@lenne.tech/nest-server 11.10.2 → 11.10.4

package/src/core/modules/better-auth/core-better-auth-api.middleware.ts

@@ -1,8 +1,9 @@
-import { Injectable, Logger, NestMiddleware } from '@nestjs/common';
+import { Injectable, Logger, NestMiddleware, Optional } from '@nestjs/common';
 import { NextFunction, Request, Response } from 'express';
 
 import { isProduction } from '../../common/helpers/logging.helper';
-import { extractSessionToken, sendWebResponse, toWebRequest } from './core-better-auth-web.helper';
+import { CoreBetterAuthChallengeService } from './core-better-auth-challenge.service';
+import { extractSessionToken, sendWebResponse, signCookieValue, toWebRequest } from './core-better-auth-web.helper';
 import { CoreBetterAuthService } from './core-better-auth.service';
 
 /**
@@ -25,6 +26,22 @@ const CONTROLLER_HANDLED_PATHS = [
   '/session',
 ];
 
+/**
+ * Passkey paths that generate challenges
+ */
+const PASSKEY_GENERATE_PATHS = [
+  '/passkey/generate-register-options',
+  '/passkey/generate-authenticate-options',
+];
+
+/**
+ * Passkey paths that verify challenges
+ */
+const PASSKEY_VERIFY_PATHS = [
+  '/passkey/verify-registration',
+  '/passkey/verify-authentication',
+];
+
 /**
  * Middleware that forwards Better Auth API requests to the native Better Auth handler.
  *
@@ -35,22 +52,35 @@ const CONTROLLER_HANDLED_PATHS = [
  * - Magic link authentication
  * - Email verification
  *
- * The middleware:
- * 1. Checks if the request path starts with the Better Auth base path (e.g., /iam)
- * 2. Skips paths that need nest-server-specific logic (sign-in, sign-up, session)
- * 3. Extracts session token and signs cookies for Better Auth compatibility
- * 4. Converts the Express request to a Web Standard Request
- * 5. Calls Better Auth's native handler and sends the response
+ * For JWT mode (cookieless), this middleware provides an adapter for Passkey challenges:
+ * 1. On generate: Extracts Better Auth's verificationToken from Set-Cookie and stores mapping
+ * 2. On verify: Injects verificationToken as cookie so Better Auth can find the challenge
  *
- * IMPORTANT: Cookie signing is handled here to ensure Better Auth receives
- * properly signed session cookies for all plugin endpoints.
+ * This approach maintains full compatibility with Better Auth's internal mechanisms.
  */
 @Injectable()
 export class CoreBetterAuthApiMiddleware implements NestMiddleware {
   private readonly logger = new Logger(CoreBetterAuthApiMiddleware.name);
   private readonly isProd = isProduction();
+  private loggedChallengeStorageMode = false;
 
-  constructor(private readonly betterAuthService: CoreBetterAuthService) {}
+  constructor(
+    private readonly betterAuthService: CoreBetterAuthService,
+    @Optional() private readonly challengeService?: CoreBetterAuthChallengeService,
+  ) {}
+
+  /**
+   * Check if database challenge storage should be used.
+   * This is checked dynamically because the ChallengeService initializes in onModuleInit.
+   */
+  private useDbChallengeStorage(): boolean {
+    const enabled = this.challengeService?.isEnabled() ?? false;
+    if (enabled && !this.loggedChallengeStorageMode) {
+      this.logger.log('Passkey challenge storage: database (JWT mode compatible)');
+      this.loggedChallengeStorageMode = true;
+    }
+    return enabled;
+  }
 
   async use(req: Request, res: Response, next: NextFunction) {
     // Skip if Better-Auth is not enabled
@@ -59,13 +89,17 @@ export class CoreBetterAuthApiMiddleware implements NestMiddleware {
     }
 
     const basePath = this.betterAuthService.getBasePath();
-    const requestPath = req.path;
+    // Use originalUrl to get full path for IAM endpoints, but fallback to req.path
+    // The originalUrl contains the original request path as sent by client
+    const requestPath = req.originalUrl?.split('?')[0] || req.path;
 
     // Only handle requests that start with the Better Auth base path
     if (!requestPath.startsWith(basePath)) {
       return next();
     }
 
+    this.logger.debug(`API Middleware handling: ${req.method} ${requestPath}`);
+
     // Get the path relative to the base path
     const relativePath = requestPath.slice(basePath.length);
 
@@ -81,19 +115,49 @@ export class CoreBetterAuthApiMiddleware implements NestMiddleware {
       return next();
     }
 
