fix(mana-core-auth): use Better Auth signJWT in refresh endpoint

The refresh endpoint was using manual jwt.sign with RSA keys, but the server doesn't have JWT_PRIVATE_KEY configured. Changed to use Better Auth's signJWT method which uses the JWKS/EdDSA keys from the database. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-14 21:41:09 +02:00 · 2026-02-02 16:40:37 +01:00 · 2026-02-02 16:40:37 +01:00 · 0538a6ca10
commit 0538a6ca10
parent c196144d1c
1 changed files with 26 additions and 23 deletions
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@ -778,31 +778,34 @@ export class BetterAuthService {
 				rememberMe: wasRememberMe, // Preserve remember me flag
 			});

-			// Generate new JWT
-			const privateKey = this.configService.get<string>('jwt.privateKey');
-			if (!privateKey) {
-				throw new Error('JWT private key not configured');
+			// Generate new JWT using Better Auth's signJWT (uses JWKS/EdDSA keys)
+			let accessToken = '';
+			try {
+				const api = this.auth.api as any;
+				const jwtResult = await api.signJWT({
+					body: {
+						payload: {
+							sub: user.id,
+							email: user.email,
+							role: user.role || 'user',
+							sid: sessionId,
+						},
+					},
+				});
+
+				accessToken = jwtResult?.token || '';
+
+				if (!accessToken) {
+					throw new Error('Better Auth signJWT returned empty token');
+				}
+			} catch (jwtError) {
+				this.logger.error(
+					'Token refresh: JWT generation failed',
+					jwtError instanceof Error ? jwtError.message : 'Unknown error'
+				);
+				throw new Error('Failed to generate access token');
 			}

-			const accessTokenExpiry = this.configService.get<string>('jwt.accessTokenExpiry') || '15m';
-			const issuer = this.configService.get<string>('jwt.issuer');
-			const audience = this.configService.get<string>('jwt.audience');
-
-			const tokenPayload: Record<string, unknown> = {
-				sub: user.id,
-				email: user.email,
-				role: user.role,
-				sessionId,
-				...(session.deviceId && { deviceId: session.deviceId }),
-			};
-
-			const accessToken = jwt.sign(tokenPayload, privateKey, {
-				algorithm: 'RS256' as const,
-				expiresIn: accessTokenExpiry as jwt.SignOptions['expiresIn'],
-				...(issuer && { issuer }),
-				...(audience && { audience }),
-			});
-
 			return {
 				user: {
 					id: user.id,