From 42dafe593b834dd0b16b9586d6ddbdc53bde5f5c Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Thu, 29 Jan 2026 12:31:25 +0100
Subject: [PATCH] fix(auth): fix global prefix exclusion for OIDC routes

Add explicit path exclusions and path-to-regexp wildcard patterns to ensure /api/auth/jwks and other OIDC routes are excluded from the /api/v1 global prefix. This fixes JWKS endpoint accessibility for Matrix Synapse OIDC integration.

Co-Authored-By: Claude Opus 4.5
---
 services/mana-core-auth/src/main.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/services/mana-core-auth/src/main.ts b/services/mana-core-auth/src/main.ts
index 42ff4ad22..aa4cc91f8 100644
--- a/services/mana-core-auth/src/main.ts
+++ b/services/mana-core-auth/src/main.ts
@@ -86,9 +86,15 @@ async function bootstrap() {
 exclude: [
 { path: 'metrics', method: RequestMethod.ALL },
 { path: 'health', method: RequestMethod.ALL },
+ // Better Auth routes - use path-to-regexp wildcards
 { path: 'api/auth/(.*)', method: RequestMethod.ALL },
+ { path: 'api/auth/jwks', method: RequestMethod.ALL },
+ { path: 'api/auth/:path*', method: RequestMethod.ALL },
+ // OIDC routes
 { path: '.well-known/(.*)', method: RequestMethod.ALL },
+ { path: '.well-known/openid-configuration', method: RequestMethod.ALL },
 { path: 'api/oidc/(.*)', method: RequestMethod.ALL },
+ { path: 'api/oidc/:path*', method: RequestMethod.ALL },
 ],
 });
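Review bot: The exclude list now carries the same intent in three forms (`(.*)`, `:path*` and literal paths), and nothing in the hunk records which of them the installed path-to-regexp actually honours. If the literal `api/auth/jwks` entry is what made the endpoint reachable, the wildcard entries are probably dead, and `api/oidc/...`, which gets only wildcard entries, may still be served under `/api/v1`, contrary to the commit message. Since JWKS and `.well-known/openid-configuration` are what relying parties use to verify tokens, keep only the syntax that matches and pin it with an e2e check that the unprefixed paths answer and the `/api/v1/...` forms do not, and replace the comment with something like `// Better Auth routes: excluded via <syntax that matches>; covered by e2e test for /api/auth/jwks`. `.well-known/(.*)` also excludes more than the one discovery document the added literal entry names. The enclosing `bootstrap()` and the call that receives `exclude` start outside the hunk.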