-    if (!this.isProd) {
-      this.logger.debug(`Forwarding to Better Auth handler: ${req.method} ${requestPath}`);
-    }
+    this.logger.debug(`Forwarding to Better Auth handler: ${req.method} ${requestPath}`);
 
     try {
+      // Check if this is a passkey request that needs DB challenge handling
+      const useDbStorage = this.useDbChallengeStorage();
+      const isPasskeyGenerate = useDbStorage && PASSKEY_GENERATE_PATHS.some((p) => relativePath === p);
+      const isPasskeyVerify = useDbStorage && PASSKEY_VERIFY_PATHS.some((p) => relativePath === p);
+
       // Extract session token from cookies or Authorization header
       const sessionToken = extractSessionToken(req, basePath);
 
       // Get config for cookie signing
       const config = this.betterAuthService.getConfig();
+      const cookieName = this.challengeService?.getCookieName() || 'better-auth.better-auth-passkey';
+
+      // For passkey verify requests with DB storage, inject the verificationToken as a cookie
+      let challengeIdToDelete: string | undefined;
+      if (isPasskeyVerify && this.challengeService) {
+        const challengeId = req.body?.challengeId;
+        this.logger.debug(`Passkey verify: challengeId=${challengeId ? `${challengeId.substring(0, 8)}...` : 'MISSING'}, body keys=${Object.keys(req.body || {}).join(', ')}`);
+        if (challengeId) {
+          const verificationToken = await this.challengeService.getVerificationToken(challengeId);
+          if (verificationToken) {
+            // Sign the verificationToken and inject it as a cookie
+            const signedToken = signCookieValue(verificationToken, config.secret || '');
+
+            // Add the challenge cookie to the request headers
+            const existingCookies = req.headers.cookie || '';
+            req.headers.cookie = existingCookies
+              ? `${existingCookies}; ${cookieName}=${signedToken}`
+              : `${cookieName}=${signedToken}`;
+
+            challengeIdToDelete = challengeId;
+
+            this.logger.debug(`Injected verificationToken for passkey verification`);
+          } else {
+            // Challenge mapping not found - let Better Auth handle the error
+            this.logger.debug(`Challenge mapping not found: ${challengeId.substring(0, 8)}...`);
+          }
+        }
+      }
 
       // Convert Express request to Web Standard Request with proper cookie signing
-      // This ensures Better Auth receives signed cookies for session validation
       const webRequest = await toWebRequest(req, {
         basePath,
         baseUrl: this.betterAuthService.getBaseUrl(),
@@ -105,8 +169,84 @@ export class CoreBetterAuthApiMiddleware implements NestMiddleware {
       // Call Better Auth's native handler
       const response = await authInstance.handler(webRequest);
 
-      if (!this.isProd) {
-        this.logger.debug(`Better Auth handler response: ${response.status}`);
+      this.logger.debug(`Better Auth handler response: ${response.status}`);
+
+      // For passkey generate requests with DB storage, extract verificationToken and store mapping
+      if (isPasskeyGenerate && response.ok && this.challengeService) {
+        // Extract verificationToken from Set-Cookie header
+        const setCookieHeaders = response.headers.getSetCookie?.() || [];
+        let verificationToken: null | string = null;
+
+        for (const cookieHeader of setCookieHeaders) {
+          if (cookieHeader.startsWith(`${cookieName}=`)) {
+            // Extract the cookie value (before the first semicolon and after the equals sign)
+            const cookieValue = cookieHeader.split(';')[0].split('=')[1];
+            // URL decode and extract the token part (before the signature dot)
+            const decodedValue = decodeURIComponent(cookieValue);
+            // The signed cookie format is: value.signature
+            verificationToken = decodedValue.split('.')[0];
+            break;
+          }
+        }
+
+        if (verificationToken) {
+          // Clone the response to read the body
+          const responseClone = response.clone();
+          const responseBody = await responseClone.json();
+
+          // Get user ID from response or session
+          const userId = responseBody?.user?.id || sessionToken || 'anonymous';
+          const type = relativePath.includes('register') ? 'registration' : 'authentication';
+
+          // Store the mapping: challengeId → verificationToken
+          const challengeId = await this.challengeService.storeChallengeMapping(
+            verificationToken,
+            userId,
+            type as 'authentication' | 'registration',
+          );
+
+          // Add challengeId to the response body
+          const enhancedBody = {
+            ...responseBody,
+            challengeId,
+          };
+
+          // Create new headers WITHOUT the Set-Cookie for the passkey challenge
+          // (we don't want cookies in JWT mode)
+          const newHeaders = new Headers();
+          response.headers.forEach((value, key) => {
+            if (key.toLowerCase() !== 'set-cookie') {
+              newHeaders.set(key, value);
+            }
+          });
+          // Re-add non-passkey Set-Cookie headers
+          for (const cookieHeader of setCookieHeaders) {
+            if (!cookieHeader.startsWith(`${cookieName}=`)) {
+              newHeaders.append('Set-Cookie', cookieHeader);
+            }
+          }
+
+          // Create a new response with the enhanced body and filtered headers
+          const enhancedResponse = new Response(JSON.stringify(enhancedBody), {
+            headers: newHeaders,
+            status: response.status,
+            statusText: response.statusText,
+          });
+
+          this.logger.debug(`Stored challenge mapping with ID: ${challengeId.substring(0, 8)}...`);
+
+          // Send the enhanced response
+          await sendWebResponse(res, enhancedResponse);
+
+          return;
+        } else {
+          this.logger.warn('Could not extract verificationToken from Set-Cookie header');
+        }
+      }
+
+      // Clean up the used challenge mapping after verification (success or failure)
+      if (challengeIdToDelete && this.challengeService) {
+        await this.challengeService.deleteChallengeMapping(challengeIdToDelete);
       }
 
