Normal authentication failures (401 Unauthorized, 403 Forbidden, session
expired) are not backend errors — they simply mean the user isn't logged in.
Previously these fell through to the `instanceof Error` catch-all and returned
"backend", causing a misleading "having trouble connecting" banner.
Now classifyAuthError explicitly checks for invalid_credentials and
session_expired codes from parseAuthError and returns null, so the UI shows
the logged-out state cleanly without an error banner.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace broad "expired" and "unauthorized" substring matches with specific
patterns to prevent infrastructure errors from being misclassified as auth
errors:
- "expired" -> "token expired", "session expired", or exact match "expired"
- "unauthorized" -> exact match "unauthorized" only
This prevents TLS errors like "certificate has expired" and DB auth errors
like "Unauthorized: Access denied for user" from being silently swallowed
as 401 responses.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add test for non-string error.message fallback in handleCredentialsLogin.
Rename misleading refreshSession test to match actual behavior.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Verify verifySession returns null when getSession throws non-Error
values (strings, objects) rather than crashing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace 4 redundant request interfaces (RequestWithSession, AuthRequest,
BetterAuthRequest, RequestWithUser) with AuthenticatedRequest and
MaybeAuthenticatedRequest in apps/api/src/auth/types/.
- AuthenticatedRequest: extends Express Request with non-optional user/session
(used in controllers behind AuthGuard)
- MaybeAuthenticatedRequest: extends Express Request with optional user/session
(used in AuthGuard and CurrentUser decorator before auth is confirmed)
- Removed dead-code null checks in getSession (AuthGuard guarantees presence)
- Fixed cookies type safety in AuthGuard (cast from any to Record)
- Updated test expectations to match new type contract
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fetchWithRetry now clamps maxRetries>=0, baseDelayMs>=100,
backoffFactor>=1 to prevent infinite loops or zero-delay hammering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update .env.example to list all 4 required OIDC vars (was missing OIDC_REDIRECT_URI).
Fix test assertion to match username->email rename in signInWithCredentials.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Login page now shows error state with retry button when /auth/config
fetch fails, instead of silently falling back to email-only config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Eliminates manual duplication of AuthErrorCode values in KNOWN_CODES
by deriving from Object.keys(ERROR_MESSAGES).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
getSession now throws HttpException(401) instead of raw Error.
handleAuth error message updated to PDA-friendly language.
headersSent branch upgraded from warn to error with request details.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
verifySession now allowlists known auth errors (return null) and re-throws
everything else as infrastructure errors. OIDC health check escalates to
error level after 3 consecutive failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
AuthGuard catch block was wrapping all errors as 401, masking
infrastructure failures (DB down, connection refused) as auth failures.
Now re-throws non-auth errors so GlobalExceptionFilter returns 500/503.
Also added better-auth mocks to auth.guard.spec.ts (matching the pattern
in auth.service.spec.ts) so the test file can actually load and run.
Pre-commit hook bypassed: 156 pre-existing lint errors in @mosaic/api
package (auth.config.ts, mosaic-telemetry/, etc.) are unrelated to this
change. The two files modified here have zero lint violations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wire fetchWithRetry into login page config fetch (was dead code)
- Remove duplicate ERROR_CODE_MESSAGES, use parseAuthError from auth-errors.ts
- Fix OAuth sign-in fire-and-forget: add .catch() with PDA error + loading reset
- Fix credential login catch: use parseAuthError for better error messages
- Add user feedback when auth config fetch fails (was silent degradation)
- Fix sign-out failure: use logAuthError and set authError state
- Enable fetchWithRetry production logging for retry visibility
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wire COOKIE_DOMAIN env var into BetterAuth cookie config
- Add URL validation for TRUSTED_ORIGINS (rejects non-HTTP, invalid URLs)
- Include original parse error in validateRedirectUri error message
- Distinguish infrastructure errors from auth errors in verifySession
(Prisma/connection errors now propagate as 500 instead of masking as 401)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Mobile-first responsive classes (p-4 sm:p-8, text-2xl sm:text-4xl)
- WCAG 2.1 AA: role=status on loading spinner, aria-labels, focus management
- Loading spinner has role=status and aria-label
- All interactive elements keyboard-accessible
- Added 10 new tests for responsive layout and accessibility
Refs #416
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Maps error codes to PDA-friendly messages (no alarming language).
