major: Migration from better-auth to keycloak

legalconsenthub/server/api/[...].ts

@@ -1,14 +1,32 @@
 import type { H3Event } from 'h3'
 import { joinURL } from 'ufo'
+import { jwtDecode } from 'jwt-decode'
 
-export default defineEventHandler((event: H3Event) => {
+export default defineEventHandler(async (event: H3Event) => {
   const { serverApiBaseUrl, clientProxyBasePath } = useRuntimeConfig().public
   const escapedClientProxyBasePath = clientProxyBasePath.replace(/^\//, '\\/')
   // Use the escaped value in the regex
   const path = event.path.replace(new RegExp(`^${escapedClientProxyBasePath}`), '')
   const target = joinURL(serverApiBaseUrl, path)
 
+  const session = await getUserSession(event)
+  const accessToken = session?.jwt?.accessToken
+
+  console.log('🔍 PROXY: proxying request, found access token:', accessToken)
+  console.log('🔍 PROXY: Expiration:', new Date(jwtDecode(accessToken).exp! * 1000).toISOString())
+
+  if (!accessToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Not authenticated'
+    })
+  }
+
   console.log('🔀 proxying request to', target)
 
-  return proxyRequest(event, target)
+  return proxyRequest(event, target, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  })
 })

legalconsenthub/server/api/auth/[...].ts

@@ -1,6 +0,0 @@
-import { auth } from '../../utils/auth'
-import type { H3Event } from 'h3'
-
-export default defineEventHandler((event: H3Event) => {
-  return auth.handler(toWebRequest(event))
-})

legalconsenthub/server/api/jwt/refresh.post.ts

@@ -0,0 +1,46 @@
+import type { OAuthTokenResponse } from '~/types/oauth'
+
+export default eventHandler(async (event) => {
+  const config = useRuntimeConfig()
+  const session = await getUserSession(event)
+  if (!session.jwt?.accessToken && !session.jwt?.refreshToken) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  try {
+    const { access_token, refresh_token } = await $fetch<OAuthTokenResponse>(
+      `http://localhost:7080/realms/legalconsenthub/protocol/openid-connect/token`,
+      {
+        method: 'POST',
+        headers: { 'content-type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'refresh_token',
+          client_id: config.oauth.keycloak.clientId,
+          client_secret: config.oauth.keycloak.clientSecret,
+          refresh_token: session.jwt.refreshToken
+        }).toString()
+      }
+    )
+
+    await setUserSession(event, {
+      jwt: {
+        accessToken: access_token,
+        refreshToken: refresh_token || session.jwt.refreshToken
+      },
+      loggedInAt: Date.now()
+    })
+
+    return {
+      accessToken: access_token,
+      refreshToken: refresh_token || session.jwt.refreshToken
+    }
+  } catch {
+    throw createError({
+      statusCode: 401,
+      message: 'refresh token is invalid'
+    })
+  }
+})