From edbe7502d3dd99962f5cb18ba647b7759a616e92 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Fri, 30 Jan 2026 16:57:52 +0100
Subject: [PATCH] fix(mana-core-auth): use Better Auth native sign-in for OIDC login
The OIDC login page was using our custom /api/v1/auth/login endpoint which returns tokens but doesn't set session cookies. Better Auth's OIDC provider needs session cookies to recognize logged-in users.
Changes:
- Update login page to use /api/auth/sign-in/email (Better Auth native)
- Add sign-in endpoint handler in oidc.controller.ts
- Add route exclusion in main.ts for the sign-in path
This fixes the infinite redirect loop where users would log in but then be sent back to login because the OAuth2 authorize endpoint couldn't detect the session.
Co-Authored-By: Claude Opus 4.5
---
 .../mana-core-auth/src/auth/oidc-login.controller.ts | 12 ++++++------
 services/mana-core-auth/src/auth/oidc.controller.ts | 12 ++++++++++++
 services/mana-core-auth/src/main.ts | 3 ++-
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/services/mana-core-auth/src/auth/oidc-login.controller.ts b/services/mana-core-auth/src/auth/oidc-login.controller.ts
index c2aa44e99..4c83ad607 100644
--- a/services/mana-core-auth/src/auth/oidc-login.controller.ts
+++ b/services/mana-core-auth/src/auth/oidc-login.controller.ts
@@ -223,7 +223,8 @@ export class OidcLoginController {
 submitBtn.textContent = 'Signing in...';
 try {
- const response = await fetch('/api/v1/auth/login', {
+ // Use Better Auth's native sign-in endpoint which sets session cookies
+ const response = await fetch('/api/auth/sign-in/email', {
 method: 'POST',
 headers: {
 'Content-Type': 'application/json',
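Review bot: The JSON body sent with this fetch is outside the hunk, and Better Auth's `sign-in/email` route expects `email` and `password` fields; if the body was built for the old `/api/v1/auth/login` contract with different field names, every login will now fail with the generic "Invalid email or password" message, so the body construction should be checked alongside this change. Moving the page off the application's own login endpoint also means any rate limiting, lockout or audit logging attached to `/api/v1/auth/login` no longer covers this form — that cannot be confirmed from the hunk, but the same protections should be verified on `/api/auth/sign-in/email` before this ships. The enclosing handler (the inline script emitted by `OidcLoginController`) starts and ends outside the hunk.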
@@ -232,13 +233,12 @@ export class OidcLoginController {
 credentials: 'include',
 });
- const data = await response.json();
-
- if (response.ok && data.accessToken) {
- // Login successful - redirect to authorization endpoint
- // The oidc_login_prompt cookie will be used to continue the flow
+ if (response.ok) {
+ // Login successful - session cookie is now set
+ // Redirect to authorization endpoint to continue OIDC flow
 window.location.href = returnUrl;
 } else {
+ const data = await response.json().catch(() => ({}));
 throw new Error(data.message || 'Invalid email or password');
 }
 } catch (error) {
diff --git a/services/mana-core-auth/src/auth/oidc.controller.ts b/services/mana-core-auth/src/auth/oidc.controller.ts
index 046fc4323..ff37f7c1c 100644
--- a/services/mana-core-auth/src/auth/oidc.controller.ts
+++ b/services/mana-core-auth/src/auth/oidc.controller.ts
@@ -80,6 +80,18 @@ export class OidcController {
 return this.handleOidcRequest(req, res);
 }
+ /**
+ * Better Auth Sign-in Endpoint
+ *
+ * This endpoint is needed for OIDC login flow.
+ * When users log in via the /login page, it posts to this endpoint
+ * which sets the session cookie needed for the OAuth2 flow.
+ */
+ @Post('api/auth/sign-in/email')
+ async signInEmail(@Req() req: Request, @Res() res: Response) {
+ return this.handleOidcRequest(req, res);
+ }
+
 // ============================================
 // Alternative /api/oidc/* paths
 // For backwards compatibility and convenience
diff --git a/services/mana-core-auth/src/main.ts b/services/mana-core-auth/src/main.ts
index b46253a6a..5a403a74b 100644
--- a/services/mana-core-auth/src/main.ts
+++ b/services/mana-core-auth/src/main.ts
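Review bot: On success the page assigns `returnUrl` to `window.location.href` without checking it, and `returnUrl` is defined outside the hunk; if it originates from a query parameter this is an open redirect that now fires immediately after a successful credential entry, which is the moment a user is least likely to notice a foreign destination. Constrain it to the same origin before navigating, e.g. `const target = new URL(returnUrl, window.location.origin);` followed by `if (target.origin !== window.location.origin) throw new Error('Invalid return URL');`. Replacing the `data.accessToken` check with `response.ok` alone also treats any 2xx as a completed login, so a 200 whose body signals a further step (for example a second-factor prompt, if the Better Auth two-factor plugin is enabled) would redirect to the authorize endpoint without a session and recreate the loop this commit is fixing; reading the body on success and checking for that case is worth considering. The enclosing try block and handler continue outside the hunk.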
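Review bot: The TSDoc on the added `signInEmail` method describes how the login page uses it but not what the handler does or what it exposes: it forwards the raw request to `handleOidcRequest` (defined outside the hunk), so this is a second public path that accepts passwords. I would extend the doc comment with `Forwards the raw request to the Better Auth handler. This route accepts credentials, so rate limiting and lockout policy must cover it the same way as /api/v1/auth/login.` so the next maintainer does not treat it as a plain proxy. The method also has no declared return type; annotating it with whatever `handleOidcRequest` returns (likely `Promise<void>` given the `@Res()` injection, but that is outside the hunk) would make the contract visible at the call site.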
@@ -100,9 +100,10 @@ async function bootstrap() {
 { path: 'health', method: RequestMethod.ALL },
 // OIDC login page
 { path: 'login', method: RequestMethod.ALL },
- // Better Auth routes (verification emails, password reset)
+ // Better Auth routes (verification emails, password reset, sign-in)
 { path: 'api/auth/verify-email', method: RequestMethod.ALL },
 { path: 'api/auth/reset-password/(.*)', method: RequestMethod.ALL },
+ { path: 'api/auth/sign-in/(.*)', method: RequestMethod.ALL },
 // Better Auth OIDC/OAuth2 routes (native paths from discovery document)
 { path: 'api/auth/jwks', method: RequestMethod.ALL },
 { path: 'api/auth/oauth2/(.*)', method: RequestMethod.ALL },
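Review bot: The new exclusion `api/auth/sign-in/(.*)` with `RequestMethod.ALL` is broader than the single `POST api/auth/sign-in/email` route this patch adds in oidc.controller.ts; the neighbouring `reset-password/(.*)` entry uses the same wildcard style, so this may be deliberate, but nothing in the patch routes any other sign-in variant. Scoping the entry to what is actually handled keeps the exposed surface explicit and matches the commit message, which names only the sign-in path: `{ path: 'api/auth/sign-in/email', method: RequestMethod.POST },`. If further Better Auth sign-in paths are meant to be reachable later, a comment listing which ones would help the next reader decide whether the wildcard is still justified. `bootstrap()` starts and ends outside the hunk.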