@lenne.tech/nest-server 11.7.1 → 11.7.2

package/src/core/modules/better-auth/better-auth-user.mapper.ts

@@ -243,7 +243,6 @@ export class BetterAuthUserMapper {
     }
 
     if (!plainPassword) {
-      this.logger.debug('No plain password provided - cannot create bcrypt hash for legacy');
       return false;
     }
 
@@ -266,13 +265,7 @@ export class BetterAuthUserMapper {
         { $set: { password: bcryptHash, updatedAt: new Date() } },
       );
 
-      if (result.modifiedCount > 0) {
-        this.logger.debug(`Created bcrypt hash for legacy auth for user ${userEmail}`);
-        return true;
-      }
-
-      this.logger.debug(`No user found to sync password for ${userEmail}`);
-      return false;
+      return result.modifiedCount > 0;
     } catch (error) {
       this.logger.error(
         `Error syncing password to legacy: ${error instanceof Error ? error.message : 'Unknown error'}`,
@@ -304,7 +297,6 @@ export class BetterAuthUserMapper {
     }
 
     if (!plainPassword) {
-      this.logger.debug('No plain password provided - cannot sync to IAM');
       return false;
     }
 
@@ -315,7 +307,6 @@ export class BetterAuthUserMapper {
       // Find the user
       const user = await usersCollection.findOne({ email: userEmail });
       if (!user) {
-        this.logger.debug(`No user found with email ${userEmail} - cannot sync password to IAM`);
         return false;
       }
 
@@ -326,7 +317,6 @@ export class BetterAuthUserMapper {
       });
 
       if (!existingAccount) {
-        this.logger.debug(`No IAM credential account found for ${userEmail} - sync not needed`);
         return false;
       }
 
@@ -334,7 +324,7 @@ export class BetterAuthUserMapper {
       const scryptHash = await this.hashPasswordForBetterAuth(plainPassword);
 
       // Update the account password
-      const result = await accountCollection.updateOne(
+      await accountCollection.updateOne(
         { _id: existingAccount._id },
         {
           $set: {
@@ -344,12 +334,6 @@ export class BetterAuthUserMapper {
         },
       );
 
-      if (result.modifiedCount > 0) {
-        this.logger.debug(`Synced password change to IAM for user ${userEmail}`);
-        return true;
-      }
-
-      this.logger.debug(`Password already up to date in IAM for ${userEmail}`);
       return true;
     } catch (error) {
       this.logger.error(`Error syncing password to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`);
@@ -371,7 +355,6 @@ export class BetterAuthUserMapper {
    */
   async migrateAccountToIam(userEmail: string, plainPassword?: string): Promise<boolean> {
     if (!this.connection) {
-      this.logger.warn('No database connection available - cannot migrate account to IAM');
       return false;
     }
 
@@ -383,7 +366,6 @@ export class BetterAuthUserMapper {
       const legacyUser = await usersCollection.findOne({ email: userEmail });
 
       if (!legacyUser?.password) {
-        this.logger.debug(`No legacy user with password found for ${userEmail}`);
         return false;
       }
 
@@ -396,17 +378,12 @@ export class BetterAuthUserMapper {
         const directMatch = await bcrypt.compare(plainPassword, legacyUser.password);
         const sha256Match = await bcrypt.compare(sha256(plainPassword), legacyUser.password);
         if (!directMatch && !sha256Match) {
-          // Security: Wrong password provided for migration - reject strongly
-          this.logger.warn(
-            `SECURITY: Password verification failed for ${userEmail} - migration rejected. This may indicate an attempted unauthorized migration.`,
-          );
-          // Return false instead of throwing to avoid exposing user existence
-          // The calling code (CoreAuthService) will handle this as authentication failure
+          // Security: Wrong password provided for migration - reject
+          this.logger.warn(`Migration password verification failed for ${userEmail}`);
           return false;
         }
       } else {
         // No password provided - cannot verify, cannot migrate
-        this.logger.debug(`No password provided for ${userEmail} - migration skipped`);
         return false;
       }
 