       // Convert Web Standard Response to Express response using shared helper

package/src/core/modules/better-auth/core-better-auth-challenge.service.ts

@@ -0,0 +1,254 @@
+import { Injectable, Logger, OnModuleInit, Optional } from '@nestjs/common';
+import { InjectConnection } from '@nestjs/mongoose';
+import * as crypto from 'crypto';
+import { Collection, Document } from 'mongodb';
+import { Connection } from 'mongoose';
+
+import { IBetterAuth } from '../../common/interfaces/server-options.interface';
+import { ConfigService } from '../../common/services/config.service';
+
+/**
+ * WebAuthn challenge mapping document structure.
+ *
+ * This stores a mapping from our challengeId to Better Auth's verificationToken.
+ * Better Auth stores the actual challenge in its verification collection.
+ */
+interface WebAuthnChallengeMappingDocument extends Document {
+  /** Our unique challenge ID (returned to client) */
+  challengeId: string;
+  /** Creation timestamp */
+  createdAt: Date;
+  /** Expiration timestamp (TTL index) */
+  expiresAt: Date;
+  /** Type of operation */
+  type: 'authentication' | 'registration';
+  /** User ID this challenge belongs to */
+  userId: string;
+  /** Better Auth's verification token (from their cookie) */
+  verificationToken: string;
+}
+
+/**
+ * Service for managing WebAuthn challenge mappings in MongoDB.
+ *
+ * This service provides an alternative to cookie-based challenge storage,
+ * enabling Passkey authentication in JWT-only (cookieless) mode.
+ *
+ * ## How it works (Adapter approach):
+ * 1. When `generateRegisterOptions` or `generateAuthenticateOptions` is called,
+ *    Better Auth stores its verificationToken in a cookie and the challenge in its DB
+ * 2. We extract the verificationToken from the Set-Cookie header
+ * 3. We store a mapping: challengeId → verificationToken in our collection
+ * 4. We return challengeId to the client (not the verificationToken for security)
+ * 5. When `verifyRegistration` or `verifyAuthentication` is called,
+ *    we inject the verificationToken as a cookie so Better Auth can find the challenge
+ *
+ * ## Why this approach?
+ * - Better Auth stores challenges in its `verification` collection using verificationToken as key
+ * - We don't duplicate the challenge storage, we just bridge the cookie gap
+ * - Full compatibility with Better Auth updates
+ * - Better Auth handles all WebAuthn logic natively
+ *
+ * ## Security considerations:
+ * - Challenges expire automatically via MongoDB TTL index
+ * - Each challengeId can only be used once (deleted after use)
+ * - verificationToken is never exposed to the client (only challengeId)
+ * - Challenges are bound to a specific user
+ */
+@Injectable()
+export class CoreBetterAuthChallengeService implements OnModuleInit {
+  private readonly logger = new Logger(CoreBetterAuthChallengeService.name);
+  private collection: Collection<WebAuthnChallengeMappingDocument> | null = null;
+  private ttlSeconds: number = 300; // 5 minutes default
+  private enabled: boolean = false;
+
+  constructor(
+    @Optional() @InjectConnection() private readonly connection: Connection,
+    @Optional() private readonly configService?: ConfigService,
+  ) {}
+
+  /**
+   * Initialize the collection and ensure TTL index exists
+   */
+  async onModuleInit() {
+    // ConfigService may not be available in test environments
+    if (!this.configService) {
+      return;
+    }
+
+    // Read config in onModuleInit to ensure it's fully loaded
+    const config = this.configService.get<IBetterAuth>('betterAuth') || {};
+    const passkeyConfig = typeof config.passkey === 'object' ? config.passkey : null;
+
+    // Database challenge storage is the default because:
+    // 1. Works everywhere (same-origin, cross-origin, JWT mode)
+    // 2. No cookie handling issues
+    // 3. Enables cookieless passkey authentication
+    //
+    // Disable database storage when:
+    // - Passkey is explicitly disabled (passkey: false OR passkey: { enabled: false })
+    // - Cookie storage is explicitly configured (passkey.challengeStorage: 'cookie')
+    const isPasskeyDisabled = config.passkey === false || passkeyConfig?.enabled === false;
+    const useCookieStorage = passkeyConfig?.challengeStorage === 'cookie';
+
+    this.enabled = !isPasskeyDisabled && !useCookieStorage;
+
+    if (useCookieStorage) {
+      this.logger.log('Using cookie-based challenge storage (explicitly configured)');
+    }
+    this.ttlSeconds = passkeyConfig?.challengeTtlSeconds || 300;
+
+    if (!this.enabled) {
+      return;
+    }
+
+    try {
+      if (!this.connection) {
+        this.logger.warn('MongoDB connection not available, challenge storage disabled');
