fix(mana-core-auth): use Better Auth native sign-in for OIDC login

The OIDC login page was using our custom /api/v1/auth/login endpoint
which returns tokens but doesn't set session cookies. Better Auth's
OIDC provider needs session cookies to recognize logged-in users.

Changes:
- Update login page to use /api/auth/sign-in/email (Better Auth native)
- Add sign-in endpoint handler in oidc.controller.ts
- Add route exclusion in main.ts for the sign-in path

This fixes the infinite redirect loop where users would log in but
then be sent back to login because the OAuth2 authorize endpoint
couldn't detect the session.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Till-JS 2026-01-30 16:57:52 +01:00
parent e3cfafe594
commit edbe7502d3
3 changed files with 20 additions and 7 deletions


@ -223,7 +223,8 @@ export class OidcLoginController {
submitBtn.textContent = 'Signing in...';
try {
const response = await fetch('/api/v1/auth/login', {
// Use Better Auth's native sign-in endpoint which sets session cookies
const response = await fetch('/api/auth/sign-in/email', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
@ -232,13 +233,12 @@ export class OidcLoginController {
credentials: 'include',
});
const data = await response.json();
if (response.ok && data.accessToken) {
// Login successful - redirect to authorization endpoint
// The oidc_login_prompt cookie will be used to continue the flow
if (response.ok) {
// Login successful - session cookie is now set
// Redirect to authorization endpoint to continue OIDC flow
window.location.href = returnUrl;
} else {
const data = await response.json().catch(() => ({}));
throw new Error(data.message || 'Invalid email or password');
}
} catch (error) {
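Review bot: The failure branch in the second hunk assumes the parsed body is an object: `response.json()` resolving to `null` (a literal `null` body) would throw a TypeError on `.message`, so the user would see that instead of the fallback text, and the `.catch` only covers bodies that are not JSON at all. Optional chaining closes that gap: `const data = await response.json().catch(() => null);` followed by `throw new Error(data?.message || 'Invalid email or password');`. The success path now keys only on `response.ok`, which fits the commit's intent since the session cookie is what matters; `returnUrl` is defined outside the hunk, so if it originates from a query parameter it should be validated as a same-origin path before being assigned to `window.location.href` — that cannot be checked from here. The surrounding try/catch and its enclosing function continue beyond the hunk.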


@ -80,6 +80,18 @@ export class OidcController {
return this.handleOidcRequest(req, res);
}
/**
* Better Auth Sign-in Endpoint
*
* This endpoint is needed for OIDC login flow.
* When users log in via the /login page, it posts to this endpoint
* which sets the session cookie needed for the OAuth2 flow.
*/
@Post('api/auth/sign-in/email')
async signInEmail(@Req() req: Request, @Res() res: Response) {
return this.handleOidcRequest(req, res);
}
// ============================================
// Alternative /api/oidc/* paths
// For backwards compatibility and convenience
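Review bot: The docstring on the new `signInEmail` handler says the endpoint "sets the session cookie", but the method body only forwards to `this.handleOidcRequest(req, res)`, exactly like the handler above it; whether a cookie is set depends on that helper and on Better Auth's response, neither of which is in this hunk. Suggest rewording to `Forwards POST /api/auth/sign-in/email to the Better Auth handler via handleOidcRequest; the session cookie comes from Better Auth's response, not from this method.` so the comment does not overstate what the code does. Because this route accepts credentials and main.ts now excludes it from the global prefix, it is worth confirming that any throttling or lockout applied to the existing /api/v1/auth/login also covers this path — nothing in the hunk shows a guard either way. The class continues outside the hunk on both sides.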


@ -100,9 +100,10 @@ async function bootstrap() {
{ path: 'health', method: RequestMethod.ALL },
// OIDC login page
{ path: 'login', method: RequestMethod.ALL },
// Better Auth routes (verification emails, password reset)
// Better Auth routes (verification emails, password reset, sign-in)
{ path: 'api/auth/verify-email', method: RequestMethod.ALL },
{ path: 'api/auth/reset-password/(.*)', method: RequestMethod.ALL },
{ path: 'api/auth/sign-in/(.*)', method: RequestMethod.ALL },
// Better Auth OIDC/OAuth2 routes (native paths from discovery document)
{ path: 'api/auth/jwks', method: RequestMethod.ALL },
{ path: 'api/auth/oauth2/(.*)', method: RequestMethod.ALL },
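Review bot: The new exclusion `{ path: 'api/auth/sign-in/(.*)', method: RequestMethod.ALL }` is a wildcard, while the controller in oidc.controller.ts registers only `api/auth/sign-in/email`; every other `api/auth/sign-in/*` sub-path is excluded from the prefix with no handler behind it, which is harmless today but widens the unprefixed surface the moment another route is added. Narrowing it to `{ path: 'api/auth/sign-in/email', method: RequestMethod.POST },` keeps the exclusion matched to the single handler and its method, in the same spirit as the `api/auth/verify-email` entry above it. If the wildcard is intentional to cover future Better Auth sign-in variants, a comment saying so would save the next reader the question. `bootstrap()` starts and ends outside the hunk.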