feat(auth): add OIDC Controller for Matrix SSO endpoints

- Add OidcController to expose Better Auth OIDC Provider endpoints
- Add handleOidcRequest method to BetterAuthService
- Exclude OIDC routes from global /api/v1 prefix
- Register OidcController in AuthModule

Endpoints:
- GET /.well-known/openid-configuration
- GET /api/oidc/authorize
- POST /api/oidc/token
- GET /api/oidc/userinfo
- GET /api/oidc/jwks

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

services/mana-core-auth/src/auth/oidc.controller.ts

@@ -0,0 +1,122 @@
+/**
+ * OIDC Provider Controller
+ *
+ * Exposes Better Auth's OIDC Provider endpoints for external services
+ * like Matrix/Synapse to use SSO authentication.
+ *
+ * Endpoints:
+ * - GET /.well-known/openid-configuration - OIDC Discovery
+ * - GET /api/oidc/authorize - Authorization endpoint
+ * - POST /api/oidc/token - Token endpoint
+ * - GET /api/oidc/userinfo - UserInfo endpoint
+ * - GET /api/oidc/jwks - JWKS endpoint
+ */
+
+import { Controller, Get, Post, All, Req, Res, HttpStatus } from '@nestjs/common';
+import { Request, Response } from 'express';
+import { BetterAuthService } from './services/better-auth.service';
+
+@Controller()
+export class OidcController {
+	constructor(private readonly betterAuthService: BetterAuthService) {}
+
+	/**
+	 * OIDC Discovery Document
+	 *
+	 * Returns the OpenID Connect discovery document with all endpoints.
+	 */
+	@Get('.well-known/openid-configuration')
+	async getOpenIdConfiguration(@Req() req: Request, @Res() res: Response) {
+		return this.handleOidcRequest(req, res);
+	}
+
+	/**
+	 * Authorization Endpoint
+	 *
+	 * Handles OAuth2 authorization requests.
+	 */
+	@Get('api/oidc/authorize')
+	async authorize(@Req() req: Request, @Res() res: Response) {
+		return this.handleOidcRequest(req, res);
+	}
+
+	/**
+	 * Token Endpoint
+	 *
+	 * Exchanges authorization codes for tokens.
+	 */
+	@Post('api/oidc/token')
+	async token(@Req() req: Request, @Res() res: Response) {
+		return this.handleOidcRequest(req, res);
+	}
+
+	/**
+	 * UserInfo Endpoint
+	 *
+	 * Returns user information for the authenticated user.
+	 */
+	@Get('api/oidc/userinfo')
+	async userinfo(@Req() req: Request, @Res() res: Response) {
+		return this.handleOidcRequest(req, res);
+	}
+
+	/**
+	 * JWKS Endpoint
+	 *
+	 * Returns JSON Web Key Set for token verification.
+	 */
+	@Get('api/oidc/jwks')
+	async jwks(@Req() req: Request, @Res() res: Response) {
+		return this.handleOidcRequest(req, res);
+	}
+
+	/**
+	 * Catch-all for other OIDC endpoints
+	 */
+	@All('api/oidc/*')
+	async catchAll(@Req() req: Request, @Res() res: Response) {
+		return this.handleOidcRequest(req, res);
+	}
+
+	/**
+	 * Handle OIDC request by forwarding to Better Auth
+	 */
+	private async handleOidcRequest(req: Request, res: Response) {
+		try {
+			const response = await this.betterAuthService.handleOidcRequest(req);
+
+			// Set status code
+			res.status(response.status || HttpStatus.OK);
+
+			// Copy headers from Better Auth response
+			if (response.headers) {
+				for (const [key, value] of Object.entries(response.headers)) {
+					if (value) {
+						res.setHeader(key, value as string);
+					}
+				}
+			}
+
+			// Handle redirects
+			if (response.status === 302 || response.status === 301) {
+				const location = response.headers?.location || response.headers?.Location;
+				if (location) {
+					return res.redirect(response.status, location as string);
+				}
+			}
+
+			// Return body
+			if (response.body) {
+				return res.send(response.body);
+			}
+
+			return res.end();
+		} catch (error) {
+			console.error('[OIDC] Error handling request:', error);
+			return res.status(HttpStatus.INTERNAL_SERVER_ERROR).json({
+				error: 'server_error',
+				error_description: 'Internal server error',
+			});
+		}
+	}
+}