From 75937d6ce9f315ac08fcd8cfc88f54561d89237b Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Mon, 2 Feb 2026 16:50:04 +0100
Subject: [PATCH] fix(mana-core-auth): align JWT issuer validation with Better Auth signing config

Better Auth signs JWTs with issuer=BASE_URL (https://auth.mana.how) for OIDC compatibility, but validation was using jwt.issuer config which defaults to 'manacore'. This caused "unexpected iss claim value" errors.

Fixed in:
- better-auth.service.ts validateToken()
- jwt-auth.guard.ts
- optional-auth.guard.ts

Co-Authored-By: Claude Opus 4.5
---
 .../src/auth/services/better-auth.service.ts | 7 ++++---
 .../mana-core-auth/src/common/guards/jwt-auth.guard.ts | 5 ++++-
 .../src/common/guards/optional-auth.guard.ts | 5 ++++-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index 322ca0051..cc5b94fc5 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -856,9 +856,10 @@ export class BetterAuthService {
 // Create JWKS fetcher
 const JWKS = createRemoteJWKSet(jwksUrl);
 
- // Get issuer/audience from config (Better Auth uses BASE_URL by default)
- const issuer = this.configService.get('jwt.issuer') || baseUrl;
- const audience = this.configService.get('jwt.audience') || baseUrl;
+ // IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
+ // Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
+ const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
+ const audience = this.configService.get('jwt.audience') || 'manacore';
 
 // Verify using jose library with Better Auth's JWKS
 const { payload } = await jwtVerify(token, JWKS, {
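Review bot: The `jwt.issuer` setting becomes dead configuration on the new `const issuer = baseUrl;` line: the key is no longer read anywhere in this hunk, so an operator who sets it (the old code honoured it) gets neither an effect nor an error, and the mismatch can only be discovered through the same "unexpected iss claim value" failure this commit fixes. Either drop the key from the config schema and env documentation, or reject a conflicting value explicitly right after computing `issuer`: `const cfgIssuer = this.configService.get<string>('jwt.issuer');` / `if (cfgIssuer && cfgIssuer !== baseUrl) throw new Error('jwt.issuer must equal BASE_URL: Better Auth signs the iss claim with BASE_URL');`. The new comment cites `better-auth.config.ts` as the signing source, which is not in this patch, so that claim should be kept in sync with whatever that file actually does. `validateToken()` starts and ends outside the hunk — `baseUrl` and `jwksUrl` are defined above it and the `jwtVerify` options object continues below it; if those options do not pin `algorithms`, that is the other check worth adding there.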
diff --git a/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts b/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts
index 70a69c268..ad7e458e8 100644
--- a/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts
+++ b/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts
@@ -42,7 +42,10 @@ export class JwtAuthGuard implements CanActivate {
 this.jwks = createRemoteJWKSet(jwksUrl);
 }
 
- const issuer = this.configService.get('jwt.issuer') || 'manacore';
+ // IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
+ // Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
+ const baseUrl = this.configService.get('BASE_URL') || 'http://localhost:3001';
+ const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
 const audience = this.configService.get('jwt.audience') || 'manacore';
 
 const { payload } = await jwtVerify(token, this.jwks, {
diff --git a/services/mana-core-auth/src/common/guards/optional-auth.guard.ts b/services/mana-core-auth/src/common/guards/optional-auth.guard.ts
index 6f8884b6b..4b557f647 100644
--- a/services/mana-core-auth/src/common/guards/optional-auth.guard.ts
+++ b/services/mana-core-auth/src/common/guards/optional-auth.guard.ts
@@ -33,7 +33,10 @@ export class OptionalAuthGuard implements CanActivate {
 this.jwks = createRemoteJWKSet(jwksUrl);
 }
 
- const issuer = this.configService.get('jwt.issuer') || 'manacore';
+ // IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
+ // Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
+ const baseUrl = this.configService.get('BASE_URL') || 'http://localhost:3001';
+ const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
 const audience = this.configService.get('jwt.audience') || 'manacore';
 
 const { payload } = await jwtVerify(token, this.jwks, {
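Review bot: The added `const baseUrl = this.configService.get('BASE_URL') || 'http://localhost:3001';` silently substitutes a development issuer whenever `BASE_URL` is missing, so a production deployment with the variable unset rejects every genuine token with the very "unexpected iss claim value" error this commit is chasing, and nothing in the log points at the configuration. That fails closed, which is the right direction, but a trust anchor should not have a convenience default: `const baseUrl = this.configService.get<string>('BASE_URL');` / `if (!baseUrl) throw new Error('BASE_URL is not set; it is the expected JWT issuer');`, ideally resolved once in the guard's constructor so the process fails at boot instead of returning 500s per request. `jwksUrl` is computed above the hunk; if it carries its own localhost fallback, confirm the two defaults cannot diverge. `canActivate` starts and ends outside the hunk.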
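Review bot: The expected `issuer`/`audience` pair is now hand-copied into three files, which is exactly how the drift this commit repairs came about: the service derives `issuer` from a local `baseUrl` while this guard reads `BASE_URL` with a localhost default, so the three copies can still disagree. Extract a single shared helper and spread it into every `jwtVerify` call, e.g. `export function betterAuthJwtClaims(config: ConfigService) { return { issuer: config.get<string>('BASE_URL'), audience: config.get<string>('jwt.audience') ?? 'manacore' }; }`, so the comment "match Better Auth signing config exactly" is enforced by the code rather than repeated in three places. Note that jose compares `iss` by exact string equality, so a trailing-slash difference between the configured `BASE_URL` and what Better Auth writes into the token would still be rejected; a test that signs with the real config and verifies through this guard would catch that. In `OptionalAuthGuard` a configuration error thrown here is presumably caught and the request continues anonymously (the catch is outside the hunk), which would hide a misconfiguration entirely — worth confirming. `canActivate` starts and ends outside the hunk.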