port-nimara-client-portal/server/utils/auth.ts

/**
 * Check if the request is authenticated via Keycloak OIDC session
 */
export const isAuthenticated = async (event: any): Promise<boolean> => {
  console.log('[auth] Checking authentication for:', event.node.req.url);

  // Check OIDC session authentication
  try {
    const oidcSession = getCookie(event, 'nuxt-oidc-auth');
    console.log('[auth] OIDC session cookie:', oidcSession ? 'present' : 'not found');
    
    if (!oidcSession) {
      console.log('[auth] No OIDC session found');
      return false;
    }

    // Parse and validate session data
    let sessionData;
    try {
      sessionData = JSON.parse(oidcSession);
    } catch (parseError) {
      console.error('[auth] Failed to parse session cookie:', parseError);
      return false;
    }

    // Validate session structure
    if (!sessionData.user || !sessionData.accessToken) {
      console.error('[auth] Invalid session structure:', {
        hasUser: !!sessionData.user,
        hasAccessToken: !!sessionData.accessToken
      });
      return false;
    }

    // Check if session is still valid
    if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
      console.log('[auth] Session expired:', {
        expiresAt: sessionData.expiresAt,
        currentTime: Date.now(),
        expiredSince: Date.now() - sessionData.expiresAt
      });
      return false;
    }

    console.log('[auth] Valid OIDC session found for user:', {
      id: sessionData.user.id,
      email: sessionData.user.email
    });
    return true;

  } catch (error) {
    console.error('[auth] OIDC session check failed:', error);
    return false;
  }
}

export const requireAuth = async (event: any) => {
  const authenticated = await isAuthenticated(event);
  if (!authenticated) {
    console.log('[requireAuth] Authentication failed for:', event.node.req.url);
    console.log('[requireAuth] Available cookies:', Object.keys(event.node.req.headers.cookie ? parseCookies(event.node.req.headers.cookie) : {}));
    throw createError({ 
      statusCode: 401, 
      statusMessage: "Authentication required. Please login with Keycloak." 
    });
  }
}

/**
 * Get the authenticated user from the session
 */
export const getAuthenticatedUser = async (event: any): Promise<any | null> => {
  try {
    const oidcSession = getCookie(event, 'nuxt-oidc-auth');
    
    if (!oidcSession) {
      return null;
    }

    const sessionData = JSON.parse(oidcSession);
    
    // Validate session
    if (!sessionData.user || !sessionData.accessToken) {
      return null;
    }

    // Check if session is still valid
    if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
      return null;
    }

    return sessionData.user;
  } catch (error) {
    console.error('[getAuthenticatedUser] Error:', error);
    return null;
  }
}

function parseCookies(cookieString: string): Record<string, string> {
  return cookieString.split(';').reduce((cookies: Record<string, string>, cookie) => {
    const [name, value] = cookie.trim().split('=');
    if (name && value) {
      cookies[name] = value;
    }
    return cookies;
  }, {});
}