@@ -433,8 +410,6 @@ export class BetterAuthUserMapper {
             },
           },
         );
-
-        this.logger.debug(`Added Better-Auth id ${stringId} to legacy user ${userEmail}`);
       }
 
       // Check if credential account already exists
@@ -445,23 +420,11 @@ export class BetterAuthUserMapper {
       });
 
       if (existingAccount) {
-        this.logger.debug(`Credential account already exists for ${userEmail}`);
         return true;
       }
 
-      // Create the credential account
-      // If we have the plain password, create a Better-Auth compatible scrypt hash
-      // Otherwise, migration is not possible (legacy bcrypt hash is not compatible)
-      let passwordHash: string;
-      if (plainPassword) {
-        // Better-Auth uses scrypt with format: salt:hash (both hex encoded)
-        passwordHash = await this.hashPasswordForBetterAuth(plainPassword);
-        this.logger.debug(`Created Better-Auth compatible scrypt hash for ${userEmail}`);
-      } else {
-        // Without plain password, we cannot migrate - Better-Auth uses scrypt, Legacy uses bcrypt
-        this.logger.warn(`Cannot migrate ${userEmail} without plain password - hash formats are incompatible`);
-        return false;
-      }
+      // Create the credential account with Better-Auth compatible scrypt hash
+      const passwordHash = await this.hashPasswordForBetterAuth(plainPassword);
 
       const now = new Date();
       // Store account matching Better-Auth's format:
@@ -477,7 +440,6 @@ export class BetterAuthUserMapper {
         userId: userMongoId,
       });
 
-      this.logger.debug(`Created IAM credential account for legacy user ${userEmail}`);
       return true;
     } catch (error) {
       this.logger.error(`Error migrating account to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`);
@@ -685,22 +647,15 @@ export class BetterAuthUserMapper {
       const user = await usersCollection.findOne({ email: newEmail });
 
       if (!user) {
-        this.logger.debug(`No user found with new email ${newEmail}`);
         return false;
       }
 
       // Invalidate all existing sessions for this user
       // This forces re-authentication with the new email
       if (user._id) {
-        const deleteResult = await sessionCollection.deleteMany({ userId: user._id });
-        if (deleteResult.deletedCount > 0) {
-          this.logger.debug(
-            `Invalidated ${deleteResult.deletedCount} sessions after email change for user ${newEmail}`,
-          );
-        }
+        await sessionCollection.deleteMany({ userId: user._id });
       }
 
-      this.logger.debug(`Email change synced from Legacy to IAM: ${oldEmail} → ${newEmail}`);
       return true;
     } catch (error) {
       this.logger.error(
@@ -744,13 +699,7 @@ export class BetterAuthUserMapper {
         { returnDocument: 'after' },
       );
 
-      if (!result) {
-        this.logger.debug(`No user found with iamId ${userId}`);
-        return false;
-      }
-
-      this.logger.debug(`Email change synced from IAM to Legacy for user ${userId}: → ${newEmail}`);
-      return true;
+      return !!result;
     } catch (error) {
       this.logger.error(
         `Error syncing email change from IAM: ${error instanceof Error ? error.message : 'Unknown error'}`,
@@ -807,7 +756,6 @@ export class BetterAuthUserMapper {
       }
 
       if (!user) {
-        this.logger.debug(`No user found with identifier ${userIdentifier}`);
         return { accountsDeleted: 0, sessionsDeleted: 0, success: false, userDeleted: false };
       }
 
@@ -874,12 +822,6 @@ export class BetterAuthUserMapper {
       const accountsResult = await accountCollection.deleteMany({ userId: userObjectId });
       const accountsDeleted = accountsResult.deletedCount;
 