+        this.enabled = false;
+        return;
+      }
+
+      const db = this.connection.db;
+      if (!db) {
+        this.logger.warn('Database not available, challenge storage disabled');
+        this.enabled = false;
+        return;
+      }
+
+      // Get or create the collection
+      this.collection = db.collection<WebAuthnChallengeMappingDocument>('webauthn_challenge_mappings');
+
+      // Ensure TTL index exists for automatic cleanup
+      await this.collection.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+
+      // Index for fast lookups
+      await this.collection.createIndex({ challengeId: 1 }, { unique: true });
+      await this.collection.createIndex({ verificationToken: 1 });
+
+      this.logger.log('WebAuthn challenge storage initialized (database mode)');
+    } catch (error) {
+      this.logger.error(`Failed to initialize challenge storage: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+  }
+
+  /**
+   * Check if database challenge storage is enabled
+   */
+  isEnabled(): boolean {
+    return this.enabled && this.collection !== null;
+  }
+
+  /**
+   * Store a mapping from challengeId to Better Auth's verificationToken.
+   *
+   * @param verificationToken - Better Auth's verification token from the cookie
+   * @param userId - User ID this challenge belongs to
+   * @param type - Type of operation (registration or authentication)
+   * @returns Challenge ID to be passed to the client
+   */
+  async storeChallengeMapping(
+    verificationToken: string,
+    userId: string,
+    type: 'authentication' | 'registration',
+  ): Promise<string> {
+    if (!this.collection) {
+      throw new Error('Challenge storage not initialized');
+    }
+
+    // Generate a unique challenge ID for the client
+    const challengeId = crypto.randomBytes(32).toString('base64url');
+
+    const now = new Date();
+    const expiresAt = new Date(now.getTime() + this.ttlSeconds * 1000);
+
+    await this.collection.insertOne({
+      challengeId,
+      createdAt: now,
+      expiresAt,
+      type,
+      userId,
+      verificationToken,
+    } as WebAuthnChallengeMappingDocument);
+
+    this.logger.debug(`Stored ${type} challenge mapping for user ${userId.substring(0, 8)}...`);
+
+    return challengeId;
+  }
+
+  /**
+   * Retrieve the verificationToken for a given challengeId.
+   *
+   * @param challengeId - The challenge ID returned from storeChallengeMapping
+   * @returns The verificationToken or null if not found/expired
+   */
+  async getVerificationToken(challengeId: string): Promise<null | string> {
+    if (!this.collection) {
+      return null;
+    }
+
+    const doc = await this.collection.findOne({ challengeId });
+
+    if (!doc) {
+      this.logger.debug(`Challenge mapping not found: ${challengeId.substring(0, 8)}...`);
+      return null;
+    }
+
+    // Check if expired (shouldn't happen with TTL, but double-check)
+    if (doc.expiresAt < new Date()) {
+      this.logger.debug(`Challenge mapping expired: ${challengeId.substring(0, 8)}...`);
+      return null;
+    }
+
+    return doc.verificationToken;
+  }
+
+  /**
+   * Delete a challenge mapping (after use or on error)
+   *
+   * @param challengeId - The challenge ID to delete
+   */
+  async deleteChallengeMapping(challengeId: string): Promise<void> {
+    if (!this.collection) {
+      return;
+    }
+
+    await this.collection.deleteOne({ challengeId });
+    this.logger.debug(`Deleted challenge mapping: ${challengeId.substring(0, 8)}...`);
+  }
+
+  /**
+   * Delete all challenge mappings for a user (e.g., on logout or account deletion)
+   *
+   * @param userId - User ID whose challenge mappings should be deleted
+   */
+  async deleteUserChallengeMappings(userId: string): Promise<void> {
+    if (!this.collection) {
+      return;
+    }
+
+    const result = await this.collection.deleteMany({ userId });
+    if (result.deletedCount > 0) {
+      this.logger.debug(`Deleted ${result.deletedCount} challenge mappings for user ${userId.substring(0, 8)}...`);
+    }
+  }
+
+  /**
+   * Get the TTL in seconds for challenge mappings
+   */
+  getTtlSeconds(): number {
+    return this.ttlSeconds;
+  }
+
+  /**
+   * Get the cookie name used by Better Auth for passkey challenges
+   */
+  getCookieName(): string {
+    if (!this.configService) {
+      return 'better-auth.better-auth-passkey';
+    }
+    const config = this.configService.get<IBetterAuth>('betterAuth') || {};
+    const passkeyConfig = typeof config.passkey === 'object' ? config.passkey : null;
+    return passkeyConfig?.webAuthnChallengeCookie || 'better-auth.better-auth-passkey';
+  }
+}

