diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index 035e9c08b..322ca0051 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -778,31 +778,34 @@ export class BetterAuthService {
       rememberMe: wasRememberMe, // Preserve remember me flag
     });
 
-    // Generate new JWT
-    const privateKey = this.configService.get('jwt.privateKey');
-    if (!privateKey) {
-      throw new Error('JWT private key not configured');
+    // Generate new JWT using Better Auth's signJWT (uses JWKS/EdDSA keys)
+    let accessToken = '';
+    try {
+      const api = this.auth.api as any;
+      const jwtResult = await api.signJWT({
+        body: {
+          payload: {
+            sub: user.id,
+            email: user.email,
+            role: user.role || 'user',
+            sid: sessionId,
+          },
+        },
+      });
+
+      accessToken = jwtResult?.token || '';
+
+      if (!accessToken) {
+        throw new Error('Better Auth signJWT returned empty token');
+      }
+    } catch (jwtError) {
+      this.logger.error(
+        'Token refresh: JWT generation failed',
+        jwtError instanceof Error ? jwtError.message : 'Unknown error'
+      );
+      throw new Error('Failed to generate access token');
     }
 
-    const accessTokenExpiry = this.configService.get('jwt.accessTokenExpiry') || '15m';
-    const issuer = this.configService.get('jwt.issuer');
-    const audience = this.configService.get('jwt.audience');
-
-    const tokenPayload: Record = {
-      sub: user.id,
-      email: user.email,
-      role: user.role,
-      sessionId,
-      ...(session.deviceId && { deviceId: session.deviceId }),
-    };
-
-    const accessToken = jwt.sign(tokenPayload, privateKey, {
-      algorithm: 'RS256' as const,
-      expiresIn: accessTokenExpiry as jwt.SignOptions['expiresIn'],
-      ...(issuer && { issuer }),
-      ...(audience && { audience }),
-    });
-
     return {
       user: {
         id: user.id,
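Review bot: The refreshed token's claim set no longer matches what the removed `jwt.sign` call produced — `sessionId` becomes `sid`, `deviceId` is dropped, and `expiresIn`/`issuer`/`audience` are no longer set here — so any verifier that binds the token to the session or device or checks `iss`/`aud` must be updated and the Better Auth JWT plugin config confirmed to supply `exp`, `iss` and `aud`; a comment at the signJWT call such as `// exp/iss/aud come from the Better Auth JWT plugin config; keep in sync with the verifier` would record that dependency. `role: user.role || 'user'` also silently assigns a role when the record has none, which the old payload did not do; keeping `role: user.role,` and letting the verifier reject a missing role is safer than inventing one at refresh time. `this.auth.api as any` turns the signJWT request shape into an unchecked object, so a renamed field would surface only as the generic "Failed to generate access token" at runtime; prefer the plugin's typed API surface if one is exported. The enclosing refresh method starts before and ends after this hunk.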