-      if (sessionsDeleted > 0 || accountsDeleted > 0) {
-        this.logger.debug(
-          `Cleaned up IAM data for user ${userId}: accounts=${accountsDeleted}, sessions=${sessionsDeleted}`,
-        );
-      }
-
       return {
         accountsDeleted,
         sessionsDeleted,
@@ -914,13 +856,7 @@ export class BetterAuthUserMapper {
         $or: [{ iamId: iamUserId }, { id: iamUserId }],
       });
 
-      if (result.deletedCount > 0) {
-        this.logger.debug(`Cleaned up Legacy user for IAM user ${iamUserId}`);
-        return true;
-      }
-
-      this.logger.debug(`No Legacy user found for IAM user ${iamUserId}`);
-      return false;
+      return result.deletedCount > 0;
     } catch (error) {
       this.logger.error(`Error cleaning up Legacy data: ${error instanceof Error ? error.message : 'Unknown error'}`);
       return false;
@@ -1043,10 +979,6 @@ export class BetterAuthUserMapper {
       // Can disable legacy auth only if ALL users are fully migrated
       const canDisableLegacyAuth = totalUsers > 0 && fullyMigratedUsers === totalUsers;
 
-      this.logger.debug(
-        `Migration status: ${fullyMigratedUsers}/${totalUsers} users migrated (${migrationPercentage}%)`,
-      );
-
       return {
         canDisableLegacyAuth,
         fullyMigratedUsers,

package/src/core/modules/better-auth/better-auth.config.ts

@@ -168,42 +168,48 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
  * Builds the plugins array based on configuration.
  * Merges built-in plugins (jwt, twoFactor, passkey) with custom plugins from config.
  *
- * Plugins are enabled by default when their configuration block is present.
- * Set `enabled: false` to explicitly disable a configured plugin.
+ * Plugins accept both boolean and object configuration:
+ * - `true` or `{}`: Enable with defaults
+ * - `{ option: value }`: Enable with custom settings
+ * - `false` or `{ enabled: false }`: Disable
+ * - `undefined`: Disabled (default)
  */
 function buildPlugins(config: IBetterAuth): BetterAuthPlugin[] {
   const plugins: BetterAuthPlugin[] = [];
 
   // JWT Plugin for API client compatibility
-  // Enabled by default when jwt config is present, unless explicitly disabled
-  if (config.jwt && config.jwt.enabled !== false) {
+  // JWT is enabled by default unless explicitly disabled (jwt: false or jwt: { enabled: false })
+  const jwtExplicitlyDisabled =
+    config.jwt === false || (typeof config.jwt === 'object' && config.jwt?.enabled === false);
+  if (!jwtExplicitlyDisabled) {
+    const jwtConfig = typeof config.jwt === 'object' ? config.jwt : {};
     plugins.push(
       jwt({
         jwt: {
-          expirationTime: config.jwt.expiresIn || '15m',
+          expirationTime: jwtConfig.expiresIn || '15m',
         },
       }),
     );
   }
 
   // Two-Factor Authentication Plugin
-  // Enabled by default when twoFactor config is present, unless explicitly disabled
-  if (config.twoFactor && config.twoFactor.enabled !== false) {
+  const twoFactorConfig = getPluginConfig(config.twoFactor);
+  if (twoFactorConfig) {
     plugins.push(
       twoFactor({
-        issuer: config.twoFactor.appName || 'Nest Server',
+        issuer: twoFactorConfig.appName || 'Nest Server',
       }),
     );
   }
 
   // Passkey/WebAuthn Plugin
-  // Enabled by default when passkey config is present, unless explicitly disabled
-  if (config.passkey && config.passkey.enabled !== false) {
+  const passkeyConfig = getPluginConfig(config.passkey);
+  if (passkeyConfig) {
     plugins.push(
       passkey({
-        origin: config.passkey.origin || 'http://localhost:3000',
-        rpID: config.passkey.rpId || 'localhost',
-        rpName: config.passkey.rpName || 'Nest Server',
+        origin: passkeyConfig.origin || 'http://localhost:3000',
+        rpID: passkeyConfig.rpId || 'localhost',
+        rpName: passkeyConfig.rpName || 'Nest Server',
       }),
     );
   }
@@ -322,6 +328,29 @@ function getAutoGeneratedSecret(): string {
   return cachedAutoGeneratedSecret;
 }
 