package/src/core/modules/better-auth/core-better-auth-user.mapper.ts

@@ -163,7 +163,7 @@ export class CoreBetterAuthUserMapper {
       // User doesn't exist in our database yet
       // This can happen if they signed up through Better-Auth but not legacy auth
       // Return a user with default roles (S_USER since they're authenticated)
-      this.logger.debug(`Better-Auth user ${sessionUser.email} not found in users collection`);
+      this.logger.debug(`Better-Auth user ${maskEmail(sessionUser.email)} not found in users collection`);
 
       return this.createMappedUser({
         email: sessionUser.email,

package/src/core/modules/better-auth/core-better-auth-web.helper.ts

@@ -77,6 +77,49 @@ export function extractSessionToken(req: Request, basePath: string = 'iam'): nul
   return null;
 }
 
+/**
+ * Checks if a cookie value appears to be already signed.
+ *
+ * A signed cookie has the format: `value.base64signature` where the signature
+ * is a base64-encoded string. This function checks if the value contains a dot
+ * followed by what looks like a base64 signature (not a JWT which has 2 dots).
+ *
+ * Note: This also handles URL-encoded signed cookies.
+ *
+ * @param value - The cookie value to check
+ * @returns true if the value appears to be already signed
+ */
+export function isAlreadySigned(value: string): boolean {
+  if (!value) {
+    return false;
+  }
+
+  // First, try to URL-decode the value (signed cookies from signCookieValue are URL-encoded)
+  let decodedValue = value;
+  try {
+    decodedValue = decodeURIComponent(value);
+  } catch {
+    // If decoding fails, use the original value
+  }
+
+  // A JWT has exactly 2 dots (header.payload.signature)
+  // A signed cookie has exactly 1 dot (value.signature)
+  const dotCount = (decodedValue.match(/\./g) || []).length;
+
+  if (dotCount !== 1) {
+    return false;
+  }
+
+  // Check if the part after the dot looks like a base64 signature
+  const lastDotIndex = decodedValue.lastIndexOf('.');
+  const potentialSignature = decodedValue.substring(lastDotIndex + 1);
+
+  // Base64 signature should be non-empty and contain only valid base64 characters
+  // HMAC-SHA256 base64 signatures are typically 44 characters (32 bytes -> 44 base64 chars with padding)
+  const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+  return potentialSignature.length >= 20 && base64Regex.test(potentialSignature);
+}
+
 /**
  * Parses a Cookie header string into an object.
  *
@@ -165,6 +208,25 @@ export function signCookieValue(value: string, secret: string): string {
   return encodeURIComponent(signedValue);
 }
 
