From 8207d38ca5e7ac74b59dfb5b1065b535df72102f Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Fri, 30 Jan 2026 18:12:16 +0100
Subject: [PATCH] fix(mana-core-auth): use comma-separated redirect_urls for Better Auth OIDC

Better Auth's OIDC provider expects redirect_urls to be a comma-separated string, not a JSON array. Updated seed script and schema documentation.

Co-Authored-By: Claude Opus 4.5
---
 services/mana-core-auth/src/db/schema/auth.schema.ts | 2 +-
 services/mana-core-auth/src/db/seeds/seed-oidc-clients.ts | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/services/mana-core-auth/src/db/schema/auth.schema.ts b/services/mana-core-auth/src/db/schema/auth.schema.ts
index cb28a5b21..8c67140b7 100644
--- a/services/mana-core-auth/src/db/schema/auth.schema.ts
+++ b/services/mana-core-auth/src/db/schema/auth.schema.ts
@@ -135,7 +135,7 @@ export const oauthApplications = authSchema.table('oauth_applications', {
 metadata: text('metadata'),
 clientId: text('client_id').unique().notNull(),
 clientSecret: text('client_secret').notNull(),
- redirectURLs: text('redirect_urls').notNull(), // JSON array as text
+ redirectURLs: text('redirect_urls').notNull(), // Comma-separated URLs (Better Auth expects this format, NOT JSON)
 type: text('type').notNull().default('web'), // web, native, spa
 disabled: boolean('disabled').default(false).notNull(),
 userId: text('user_id').references(() => users.id, { onDelete: 'cascade' }),
diff --git a/services/mana-core-auth/src/db/seeds/seed-oidc-clients.ts b/services/mana-core-auth/src/db/seeds/seed-oidc-clients.ts
index 84f7f7470..926b329db 100644
--- a/services/mana-core-auth/src/db/seeds/seed-oidc-clients.ts
+++ b/services/mana-core-auth/src/db/seeds/seed-oidc-clients.ts
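Review bot: The new comment on `redirectURLs` in auth.schema.ts names the encoding but not its limits, and this column holds the redirect URLs registered for each OIDC client. I would spell the contract out, for example `// Comma-separated absolute URLs, no spaces around the commas; a URL containing a literal ',' cannot be stored (Better Auth expects this format, NOT JSON)`. Whether Better Auth trims entries after splitting is not visible here, so the no-spaces rule is the safe assumption. Rows written before this commit may still hold JSON-array text, and the seed changed in this patch rewrites only the `synapse` client, so any other client would need a one-off data migration; a stale value presumably just fails the redirect check, which is worth confirming. The table definition starts and ends outside the hunk.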
@@ -62,7 +62,8 @@ async function seed() {
 .update(oauthApplications)
 .set({
 clientSecret: synapseClientSecret,
- redirectURLs: JSON.stringify(['https://matrix.mana.how/_synapse/client/oidc/callback']),
+ // Better Auth expects comma-separated string, NOT JSON array
+ redirectURLs: 'https://matrix.mana.how/_synapse/client/oidc/callback',
 updatedAt: new Date(),
 })
 .where(eq(oauthApplications.clientId, 'synapse'));
@@ -77,7 +78,8 @@ async function seed() {
 icon: 'https://matrix.org/images/matrix-logo.svg',
 clientId: 'synapse',
 clientSecret: synapseClientSecret,
- redirectURLs: JSON.stringify(['https://matrix.mana.how/_synapse/client/oidc/callback']),
+ // Better Auth expects comma-separated string, NOT JSON array
+ redirectURLs: 'https://matrix.mana.how/_synapse/client/oidc/callback',
 type: 'web',
 disabled: false,
 metadata: JSON.stringify({
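Review bot: The callback URL is now hand-written as an already-encoded string in both the update branch (the `@@ -62,7 +62,8 @@` hunk) and the insert branch (the `@@ -77,7 +78,8 @@` hunk), so the two copies can drift and a later second URL would have to be joined correctly in two places. A single constant keeps the list form and makes the encoding explicit: `const SYNAPSE_REDIRECT_URLS = ['https://matrix.mana.how/_synapse/client/oidc/callback'].join(',');`, used as `redirectURLs: SYNAPSE_REDIRECT_URLS,` in both branches. A redirect URI that itself contains a comma would presumably be read back as two entries, so the seed could also reject such entries before joining. `seed()` starts before and continues past both hunks.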