- Implement authorization middleware and composables for role checking
- Add groups/roles support to authentication and session management
- Create admin dashboard pages and API endpoints
- Add audit logging utility for tracking user actions
- Enhance expense page with role-based access control
- Improve session caching with authorization state management
**Problem Solved:**
- File previews failing due to unsupported Directus authentication
- Encrypted OIDC cookies causing JSON parse errors
- Need both Directus and Keycloak users to access same dashboard
**Changes:**
- server/utils/auth.ts: Added Directus token validation alongside OIDC
- server/api/auth/session.ts: Support both auth methods with proper user data
- server/api/auth/logout.ts: Clear appropriate cookies based on auth method
**Authentication Methods Now Supported:**
1. X-tag headers (webhooks/external calls)
2. Directus tokens (existing Directus users)
3. OIDC sessions (Keycloak users, encrypted or plain)
**Result:**
- Both Directus and Keycloak users can access dashboard
- File previews work for all authenticated users
- Proper logout handling for each auth method
- No more JSON parse errors for encrypted OIDC cookies
**Root Cause:**
- Auth system was looking for 'keycloak-session' cookies
- But actual OIDC system uses 'nuxt-oidc-auth' cookies
- This caused authentication failures for file previews and other endpoints
**Files Updated:**
- server/utils/auth.ts: Updated to check 'nuxt-oidc-auth' cookie
- server/api/auth/session.ts: Updated cookie name references
- server/api/auth/logout.ts: Updated cookie deletion
- server/api/auth/keycloak/callback.ts: Updated cookie creation
**Result:**
- File previews should now work for authenticated users
- All authentication endpoints now use consistent cookie names
- Both x-tag headers and OIDC sessions work correctly
Matt