+/**
+ * Gets plugin configuration as object, handling boolean shorthand.
+ * Returns undefined if disabled, or the config object if enabled.
+ */
+function getPluginConfig<T extends { enabled?: boolean }>(config: boolean | T | undefined): T | undefined {
+  if (!isPluginEnabled(config)) return undefined;
+  if (typeof config === 'boolean') return {} as T;
+  return config;
+}
+
+/**
+ * Checks if a plugin configuration is enabled.
+ * Supports both boolean and object configuration:
+ * - `true` or `{}` or `{ enabled: true }` → enabled
+ * - `false` or `{ enabled: false }` → disabled
+ * - `undefined` → disabled
+ */
+function isPluginEnabled<T extends { enabled?: boolean }>(config: boolean | T | undefined): boolean {
+  if (config === undefined) return false;
+  if (typeof config === 'boolean') return config;
+  return config.enabled !== false;
+}
+
 /**
  * Checks if a secret has valid minimum length (32 characters)
  */
@@ -416,8 +445,9 @@ function validateConfig(config: IBetterAuth, fallbackSecrets?: (string | undefin
   }
 
   // Validate passkey origin
-  if (config.passkey?.enabled && config.passkey.origin && !isValidUrl(config.passkey.origin)) {
-    errors.push(`Invalid passkey origin format: ${config.passkey.origin}`);
+  const passkeyConfig = typeof config.passkey === 'object' ? config.passkey : null;
+  if (passkeyConfig?.enabled && passkeyConfig.origin && !isValidUrl(passkeyConfig.origin)) {
+    errors.push(`Invalid passkey origin format: ${passkeyConfig.origin}`);
   }
 
   // Validate social providers dynamically

package/src/core/modules/better-auth/better-auth.middleware.ts

@@ -49,7 +49,7 @@ export class BetterAuthMiddleware implements NestMiddleware {
     }
 
     try {
-      // Get session from Better-Auth
+      // Strategy 1: Try session-based authentication (cookies)
       const session = await this.getSession(req);
 
       if (session?.user) {
@@ -63,7 +63,69 @@ export class BetterAuthMiddleware implements NestMiddleware {
         if (mappedUser) {
           // Attach the mapped user to the request
           // This makes it compatible with @CurrentUser() and RolesGuard
-          req.user = mappedUser;
+          // Set _authenticatedViaBetterAuth flag so AuthGuard skips Passport JWT verification
+          req.user = { ...mappedUser, _authenticatedViaBetterAuth: true };
+          return next();
+        }
+      }
+
+      // Strategy 2: Try Authorization header (Bearer token)
+      // The token could be a BetterAuth JWT, a Legacy JWT, or a session token
+      if (req.headers.authorization) {
+        const authHeader = req.headers.authorization;
+        const token = authHeader.startsWith('Bearer ') ? authHeader.substring(7) : authHeader;
+        const tokenParts = token.split('.').length;
+
+        // Check if token looks like a JWT (has 3 parts)
+        if (tokenParts === 3) {
+          // Decode JWT payload to check if it's a Legacy JWT or BetterAuth JWT
+          // Legacy JWTs have 'id' claim, BetterAuth JWTs have 'sub' claim
+          const isLegacyJwt = this.isLegacyJwt(token);
+          if (isLegacyJwt) {
+            // Legacy JWT - skip BetterAuth processing, let Passport handle it
+            return next();
+          }
+
+          // Try BetterAuth JWT verification
+          if (this.betterAuthService.isJwtEnabled()) {
+            const jwtPayload = await this.betterAuthService.verifyJwtFromRequest(req);
+
+            if (jwtPayload?.sub) {
+              // JWT payload contains user info - create a session-like user object
+              const sessionUser: BetterAuthSessionUser = {
+                email: jwtPayload.email || '',
+                emailVerified: jwtPayload.emailVerified,
+                id: jwtPayload.sub,
+                name: jwtPayload.name,
+              };
+
+              req.betterAuthUser = sessionUser;
+
+              // Map the JWT user to our User model with hasRole()
+              const mappedUser = await this.userMapper.mapSessionUser(sessionUser);
+
+              if (mappedUser) {
+                req.user = { ...mappedUser, _authenticatedViaBetterAuth: true };
+                return next();
+              }
+            }
+          }
+        }
+
+        // If user is still not set, try session token verification as fallback
+        // This handles both non-JWT tokens and JWTs that couldn't be verified
+        if (!req.user) {
+          const sessionResult = await this.betterAuthService.getSessionByToken(token);
+          if (sessionResult?.user) {
+            req.betterAuthSession = { session: sessionResult.session, user: sessionResult.user };
+            req.betterAuthUser = sessionResult.user;
+
+            const mappedUser = await this.userMapper.mapSessionUser(sessionResult.user);
+            if (mappedUser) {
+              req.user = { ...mappedUser, _authenticatedViaBetterAuth: true };
+              return next();
+            }
+          }
         }
       }
     } catch (error) {
@@ -75,6 +137,27 @@ export class BetterAuthMiddleware implements NestMiddleware {
     next();
   }
 
