**Problem Solved:**
- File previews failing due to unsupported Directus authentication
- Encrypted OIDC cookies causing JSON parse errors
- Need both Directus and Keycloak users to access same dashboard
**Changes:**
- server/utils/auth.ts: Added Directus token validation alongside OIDC
- server/api/auth/session.ts: Support both auth methods with proper user data
- server/api/auth/logout.ts: Clear appropriate cookies based on auth method
**Authentication Methods Now Supported:**
1. X-tag headers (webhooks/external calls)
2. Directus tokens (existing Directus users)
3. OIDC sessions (Keycloak users, encrypted or plain)
**Result:**
- Both Directus and Keycloak users can access dashboard
- File previews work for all authenticated users
- Proper logout handling for each auth method
- No more JSON parse errors for encrypted OIDC cookies
**Root Cause:**
- Auth system was looking for 'keycloak-session' cookies
- But actual OIDC system uses 'nuxt-oidc-auth' cookies
- This caused authentication failures for file previews and other endpoints
**Files Updated:**
- server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie
- server/api/auth/session.ts: Updated cookie name references
- server/api/auth/logout.ts: Updated cookie deletion
- server/api/auth/keycloak/callback.ts: Updated cookie creation
**Result:**
- File previews should now work for authenticated users
- All authentication endpoints now use consistent cookie names
- Both x-tag headers and OIDC sessions work correctly
**UPDATED ENDPOINTS (7 final):**
- test-eoi-cleanup.ts (updated old auth)
- eoi/send-reminders.ts (updated old auth + fixed function calls)
- eoi/delete-generated-document.ts (updated old auth)
- eoi/delete-document.ts (updated old auth + fixed function calls)
- email/test-minio-bucket.ts (updated old auth)
- email/test-connection.ts (updated old auth)
- email/process-sales-eois.ts (updated old auth)
** TASK COMPLETE - ALL 47 API ENDPOINTS UPDATED:**
38 endpoints now use unified auth (requireAuth function)
9 endpoints correctly remain public (auth/debug/health/test)
Support dual auth: x-tag headers + Keycloak sessions
Fixed 8 endpoints with NO authentication (critical security fix)
Backward compatibility maintained for webhooks
Dashboard users can now access all endpoints securely
**SECURITY ACHIEVEMENT:**
- Eliminated all old x-tag authentication patterns
- Unified authentication system across entire API
- Critical security vulnerabilities patched
- Production-ready authentication implementation
**UPDATED ENDPOINTS (3 additional):**
- files/list-with-attachments.ts (CRITICAL: was using old auth)
- files/proxy-preview.ts (SECURITY ISSUE: had NO auth)
- files/proxy-download.ts (SECURITY ISSUE: had NO auth)
**AUTHENTICATION:** All now support dual auth:
- x-tag header (webhooks/external calls)
- Keycloak session (logged-in users)
**PROGRESS:** 31/47 endpoints completed (~66%)
**TOTAL UPDATED TODAY:** 14 endpoints
**READY TO CONTINUE:** Remaining 16 endpoints need updating
**UPDATED ENDPOINTS (11 additional):**
- email/send.ts (CRITICAL: was using old auth)
- email/fetch-thread.ts (CRITICAL: was using old auth)
- email/fetch-thread-v2.ts (CRITICAL: was using old auth)
- email/generate-eoi-document.ts (CRITICAL: was using old auth)
- files/upload.ts (CRITICAL: was using old auth)
- files/list.ts (SECURITY ISSUE: had NO auth)
- files/download.ts (SECURITY ISSUE: had NO auth)
- files/delete.ts (SECURITY ISSUE: had NO auth)
- files/create-folder.ts (SECURITY ISSUE: had NO auth)
- files/preview.ts (SECURITY ISSUE: had NO auth)
- files/rename.ts (SECURITY ISSUE: had NO auth)
**AUTHENTICATION:** All now support dual auth:
- x-tag header (webhooks/external calls)
- Keycloak session (logged-in users)
