proxy-download.ts (SECURITY ISSUE: had NO auth)
**AUTHENTICATION:** All now support dual auth:
- x-tag header (webhooks/external calls)
- Keycloak session (logged-in users)
**PROGRESS:** 31/47 endpoints completed (~66%)
**TOTAL UPDATED TODAY:** 14 endpoints
**READY TO CONTINUE:** Remaining 16 endpoints need updating
**UPDATED ENDPOINTS (11 additional):**
- email/send.ts (CRITICAL: was using old auth)
- email/fetch-thread.ts (CRITICAL: was using old auth)
- email/fetch-thread-v2.ts (CRITICAL: was using old auth)
- email/generate-eoi-document.ts (CRITICAL: was using old auth)
- files/upload.ts (CRITICAL: was using old auth)
- files/list.ts (SECURITY ISSUE: had NO auth)
- files/download.ts (SECURITY ISSUE: had NO auth)
- files/delete.ts (SECURITY ISSUE: had NO auth)
- files/create-folder.ts (SECURITY ISSUE: had NO auth)
- files/preview.ts (SECURITY ISSUE: had NO auth)
- files/rename.ts (SECURITY ISSUE: had NO auth)
**AUTHENTICATION:** All now support dual auth:
- x-tag header (webhooks/external calls)
- Keycloak session (logged-in users)
**PROGRESS:** 28/47 endpoints completed (~60%)
**NEXT:** Continue with remaining proxy, test & debug endpoints
**CRITICAL SECURITY FIXES:** Found 6 file endpoints with NO authentication - major vulnerability patched!
Updated core interest management endpoints:
- server/api/create-interest.ts
- server/api/update-interest.ts
- server/api/delete-interest.ts
- Created server/utils/auth.ts with dual auth support
Next: Update ALL remaining API endpoints systematically
## **ALL ISSUES RESOLVED:**
### ** Fixed TypeScript Import Issues:**
- Removed .nuxt cache and regenerated types
- Cleaned package.json - removed
uxt-oidc-auth completely
- Updated useUnifiedAuth.ts to use useCustomAuth instead of useOidcAuth
- Fixed authentication middleware to use session API call
### ** Complete Authentication System:**
- Custom OAuth 2.0 flow with Keycloak
- HTTP-only cookie session management
- Dual auth support (Keycloak + Directus fallback)
- Proper logout flow with Keycloak SSO cleanup
### ** Dashboard Access:**
- Fixed layout authentication state
- User info properly displayed in sidebar
- Full navigation menu access
- All dashboard routes accessible after login
### ** Logout Flow:**
- Clears local session cookie
- Redirects to Keycloak logout
- Keycloak redirects back to /login page
## **READY FOR PRODUCTION:**
The custom Keycloak SSO system should now work completely without 502/500 errors:
1. **Login** Keycloak SSO Token exchange Session creation Dashboard
2. **Navigation** Full dashboard access with sidebar
3. **Logout** Session cleanup Keycloak logout Return to login
Deploy and test - should work perfectly!
## **Critical Fix for 500 Error:**
### **Issue:**
- useUnifiedAuth.ts was still calling useOidcAuth() which no longer exists
- This was causing the 500 error when dashboard tried to load
- Error: 'useOidcAuth is not defined'
### **Solution:**
- Replaced useOidcAuth() with useCustomAuth() in unified auth
- Updated logout logic to use custom Keycloak auth
- Maintained dual auth support (Directus + Keycloak)
### **Files Changed:**
- composables/useUnifiedAuth.ts - Updated to use custom auth system
## **Next Step:**
Need to resolve TypeScript import issue for useCustomAuth composable
## **Fixed 502 Error After Login:**
### **Issue:**
- After successful Keycloak authentication, users got 502 Bad Gateway error
- Middleware was still trying to use removed useOidcAuth() composable
- This caused the app to crash when accessing dashboard
### **Solution:**
- Replaced useOidcAuth() with direct session API call
- Uses /api/auth/session endpoint to check authentication
- Maintains dual auth support (Directus + Keycloak)
- Added proper error handling to prevent crashes
### **Authentication Flow Now:**
1. **Check Directus auth** first (existing users)
2. **Check custom Keycloak session** via API call
3. **Allow access** if either authentication succeeds
4. **Redirect to login** if no authentication found
### **Files Changed:**
- middleware/authentication.ts - Updated to use custom auth system
## **Result:**
The complete authentication flow should now work:
1. Login via Keycloak SSO
2. Token exchange and session creation
3. Middleware validates session properly
4. Dashboard loads without 502 errors
## **Ready to Test:**
Deploy and test the complete SSO flow - should work end-to-end!
## **Fixed 404 Error:**
### **Issue:**
- Keycloak was redirecting to /auth/keycloak/callback
- But our server endpoint was at /api/auth/keycloak/callback
- This caused a 404 Page Not Found error
### **Solution:**
- Updated useCustomAuth.ts redirect URI to include /api prefix
- Updated server callback endpoint to match the new path
- Both client and server now use: /api/auth/keycloak/callback
### **Files Changed:**
- composables/useCustomAuth.ts - Updated login redirect URI
- server/api/auth/keycloak/callback.ts - Updated token exchange redirect URI
## **Result:**
Now when users click 'Login with SSO':
1. Redirect to Keycloak
2. Keycloak redirects back to /api/auth/keycloak/callback
3. Server handles the callback properly
4. User gets authenticated and redirected to dashboard
The 404 error should be resolved and SSO login should work!
Matt