+  /**
+   * Checks if a JWT token is a Legacy Auth JWT (has 'id' claim but no 'sub' claim)
+   * Legacy JWTs use 'id' for user ID, BetterAuth JWTs use 'sub'
+   */
+  private isLegacyJwt(token: string): boolean {
+    try {
+      const parts = token.split('.');
+      if (parts.length !== 3) return false;
+
+      // Decode the payload (second part)
+      const payloadStr = Buffer.from(parts[1], 'base64url').toString('utf-8');
+      const payload = JSON.parse(payloadStr);
+
+      // Legacy JWT has 'id' claim (and typically 'deviceId', 'tokenId')
+      // BetterAuth JWT has 'sub' claim
+      return payload.id !== undefined && payload.sub === undefined;
+    } catch {
+      return false;
+    }
+  }
+
   /**
    * Gets the session from Better-Auth
    */

package/src/core/modules/better-auth/better-auth.module.ts

@@ -20,7 +20,7 @@ import { BetterAuthUserMapper } from './better-auth-user.mapper';
 import { BetterAuthInstance, createBetterAuthInstance } from './better-auth.config';
 import { BetterAuthMiddleware } from './better-auth.middleware';
 import { BetterAuthResolver } from './better-auth.resolver';
-import { BetterAuthService } from './better-auth.service';
+import { BETTER_AUTH_CONFIG, BetterAuthService } from './better-auth.service';
 import { CoreBetterAuthController } from './core-better-auth.controller';
 import { CoreBetterAuthResolver } from './core-better-auth.resolver';
 
@@ -34,9 +34,13 @@ export const BETTER_AUTH_INSTANCE = 'BETTER_AUTH_INSTANCE';
  */
 export interface BetterAuthModuleOptions {
   /**
-   * Better-auth configuration
+   * Better-auth configuration.
+   * Accepts:
+   * - `true`: Enable with all defaults (including JWT)
+   * - `false`: Disable BetterAuth
+   * - `{ ... }`: Enable with custom configuration
    */
-  config: IBetterAuth;
+  config: boolean | IBetterAuth;
 
   /**
    * Custom controller class to use instead of the default CoreBetterAuthController.
@@ -100,6 +104,20 @@ export interface BetterAuthModuleOptions {
   resolver?: Type<CoreBetterAuthResolver>;
 }
 