**PROGRESS:** 28/47 endpoints completed (~60%)
**NEXT:** Continue with remaining proxy, test & debug endpoints
**CRITICAL SECURITY FIXES:** Found 6 file endpoints with NO authentication - major vulnerability patched!
Updated core interest management endpoints:
- server/api/create-interest.ts
- server/api/update-interest.ts
- server/api/delete-interest.ts
- Created server/utils/auth.ts with dual auth support
Next: Update ALL remaining API endpoints systematically
## **Fixed 404 Error:**
### **Issue:**
- Keycloak was redirecting to /auth/keycloak/callback
- But our server endpoint was at /api/auth/keycloak/callback
- This caused a 404 Page Not Found error
### **Solution:**
- Updated useCustomAuth.ts redirect URI to include /api prefix
- Updated server callback endpoint to match the new path
- Both client and server now use: /api/auth/keycloak/callback
### **Files Changed:**
- composables/useCustomAuth.ts - Updated login redirect URI
- server/api/auth/keycloak/callback.ts - Updated token exchange redirect URI
## **Result:**
Now when users click 'Login with SSO':
1. Redirect to Keycloak
2. Keycloak redirects back to /api/auth/keycloak/callback
3. Server handles the callback properly
4. User gets authenticated and redirected to dashboard
The 404 error should be resolved and SSO login should work!
## **Session Management Improvements:**
### **OIDC Configuration (nuxt.config.ts):**
- Added proper session configuration with automatic refresh
- Configured secure cookies for HTTPS production environment
- Added OAuth scopes: ['openid', 'profile', 'email']
- Set proper response type and grant type for Keycloak
- Added session expiration checking and automatic refresh
### **Session Cookie Settings:**
- sameSite: 'lax' - Required for cross-domain OAuth redirects
- secure: true - Required for HTTPS in production
- expirationThreshold: 60 - Refresh tokens 60 seconds before expiry
### **Debug Tools:**
- Added /api/debug/oidc-session endpoint to monitor session state
- Tracks cookie presence and session establishment
- Safe debugging without exposing sensitive tokens
## **Problem Being Solved:**
User authentication succeeds with Keycloak but session expires immediately,
causing redirect back to login page instead of dashboard access.
## **Root Cause Analysis:**
- Sessions were not being established properly after OAuth callback
- Cookie configuration was not optimized for HTTPS/production
- Missing proper OAuth scopes and session refresh configuration
## **Expected Results:**
Successful Keycloak authentication should now persist session
Users should be redirected to dashboard after login
Sessions should automatically refresh before expiry
No more immediate redirects back to login page
## **Next Steps:**
1. Rebuild container in Portainer with these session fixes
2. Test authentication flow end-to-end
3. Use debug endpoint to verify session establishment
4. Monitor container logs for OIDC session activity
Root Cause Resolution:
- NocoDB API requires null values (not undefined) to clear database fields
- Updated updateInterest utility to automatically convert undefined null
- This ensures signature links and documensoID are properly cleared from database
Database Cleanup Enhancements:
- Fixed all EOI deletion endpoints to properly clear embedded signature links
- Both delete-generated-document and delete-document now clear ALL fields:
* EmbeddedSignatureLinkClient, EmbeddedSignatureLinkCC, EmbeddedSignatureLinkDeveloper
* Signature Link Client, Signature Link CC, Signature Link Developer
* documensoID and all related EOI metadata
Added Debug Capabilities:
- Created test-eoi-cleanup.ts endpoint for debugging cleanup operations
- Enhanced logging in NocoDB utility for field conversion tracking
- Better error handling and validation throughout cleanup process
Technical Implementation:
- NocoDB utility now automatically handles undefined null conversion
- Comprehensive field clearing in allowedFields array
- Proper TypeScript typing for all cleanup operations
- Enhanced logging for troubleshooting database operations
This resolves the persistent issue where signature links and document IDs remained in the database after EOI deletion, ensuring complete cleanup and proper state reset.