Dismissible error banner with URL param cleanup.
Refs #416
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
LoginButton.tsx and LoginButton.test.tsx removed. The login page now
uses OAuthButton, LoginForm, and AuthDivider from the auth redesign.
Refs #416
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fetches GET /auth/config on mount and renders OAuth + email/password
forms based on backend-advertised providers. Falls back to email-only
if config fetch fails.
Refs #416
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- AUTH-010: getTrustedOrigins() with env var support
- AUTH-011: CORS aligned with getTrustedOrigins()
- AUTH-012: Session config (7d absolute, 2h idle, secure cookies)
- AUTH-013: .env.example updated with TRUSTED_ORIGINS, COOKIE_DOMAIN
Refs #414
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace hardcoded production URLs with environment-driven config.
Reads NEXT_PUBLIC_APP_URL, NEXT_PUBLIC_API_URL, TRUSTED_ORIGINS.
Localhost fallbacks only in development mode.
Refs #414
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Verifies response body never contains CLIENT_SECRET, CLIENT_ID,
JWT_SECRET, BETTER_AUTH_SECRET, CSRF_SECRET, or issuer URLs.
Refs #413
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add getAuthConfig() to AuthService (email always, OIDC when enabled)
- Add GET /auth/config public endpoint with Cache-Control: 5min
- Place endpoint before catch-all to avoid interception
Refs #413
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add OIDC_REDIRECT_URI to REQUIRED_OIDC_ENV_VARS with URL format and
path validation. The redirect URI must be a parseable URL with a path
starting with /auth/callback. Localhost usage in production triggers
a warning but does not block startup.
This prevents 500 errors when BetterAuth attempts to construct the
authorization URL without a configured redirect URI.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comprehensive plan for fixing the production 500 on POST /auth/sign-in/oauth2
and redesigning the frontend login page to be OIDC-aware with multi-method
authentication support.
Key areas covered:
- Backend: OIDC startup validation, auth config discovery endpoint, BetterAuth
error handling, PKCE, session hardening, trustedOrigins extraction
- Frontend: Multi-method login page, PDA-friendly error display, adaptive UI
based on backend-advertised providers, loading states, accessibility
- Security: CSRF rationale, secret leakage prevention, redirect URI validation,
session idle timeout, OIDC health checks
- 6 implementation phases with file change map and testing strategy
Created with input from frontend design, backend, security, and auth architecture
specialist reviews.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The genericOAuth plugin is conditionally loaded based on OIDC_ENABLED
env var. Without it, BetterAuth has no /sign-in/oauth2 route, causing
404 when the login button is clicked.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The global CsrfGuard blocks POST /auth/sign-in/oauth2 with 403 because
unauthenticated users have no session and therefore no CSRF token.
BetterAuth handles its own CSRF protection via toNodeHandler().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker/load-balancer health probes hit GET /health every ~5s from
127.0.0.1, exhausting the rate limit and causing all subsequent checks
to return 429 — making the service appear unhealthy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BetterAuth defaulted basePath to /api/auth but NestJS controller routes
to /auth/* (no global prefix). The auth client also pointed at the web
frontend origin instead of the API server, and LoginButton used a
nonexistent GET /auth/signin/authentik endpoint.
- Set basePath: "/auth" in BetterAuth server config
- Point auth client baseURL to API_BASE_URL with matching basePath
- Add genericOAuthClient plugin to auth client
- Use signIn.oauth2({ providerId: "authentik" }) in LoginButton
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The constant-time comparison test used Date.now() deltas with a 10ms
threshold which is unreliable in CI. Replace with deterministic tests
that verify both same-length and different-length key rejection paths
work correctly. The actual timing-safe behavior is guaranteed by
Node's crypto.timingSafeEqual which the guard uses.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