+/**
+ * Normalizes betterAuth config from boolean | IBetterAuth to IBetterAuth | null
+ * - `true` → `{}` (enabled with defaults)
+ * - `false` → `null` (disabled)
+ * - `undefined` → `null` (disabled for backward compatibility)
+ * - `{ ... }` → `{ ... }` (pass through)
+ */
+function normalizeBetterAuthConfig(config: boolean | IBetterAuth | undefined): IBetterAuth | null {
+  if (config === undefined || config === null) return null;
+  if (config === true) return {};
+  if (config === false) return null;
+  return config;
+}
+
 /**
  * BetterAuthModule provides integration with the better-auth authentication framework.
  *
@@ -178,12 +196,12 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
       // Apply rate limiting to Better-Auth endpoints only
       if (BetterAuthModule.currentConfig?.rateLimit?.enabled) {
         consumer.apply(BetterAuthRateLimitMiddleware).forRoutes(`${basePath}/*path`);
-        BetterAuthModule.logger.log(`Rate limiting enabled for ${basePath}/*path endpoints`);
+        BetterAuthModule.logger.debug(`Rate limiting middleware registered for ${basePath}/*path endpoints`);
       }
 
       // Apply session middleware to all routes
       consumer.apply(BetterAuthMiddleware).forRoutes('(.*)'); // New path-to-regexp syntax for wildcard
-      BetterAuthModule.logger.log('BetterAuthMiddleware registered for all routes');
+      BetterAuthModule.logger.debug('BetterAuthMiddleware registered for all routes');
     }
   }
 
@@ -224,7 +242,10 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
    * @returns Dynamic module configuration
    */
   static forRoot(options: BetterAuthModuleOptions): DynamicModule {
-    const { config, controller, fallbackSecrets, resolver } = options;
+    const { config: rawConfig, controller, fallbackSecrets, resolver } = options;
+
+    // Normalize config: true → {}, false/undefined → null
+    const config = normalizeBetterAuthConfig(rawConfig);
 
     // Store config for middleware configuration
     this.currentConfig = config;
@@ -233,12 +254,11 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
     // Store custom resolver if provided
     this.customResolver = resolver || null;
 
-    // If better-auth is explicitly disabled, return minimal module
+    // If better-auth is disabled (config is null or enabled: false), return minimal module
     // Note: We don't provide middleware classes when disabled because they depend on BetterAuthService
     // and won't be used anyway (middleware is only applied when enabled)
-    // BetterAuth is enabled by default unless explicitly set to false
-    if (config?.enabled === false) {
-      this.logger.debug('BetterAuth is explicitly disabled - skipping initialization');
+    if (config === null || config?.enabled === false) {
+      this.logger.debug('BetterAuth is disabled - skipping initialization');
       this.betterAuthEnabled = false;
       return {
         exports: [BETTER_AUTH_INSTANCE, BetterAuthService, BetterAuthUserMapper, BetterAuthRateLimiter],
@@ -285,15 +305,16 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
           inject: [ConfigService],
           provide: BETTER_AUTH_INSTANCE,
           useFactory: async (configService: ConfigService) => {
-            const config = configService.get<IBetterAuth>('betterAuth');
-
-            // Store config for middleware configuration
-            this.currentConfig = config || null;
-
-            // BetterAuth is enabled by default unless explicitly set to false
-            if (config?.enabled === false) {
-              this.logger.debug('BetterAuth is explicitly disabled');
+            // Get raw config (can be boolean or object)
+            const rawConfig = configService.get<boolean | IBetterAuth>('betterAuth');
+            // Normalize: true → {}, false/undefined → null
+            const config = normalizeBetterAuthConfig(rawConfig);
+
+            // BetterAuth is disabled if config is null or enabled: false
+            if (config === null || config?.enabled === false) {
+              this.logger.debug('BetterAuth is disabled');
               this.betterAuthEnabled = false;
+              this.currentConfig = config;
               return null;
             }
 
@@ -315,6 +336,10 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
             // with fallback to jwt.secret, jwt.refresh.secret, or auto-generation
             this.authInstance = createBetterAuthInstance({ config, db, fallbackSecrets });
 
