From 191c7b4cc7036c94a73bbf9c66b7750bb4796aa7 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Sun, 1 Feb 2026 03:48:55 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(mana-core-auth):=20handle=20?=
 =?UTF-8?q?form-urlencoded=20token=20requests?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Better Auth OIDC token endpoint now correctly handles both:
- application/x-www-form-urlencoded (OAuth 2.0 spec)
- application/json

This fixes SSO login from Synapse which uses form-urlencoded.
---
 .../src/auth/services/better-auth.service.ts  | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index 2c78d0802..f59dd048f 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -1293,11 +1293,34 @@ export class BetterAuthService {
 				}
 			}
 
+			// Prepare body based on content type
+			let requestBody: string | undefined;
+			if (req.method !== 'GET' && req.method !== 'HEAD' && req.body) {
+				const contentType = req.headers['content-type'] || '';
+				if (contentType.includes('application/x-www-form-urlencoded')) {
+					// Convert object to URL-encoded form data
+					const params = new URLSearchParams();
+					for (const [key, value] of Object.entries(req.body)) {
+						if (value !== undefined && value !== null) {
+							params.append(key, String(value));
+						}
+					}
+					requestBody = params.toString();
+				} else {
+					// Default to JSON
+					requestBody = JSON.stringify(req.body);
+					// Ensure content-type is set for JSON
+					if (!headers.has('content-type')) {
+						headers.set('content-type', 'application/json');
+					}
+				}
+			}
+
 			// Create Fetch Request
 			const fetchRequest = new Request(url.toString(), {
 				method: req.method,
 				headers,
-				body: req.method !== 'GET' && req.method !== 'HEAD' ? JSON.stringify(req.body) : undefined,
+				body: requestBody,
 			});
 
 			// Call Better Auth's handler