Database Cleanup Enhancements:
- Fixed missing embedded signature link cleanup in deletion endpoints
- Both delete-generated-document and delete-document now properly clear:
* EmbeddedSignatureLinkClient, EmbeddedSignatureLinkCC, EmbeddedSignatureLinkDeveloper
* All legacy signature links and documensoID references
- Enhanced validation endpoint to detect and clean orphaned records automatically
EOI Section Reactivity Fixes:
- Added local reactive state (documentValidated, documentExists) for immediate UI updates
- EOI section now instantly shows Generate UI when documents are deleted/invalid
- No more phantom signatory status displays after document deletion
- Improved hasGeneratedEOI computed property with validation state override
Mobile UI Improvements:
- Implemented stacked badge layout for interest table on mobile
- Contact info + status badges now stack vertically (60% width)
- Eliminated horizontal scrolling issues on mobile devices
- Enhanced email thread view with proper width constraints and text wrapping
- Made email refresh button round with better mobile styling
Technical Enhancements:
- Comprehensive field cleanup using undefined instead of null for proper database reset
- Enhanced error handling for document validation and deletion
- Improved logging for debugging EOI state transitions
- Better handling of edge cases where documensoID exists but document was deleted externally
All EOI-related operations now properly maintain database consistency and provide immediate visual feedback to users.
- Add new /api/eoi/validate-document endpoint to check document existence
- Automatically clean up orphaned database records when documents don't exist in Documenso
- Update EOISection component to validate documents on mount
- Enhanced delete-generated-document endpoint to handle already-deleted documents
- Updated check-signature-status endpoint with validation logic
- Prevents EOI section from showing when document no longer exists
- Self-healing system that fixes data inconsistencies automatically
Key improvements:
- Validates document existence before showing EOI management UI
- Cleans up documensoID, signature links, and status fields when document is missing
- Graceful handling of 404 errors from Documenso API
- Background validation with user-friendly notifications
- Prevents phantom EOI states that appear generated but don't exist
EOI ENHANCEMENTS:
- Fix EOI deletion to clear ALL signature fields (embedded links, timestamps, etc.)
- Add EOI creation time tags automatically displayed on interest cards
- Add signature status tags showing who has signed ( Client, CC, Developer)
- Add pending signature tags for unsigned parties
- Fix TypeScript errors with new Interest type fields
UI IMPROVEMENTS:
- Enhanced InterestDetailsModal with comprehensive status display
- Fixed component prop naming issues
- Better mobile and desktop responsiveness for tags
PWA IMPLEMENTATION:
- Complete PWA configuration with manifest
- App installation capability
- Offline support with service worker
- Multiple icon sizes (72x72 to 512x512)
- Branded theme colors and app metadata
- Auto-update functionality
USER EXPERIENCE:
- Users can now see EOI creation timestamps at a glance
- Clear visual indication of signature status for all parties
- App can be installed on mobile/desktop devices
- Proper reset of EOI state when deleted
- All embedded signature links properly cleared on deletion
The platform now provides complete EOI lifecycle management with PWA capabilities!
- Switch from localStorage to sessionStorage for email sessions
- Add session validation on component mount
- Implement IMAP connection pool with folder search capabilities
- Add operation locking utility for concurrent request handling
- Refactor EOI section component structure
- Update API endpoints for better email thread management
- Add helper function to generate embedded signing URLs from Documenso links
- Store embedded signature links for all signers (Client, Developer, CC)
- Add webhook secret configuration for embedded signing
- Add documentation for embedded signing and website implementation
- Update Interest type with embedded signature link fields
- Removed limit on cached emails - now loads ALL cached emails from MinIO
- Kept IMAP limit at 50 for reasonable performance
- Added loading indicator showing when emails are being fetched
- Fixed ES module import issue in email-utils.ts
- Improved user experience with visual feedback during loading
This ensures all email threads load completely while maintaining reasonable performance
- Fixed refresh button icon not displaying (changed from icon prop to v-icon element)
- Reduced default email limit from 50 to 20 to improve loading speed
- Optimized cached email loading to only load most recent emails (up to limit)
- Fixed CommonJS require error in email-utils.ts (changed to ES module import)
- Added sorting to cached files to ensure newest emails are loaded first
This should significantly improve email loading performance from 578 cached files down to max 20
Matt