+            // IMPORTANT: Store the config AFTER createBetterAuthInstance mutates it
+            // This ensures BetterAuthService has access to the resolved secret (with fallback applied)
+            this.currentConfig = config;
+
             if (this.authInstance) {
               this.logger.log('BetterAuth initialized successfully');
               this.logEnabledFeatures(config);
@@ -323,13 +348,22 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
             return this.authInstance;
           },
         },
+        // Provide the resolved config for BetterAuthService
+        {
+          provide: BETTER_AUTH_CONFIG,
+          useFactory: () => this.currentConfig,
+        },
         // BetterAuthService needs to be a factory that explicitly depends on BETTER_AUTH_INSTANCE
         // to ensure proper initialization order
         {
-          inject: [BETTER_AUTH_INSTANCE, ConfigService],
+          inject: [BETTER_AUTH_INSTANCE, BETTER_AUTH_CONFIG, getConnectionToken()],
           provide: BetterAuthService,
-          useFactory: (authInstance: BetterAuthInstance | null, configService: ConfigService) => {
-            return new BetterAuthService(authInstance, configService);
+          useFactory: (
+            authInstance: BetterAuthInstance | null,
+            resolvedConfig: IBetterAuth | null,
+            connection: Connection,
+          ) => {
+            return new BetterAuthService(authInstance, connection, resolvedConfig);
           },
         },
         BetterAuthUserMapper,
@@ -399,6 +433,10 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
               this.authInstance = createBetterAuthInstance({ config, db, fallbackSecrets });
             }
 
+            // IMPORTANT: Store the config AFTER createBetterAuthInstance mutates it
+            // This ensures BetterAuthService has access to the resolved secret (with fallback applied)
+            this.currentConfig = config;
+
             if (this.authInstance && !this.initLogged) {
               this.initLogged = true;
               this.logger.log('BetterAuth initialized');
@@ -408,13 +446,22 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
             return this.authInstance;
           },
         },
+        // Provide the resolved config for BetterAuthService
+        {
+          provide: BETTER_AUTH_CONFIG,
+          useFactory: () => this.currentConfig,
+        },
         // BetterAuthService needs to be a factory that explicitly depends on BETTER_AUTH_INSTANCE
         // to ensure proper initialization order
         {
-          inject: [BETTER_AUTH_INSTANCE, ConfigService],
+          inject: [BETTER_AUTH_INSTANCE, BETTER_AUTH_CONFIG, getConnectionToken()],
           provide: BetterAuthService,
-          useFactory: (authInstance: BetterAuthInstance | null, configService: ConfigService) => {
-            return new BetterAuthService(authInstance, configService);
+          useFactory: (
+            authInstance: BetterAuthInstance | null,
+            resolvedConfig: IBetterAuth | null,
+            connection: Connection,
+          ) => {
+            return new BetterAuthService(authInstance, connection, resolvedConfig);
           },
         },
         BetterAuthUserMapper,
@@ -434,14 +481,23 @@ export class BetterAuthModule implements NestModule, OnModuleInit {
   private static logEnabledFeatures(config: IBetterAuth): void {
     const features: string[] = [];
 
+    // Helper to check if a plugin is enabled
+    // Supports: true, { enabled: true }, { ... } (enabled by default when config block present)
+    // Disabled only when: false or { enabled: false }
+    const isPluginEnabled = <T extends { enabled?: boolean }>(value: boolean | T | undefined): boolean => {
+      if (value === undefined || value === false) return false;
+      if (value === true) return true;
+      return value.enabled !== false;
+    };
+
     // Plugins are enabled by default when config block is present
-    if (config.jwt && config.jwt.enabled !== false) {
+    if (isPluginEnabled(config.jwt)) {
       features.push('JWT');
     }
-    if (config.twoFactor && config.twoFactor.enabled !== false) {
+    if (isPluginEnabled(config.twoFactor)) {
       features.push('2FA/TOTP');
     }
-    if (config.passkey && config.passkey.enabled !== false) {
+    if (isPluginEnabled(config.passkey)) {
       features.push('Passkey/WebAuthn');
     }