Update .env.example to list all 4 required OIDC vars (was missing OIDC_REDIRECT_URI). Fix test assertion to match username->email rename in signInWithCredentials. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
logAuthError now always logs (not dev-only). Replaced isBackendError with parseAuthError-based classification. signOut uses proper error type. Session expiry sets explicit session_expired state. Login page logs in prod. Fixed pre-existing lint violations in auth package (campsite rule). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add getAccessToken tests (5): null session, valid token, expired token, buffer window, undefined token - Add isAdmin tests (4): null session, true, false, undefined - Add getUserById/getUserByEmail null-return tests (2) - Add getClientIp tests via handleAuth (4): single IP, comma-separated, array, fallback - Fix pre-existing controller spec failure by adding better-auth vi.mock calls Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Uses parseAuthError from auth-errors module for consistent PDA-friendly error messages in signInWithCredentials. Refs #417
