fix(mana-core-auth): align JWT issuer validation with Better Auth signing config

Better Auth signs JWTs with issuer=BASE_URL (https://auth.mana.how) for OIDC
compatibility, but validation was using jwt.issuer config which defaults to
'manacore'. This caused "unexpected iss claim value" errors.

Fixed in:
- better-auth.service.ts validateToken()
- jwt-auth.guard.ts
- optional-auth.guard.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Till-JS 2026-02-02 16:50:04 +01:00
parent 0538a6ca10
commit 75937d6ce9
3 changed files with 12 additions and 5 deletions


@ -856,9 +856,10 @@ export class BetterAuthService {
// Create JWKS fetcher
const JWKS = createRemoteJWKSet(jwksUrl);
// Get issuer/audience from config (Better Auth uses BASE_URL by default)
const issuer = this.configService.get<string>('jwt.issuer') || baseUrl;
const audience = this.configService.get<string>('jwt.audience') || baseUrl;
// IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
// Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
const audience = this.configService.get<string>('jwt.audience') || 'manacore';
// Verify using jose library with Better Auth's JWKS
const { payload } = await jwtVerify(token, JWKS, {
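Review bot: The `jwt.issuer` config key is now silently ignored in validateToken(): an operator who sets it gets neither an effect nor a warning, and the old line reading it is removed without any replacement check. If that key still exists in the configuration schema outside this hunk, either remove it or fail loudly when it disagrees with the signing issuer, e.g. `const configuredIssuer = this.configService.get<string>('jwt.issuer'); if (configuredIssuer && configuredIssuer !== baseUrl) throw new Error('jwt.issuer must match BASE_URL (Better Auth signs with BASE_URL as iss)');`. The same issuer/audience pair is hand-copied into jwt-auth.guard.ts and optional-auth.guard.ts in this commit, which is exactly the drift that produced the original "unexpected iss claim value" failure; exposing one method on this service (say `getJwtVerifyOptions(): { issuer: string; audience: string }`) and having both guards call it would give a single source of truth. validateToken() starts and ends outside the hunk, so where `baseUrl` is derived is not visible here.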


@ -42,7 +42,10 @@ export class JwtAuthGuard implements CanActivate {
this.jwks = createRemoteJWKSet(jwksUrl);
}
const issuer = this.configService.get<string>('jwt.issuer') || 'manacore';
// IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
// Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
const baseUrl = this.configService.get<string>('BASE_URL') || 'http://localhost:3001';
const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
const audience = this.configService.get<string>('jwt.audience') || 'manacore';
const { payload } = await jwtVerify(token, this.jwks, {
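Review bot: The `|| 'http://localhost:3001'` fallback on the `BASE_URL` read means a deployment that forgets to set BASE_URL will reject every real token with a confusing "unexpected iss claim value" error instead of a configuration error at boot; the failure is closed, but it is an outage disguised as a token problem. Prefer resolving the expected issuer once in the constructor (next to where `this.jwks` is built, outside this hunk) with `this.configService.getOrThrow<string>('BASE_URL')`, or at least guard the fallback behind a non-production check, so a missing value surfaces at startup rather than per request. The same fallback and the same duplicated issuer/audience logic appear in the optional-auth.guard.ts hunk below; both guards would be better served by one shared helper than by two copies of the "match better-auth.config.ts exactly" comment. The enclosing canActivate body continues outside the hunk.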


@ -33,7 +33,10 @@ export class OptionalAuthGuard implements CanActivate {
this.jwks = createRemoteJWKSet(jwksUrl);
}
const issuer = this.configService.get<string>('jwt.issuer') || 'manacore';
// IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
// Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
const baseUrl = this.configService.get<string>('BASE_URL') || 'http://localhost:3001';
const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
const audience = this.configService.get<string>('jwt.audience') || 'manacore';
const { payload } = await jwtVerify(token, this.jwks, {