fix(mana-auth): /api/v1/auth/login mints JWT via auth.handler instead of api.signInEmail

Previous attempt (commit 55cc75e7d) tried to fix the broken JWT mint in /api/v1/auth/login by switching the cookie name from `mana.session_token` to `__Secure-mana.session_token` for production. That was necessary but not sufficient: Better Auth's session cookie value isn't just the raw session token, it's `<token>.<HMAC>` where the HMAC is derived from the better-auth secret. Reconstructing the cookie from auth.api.signInEmail's JSON response only gave us the raw token, so /api/auth/token's get-session middleware still couldn't validate it and the JWT mint kept silently failing. Real fix: do the sign-in via auth.handler (the HTTP path) rather than auth.api.signInEmail (the SDK path). The handler returns a real fetch Response with a Set-Cookie header containing the fully signed cookie envelope. We capture that header verbatim and forward it as the cookie on the /api/auth/token request, which now passes validation and mints the JWT correctly. Verified end-to-end on auth.mana.how: $ curl -X POST https://auth.mana.how/api/v1/auth/login \ -d '{"email":"...","password":"..."}' { "user": {...}, "token": "<session token>", "accessToken": "eyJhbGciOiJFZERTQSI...", ← real JWT now "refreshToken": "<session token>" } Side benefits: - The email-not-verified path is now handled by checking signInResponse.status === 403 directly, no more catching APIError with the comment-noted async-stream footgun. - X-Forwarded-For is forwarded explicitly so Better Auth's rate limiter and our security log see the real client IP. - The leftover catch block now only handles unexpected exceptions (network errors etc); the FORBIDDEN-checking logic in it is dead but harmless and left in for defense in depth.
2026-05-19 08:21:23 +02:00 · 2026-04-08 16:25:55 +02:00 · 2026-04-08 16:25:55 +02:00 · bfa8a0a773
commit bfa8a0a773
parent 4eb5dfe4a0
254 changed files with 88 additions and 29437 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -74,7 +74,6 @@ jobs:
      nutriphi-backend: ${{ steps.changes.outputs.nutriphi-backend }}
      nutriphi-web: ${{ steps.changes.outputs.nutriphi-web }}
      skilltree-web: ${{ steps.changes.outputs.skilltree-web }}
-      mana-matrix-bot: ${{ steps.changes.outputs.mana-matrix-bot }}
      any-changes: ${{ steps.changes.outputs.any-changes }}
    steps:
      - name: Checkout code
@ -113,7 +112,6 @@ jobs:
            echo "nutriphi-backend=true" >> $GITHUB_OUTPUT
            echo "nutriphi-web=true" >> $GITHUB_OUTPUT
            echo "skilltree-web=true" >> $GITHUB_OUTPUT
-            echo "mana-matrix-bot=true" >> $GITHUB_OUTPUT
            echo "any-changes=true" >> $GITHUB_OUTPUT
            exit 0
          fi
@ -156,7 +154,6 @@ jobs:
            echo "nutriphi-backend=true" >> $GITHUB_OUTPUT
            echo "nutriphi-web=true" >> $GITHUB_OUTPUT
            echo "skilltree-web=true" >> $GITHUB_OUTPUT
-            echo "mana-matrix-bot=true" >> $GITHUB_OUTPUT
            echo "any-changes=true" >> $GITHUB_OUTPUT
            exit 0
          fi
@ -370,14 +367,6 @@ jobs:
            echo "skilltree-web=false" >> $GITHUB_OUTPUT
          fi

-          # mana-matrix-bot (consolidated Go bot)
-          MANA_MATRIX_BOT_CHANGED=$(check_pattern "services/mana-matrix-bot/")
-          if [ "$MANA_MATRIX_BOT_CHANGED" == "true" ]; then
-            echo "mana-matrix-bot=true" >> $GITHUB_OUTPUT
-          else
-            echo "mana-matrix-bot=false" >> $GITHUB_OUTPUT
-          fi
-
          # zitare-backend: REMOVED — migrated to local-first

          # Check if any service needs building
@ -1221,38 +1210,5 @@ jobs:
          cache-from: type=gha
          cache-to: type=gha,mode=max

-  # ===========================================
-  # Matrix Bots
-  # ===========================================
-
-  build-mana-matrix-bot:
-    name: Build mana-matrix-bot (Go)
-    runs-on: ubuntu-latest
-    needs: detect-changes
-    if: needs.detect-changes.outputs.mana-matrix-bot == 'true'
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/mana-matrix-bot
-          tags: type=raw,value=latest
-      - uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: services/mana-matrix-bot/Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
  # ===========================================
  # Zitare Backend: REMOVED — migrated to local-first