+/**
+ * Signs a cookie value only if it's not already signed.
+ *
+ * This prevents double-signing which would make the cookie invalid.
+ *
+ * @param value - The cookie value to potentially sign
+ * @param secret - The secret to use for signing
+ * @param logger - Optional logger for debug output
+ * @returns The signed cookie value (URL-encoded) or the original if already signed
+ */
+export function signCookieValueIfNeeded(value: string, secret: string, logger?: Logger): string {
+  if (isAlreadySigned(value)) {
+    logger?.debug?.('Cookie value appears to be already signed, skipping signing');
+    // Return URL-encoded to match signCookieValue behavior
+    return value.includes('%') ? value : encodeURIComponent(value);
+  }
+  return signCookieValue(value, secret);
+}
+
 /**
  * Converts an Express Request to a Web Standard Request.
  *
@@ -201,9 +263,10 @@ export async function toWebRequest(req: Request, options: ToWebRequestOptions):
     const existingCookieString = headers.get('cookie') || '';
 
     // Sign the session token for Better Auth (if secret is provided)
+    // IMPORTANT: Only sign if not already signed to prevent double-signing
     let signedToken: string;
     if (secret) {
-      signedToken = signCookieValue(sessionToken, secret);
+      signedToken = signCookieValueIfNeeded(sessionToken, secret, logger);
     } else {
       logger?.warn('No Better Auth secret configured - cookies will not be signed');
       signedToken = sessionToken;

package/src/core/modules/better-auth/core-better-auth.controller.ts

@@ -18,7 +18,7 @@ import { Request, Response } from 'express';
 
 import { Roles } from '../../common/decorators/roles.decorator';
 import { RoleEnum } from '../../common/enums/role.enum';
-import { isProduction, maskToken } from '../../common/helpers/logging.helper';
+import { maskEmail, maskToken } from '../../common/helpers/logging.helper';
 import { ConfigService } from '../../common/services/config.service';
 import { BetterAuthSignInResponse, hasSession, hasUser, requires2FA } from './better-auth.types';
 import { BetterAuthSessionUser, CoreBetterAuthUserMapper } from './core-better-auth-user.mapper';
@@ -235,7 +235,7 @@ export class CoreBetterAuthController {
     try {
       const migrated = await this.userMapper.migrateAccountToIam(input.email, input.password);
       if (migrated) {
-        this.logger.debug(`Migrated legacy user ${input.email} to IAM`);
+        this.logger.debug(`Migrated legacy user ${maskEmail(input.email)} to IAM`);
       }
     } catch (error) {
       // Migration failure is not fatal - user might not exist in legacy or already migrated
@@ -262,9 +262,7 @@ export class CoreBetterAuthController {
       // When 2FA is required, we need to use the native Better Auth handler
       // because api.signInEmail() doesn't return the session token needed for 2FA verification
       if (requires2FA(response)) {
-        if (!isProduction()) {
-          this.logger.debug(`2FA required for ${input.email}, forwarding to native handler for cookie handling`);
-        }
+        this.logger.debug(`2FA required for ${maskEmail(input.email)}, forwarding to native handler for cookie handling`);
 
         // Forward to native Better Auth handler which sets the session cookie correctly
         // We need to modify the request body to use the normalized password
@@ -740,17 +738,13 @@ export class CoreBetterAuthController {
       throw new InternalServerErrorException('Better-Auth not initialized');
     }
 
-    if (!isProduction()) {
-      this.logger.debug(`Forwarding to Better Auth: ${req.method} ${req.path}`);
-    }
+    this.logger.debug(`Forwarding to Better Auth: ${req.method} ${req.path}`);
 
     try {
       // Extract session token from the validated middleware session or cookies
       const sessionToken = this.getSessionTokenFromRequest(req);
 
-      if (!isProduction()) {
-        this.logger.debug(`Session token for forwarding: ${maskToken(sessionToken)}`);
-      }
+      this.logger.debug(`Session token for forwarding: ${maskToken(sessionToken)}`);
 
       // Get config for signing cookies
       const config = this.betterAuthService.getConfig();
@@ -767,9 +761,7 @@ export class CoreBetterAuthController {
       // Call Better Auth's native handler
       const response = await authInstance.handler(webRequest);
 
-      if (!isProduction()) {
-        this.logger.debug(`Better Auth handler response status: ${response.status}`);
-      }
+      this.logger.debug(`Better Auth handler response status: ${response.status}`);
 
       // Send the response back
       await sendWebResponse(res, response);