fix(auth): restore BetterAuth OAuth2 flow and compose wiring #426

Merged
jason.woltje merged 1 commit from fix/authentik-betterauth-interop into develop 2026-02-18 05:44:19 +00:00
Owner

## Summary
- set BetterAuth from (fallback ) with production safety checks
- align OIDC redirect validation and plugin config to and pass explicit
- preserve BetterAuth/better-call HTTP error status/body in auth controller for actionable client errors
- update login OAuth callback URL to absolute origin in web app
- update all docker compose variants and for and corrected OIDC redirect defaults
- update auth docs to match the callback path and env expectations

## Verification
-

RUN v4.0.18 /home/jwoltje/src/mosaic-stack/apps/api

stdout | src/auth/auth.controller.spec.ts
[dotenv@17.2.4] injecting env (5) from .env.test -- tip: 🔐 prevent building .env in docker: https://dotenvx.com/prebuild

stdout | src/auth/auth.config.spec.ts
[dotenv@17.2.4] injecting env (5) from .env.test -- tip: 🗂️ backup and recover secrets: https://dotenvx.com/ops

✓ src/auth/auth.config.spec.ts (59 tests) 21ms
✓ src/auth/auth.controller.spec.ts (18 tests) 38ms

Test Files 2 passed (2)
Tests 77 passed (77)
Start at 23:39:00
Duration 591ms (transform 275ms, setup 80ms, import 497ms, tests 59ms, environment 0ms)
-
RUN v3.2.4 /home/jwoltje/src/mosaic-stack/apps/web

✓ src/app/(auth)/login/page.test.tsx (33 tests) 819ms

Test Files 1 passed (1)
Tests 33 passed (33)
Start at 23:39:01
Duration 1.80s (transform 132ms, setup 110ms, collect 248ms, tests 819ms, environment 272ms, prepare 103ms)

jason.woltje added 1 commit 2026-02-18 05:39:04 +00:00
fix(auth): restore BetterAuth OIDC flow across api/web/compose
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
dedc1af080
Author
Owner

Clean PR summary (body was shell-mangled during CLI submission):

  • Set BetterAuth base URL from BETTER_AUTH_URL (fallback NEXT_PUBLIC_API_URL) with production safety validation.
  • Align OIDC redirect validation and plugin redirect URI to /auth/oauth2/callback/... and pass explicit redirectURI in genericOAuth config.
  • Preserve BetterAuth/better-call status/body in AuthController instead of collapsing to generic 500.
  • Update web OAuth callbackURL to an absolute origin URL.
  • Update docker-compose.yml, docker/docker-compose.build.yml, and docker-compose.swarm.portainer.yml to include BETTER_AUTH_URL and corrected OIDC redirect defaults.
  • Update .env.example and docs to match callback path/env changes.

Verification:

  • pnpm --filter @mosaic/api exec vitest run src/auth/auth.config.spec.ts src/auth/auth.controller.spec.ts
  • pnpm --filter @mosaic/web exec vitest run 'src/app/(auth)/login/page.test.tsx'
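The base-URL fallback and redirect-URI validation listed in the summary above, sketched as an added TypeScript example (not code from this PR or the mosaic-stack repository). The specific production checks, the same-origin requirement and the function names are assumptions; only the two environment variable names and the callback path prefix come from the page.

```typescript
// Added illustration; not code from the mosaic-stack repository.
type Env = Record<string, string | undefined>;

// Callback path prefix named in the PR summary; the provider segment after it is elided there.
const CALLBACK_PREFIX = "/auth/oauth2/callback/";
// Assumed production policy: the page does not say what its safety validation checks.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function resolveBaseUrl(env: Env): URL {
  // Compose files can pass an unset variable as "", so treat empty and missing alike.
  const raw = (env.BETTER_AUTH_URL ?? "").trim() || (env.NEXT_PUBLIC_API_URL ?? "").trim();
  if (!raw) throw new Error("set BETTER_AUTH_URL or NEXT_PUBLIC_API_URL");
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`base URL is not an absolute URL: ${raw}`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`unsupported base URL scheme: ${url.protocol}`);
  }
  if (env.NODE_ENV === "production") {
    if (url.protocol !== "https:") throw new Error("production base URL must use https");
    if (LOOPBACK_HOSTS.has(url.hostname)) throw new Error("production base URL must not be loopback");
  }
  return url;
}

// Returns a list of problems; an empty list means the redirect URI is acceptable.
function checkRedirectUri(redirectUri: string, base: URL): string[] {
  let uri: URL;
  try {
    uri = new URL(redirectUri); // parsing also resolves "../" segments before the path check
  } catch {
    return ["redirect URI is not an absolute URL"];
  }
  const problems: string[] = [];
  // Assumption: the callback is served from the same origin as the BetterAuth base URL.
  if (uri.origin !== base.origin) problems.push(`origin ${uri.origin} is not ${base.origin}`);
  const provider = uri.pathname.startsWith(CALLBACK_PREFIX)
    ? uri.pathname.slice(CALLBACK_PREFIX.length)
    : null;
  if (provider === null) problems.push(`path must start with ${CALLBACK_PREFIX}`);
  else if (!/^[A-Za-z0-9_-]+$/.test(provider)) problems.push("provider segment must be one path segment");
  if (uri.search || uri.hash) problems.push("redirect URI must not carry a query or fragment");
  return problems;
}
```

Running both checks at startup makes a mismatched compose default fail at boot rather than at the identity provider's redirect step.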
jason.woltje merged commit 2c3c1f67ac into develop 2026-02-18 05:44:19 +00:00
jason.woltje deleted branch fix/authentik-betterauth-interop 2026-02-18 05:44:20 +00:00