From e46a4c96df3210e25ed323c004fe49b6af7a1052 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Thu, 29 Jan 2026 12:21:39 +0100
Subject: [PATCH] fix(auth): expose JWKS at /api/auth/jwks for OIDC discovery

Better Auth's discovery document points to /api/auth/jwks, so we need to expose this route directly in NestJS.

Co-Authored-By: Claude Opus 4.5
---
 services/mana-core-auth/src/auth/oidc.controller.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/services/mana-core-auth/src/auth/oidc.controller.ts b/services/mana-core-auth/src/auth/oidc.controller.ts
index e687b0e7d..1f2a94267 100644
--- a/services/mana-core-auth/src/auth/oidc.controller.ts
+++ b/services/mana-core-auth/src/auth/oidc.controller.ts
@@ -61,7 +61,7 @@ export class OidcController {
 }
 
 /**
- * JWKS Endpoint
+ * JWKS Endpoint (via /api/oidc/jwks)
 *
 * Returns JSON Web Key Set for token verification.
 */
@@ -70,6 +70,17 @@ export class OidcController {
 return this.handleOidcRequest(req, res);
 }
 
+ /**
+ * JWKS Endpoint (via /api/auth/jwks)
+ *
+ * Better Auth's discovery document points to this path,
+ * so we need to expose it directly as well.
+ */
+ @Get('api/auth/jwks')
+ async jwksAlt(@Req() req: Request, @Res() res: Response) {
+ return this.handleOidcRequest(req, res);
+ }
+
 /**
 * Catch-all for other OIDC endpoints
 */
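Review bot: The new `@Get('api/auth/jwks')` route in the second hunk hard-codes a path that has to stay equal to the `jwks_uri` Better Auth advertises, and nothing in this change checks that the two match; if the auth base path is ever reconfigured, relying parties would be pointed at a path that no longer serves keys and token verification would fail. An end-to-end test that reads `jwks_uri` from the discovery document and asserts a 200 response with a `keys` array would pin this. `jwksAlt` also repeats the body of the existing JWKS handler; NestJS route decorators accept an array of paths, so one handler could serve both, e.g. `@Get(['api/oidc/jwks', 'api/auth/jwks'])` (the existing decorator line sits between the two hunks and is not visible, so confirm its current path first). Because the new path lives under `/api/auth`, it is worth confirming that any guard, rate limit or CORS policy applied to other `/api/auth/*` routes still allows unauthenticated key fetches, and that `handleOidcRequest`, which is defined outside this diff, returns only public key material for this request.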