The manual bodyParser.json() middleware conflicts with NestJS rawBody mode.
When rawBody: true is enabled, NestJS consumes the body stream first, then
the manual parser tries to read it again causing "stream is not readable".
NestJS handles JSON parsing internally, so the manual middleware was redundant
and causing 500 errors on login requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The JSON body parser was consuming the request body before NestJS
could access the rawBody needed for Stripe webhook signature
verification. Now webhooks to /api/v1/webhooks/stripe skip the
body parser middleware.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The get-session endpoint needs to be accessible at /api/auth/get-session
(without the /api/v1 prefix) for SSO to work.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OIDC providers like Synapse expect the JWT issuer claim to match the
discovery document's issuer URL. Changed JWT plugin config from
JWT_ISSUER to BASE_URL to ensure consistency.
Also adds:
- @manacore/credit-operations package with operation definitions
- @manacore/shared-credit-ui package with React Native and Svelte components
- CreditInterceptor and @UseCredits decorator in nestjs-integration
- Credit system integration in chat backend
Set useJWTPlugin: true so id_tokens are signed with EdDSA keys
from JWKS instead of HS256. This fixes Synapse OIDC integration
which verifies tokens via JWKS endpoint.
The OIDC login page was using our custom /api/v1/auth/login endpoint
which returns tokens but doesn't set session cookies. Better Auth's
OIDC provider needs session cookies to recognize logged-in users.
Changes:
- Update login page to use /api/auth/sign-in/email (Better Auth native)
- Add sign-in endpoint handler in oidc.controller.ts
- Add route exclusion in main.ts for the sign-in path
This fixes the infinite redirect loop where users would log in but
then be sent back to login because the OAuth2 authorize endpoint
couldn't detect the session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The login page uses inline JavaScript for the form submission handler.
Helmet's default CSP was blocking this, preventing users from logging in
via OIDC/SSO flows (e.g., Matrix Synapse).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a simple login page at /login for OIDC authorization flows.
When users access the authorization endpoint without being logged in,
Better Auth redirects them to this page. After successful login,
users are redirected back to continue the authorization flow.
- Create OidcLoginController with login page HTML
- Add controller to AuthModule
- Exclude /login from global prefix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Better Auth's OIDC discovery document advertises endpoints at
/api/auth/oauth2/* paths. Add routes for these native paths to
ensure Matrix Synapse and other OIDC clients can complete the
authorization flow.
Routes added:
- GET /api/auth/oauth2/authorize
- POST /api/auth/oauth2/token
- GET /api/auth/oauth2/userinfo
- GET /api/auth/jwks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add explicit path exclusions and path-to-regexp wildcard patterns
to ensure /api/auth/jwks and other OIDC routes are excluded from
the /api/v1 global prefix. This fixes JWKS endpoint accessibility
for Matrix Synapse OIDC integration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use { path, method } syntax for NestJS global prefix excludes to ensure
OIDC routes (.well-known/*, api/oidc/*) are properly excluded from the
/api/v1 prefix.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OidcController to expose Better Auth OIDC Provider endpoints
- Add handleOidcRequest method to BetterAuthService
- Exclude OIDC routes from global /api/v1 prefix
- Register OidcController in AuthModule
Endpoints:
- GET /.well-known/openid-configuration
- GET /api/oidc/authorize
- POST /api/oidc/token
- GET /api/oidc/userinfo
- GET /api/oidc/jwks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Better Auth generates verification URLs with /api/auth/verify-email path,
but NestJS uses /api/v1 prefix. This adds a passthrough controller to
handle the native Better Auth routes and properly verify user emails.
- Add BetterAuthPassthroughController for /api/auth/* routes
- Add verifyEmail method to BetterAuthService
- Exclude /api/auth/* from global prefix in main.ts
- Register passthrough controller in AuthModule
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add metrics module to calendar, chat, clock, contacts backends
- Add metrics module to mana-core-auth service
- Expose /metrics endpoint for Prometheus scraping
- Track HTTP requests, response times, and custom business metrics
Co-Authored-By: Claude <noreply@anthropic.com>
Update helmet middleware to allow cross-origin resource policy and
opener policy for proper CORS functionality with frontend apps.
Also add debug logging for configured CORS origins.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add shared-feedback-types package with TypeScript types
- Add shared-feedback-service package with factory function
- Add shared-feedback-ui package with Svelte 5 components
- Add feedback module to mana-core-auth backend
- Add AI service using Gemini 2.0 Flash for title/category generation
- Add database schema and migration for feedback tables
- Integrate feedback page into Chat web app
- Add CORS support for X-App-Id header
- Add COMMANDS.md documentation for all dev commands
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
