faber-finances/server/middleware/auth.js

export default defineEventHandler(async (event) => {
  // Skip auth check for login page and auth API routes
  if (event.node.req.url?.startsWith('/api/auth/') || 
      event.node.req.url === '/login' ||
      event.node.req.url?.startsWith('/_nuxt/') ||
      event.node.req.url?.startsWith('/__nuxt_devtools__/')) {
    return
  }
  
  // Only check auth for API routes and page requests
  if (event.node.req.url?.startsWith('/api/') || 
      !event.node.req.url?.includes('.')) {
    
    const token = getCookie(event, 'auth-token')
    
    if (!token) {
      if (event.node.req.url?.startsWith('/api/')) {
        throw createError({
          statusCode: 401,
          statusMessage: 'Authentication required'
        })
      }
      // Redirect to login for page requests
      return sendRedirect(event, '/login')
    }
    
    const session = await useStorage('memory').getItem(`session:${token}`)
    
    if (!session || (session.expiresAt && new Date() > new Date(session.expiresAt))) {
      if (session && session.expiresAt && new Date() > new Date(session.expiresAt)) {
        await useStorage('memory').removeItem(`session:${token}`)
      }
      deleteCookie(event, 'auth-token')
      if (event.node.req.url?.startsWith('/api/')) {
        throw createError({
          statusCode: 401,
          statusMessage: 'Session expired'
        })
      }
      return sendRedirect(event, '/login')
    }
  }
})