@lenne.tech/nest-server 11.7.1 → 11.7.3

package/src/core/modules/better-auth/README.md

@@ -10,8 +10,11 @@ Integration of the [better-auth](https://better-auth.com) authentication framewo
 CoreModule.forRoot(envConfig),  // IAM-only (new projects)
 BetterAuthModule.forRoot({ config: envConfig.betterAuth, fallbackSecrets: [envConfig.jwt?.secret] }),
 
-// 3. Configure in config.env.ts:
-betterAuth: { jwt: {}, twoFactor: {}, passkey: {} }
+// 3. Configure in config.env.ts (minimal - JWT enabled by default):
+betterAuth: true  // or betterAuth: {} for same effect
+
+// With optional features:
+betterAuth: { twoFactor: {}, passkey: {} }
 ```
 
 **Quick Links:** [Integration Checklist](./INTEGRATION-CHECKLIST.md) | [REST API](#rest-api-endpoints) | [GraphQL API](#graphql-api) | [Configuration](#configuration)
@@ -36,11 +39,11 @@ betterAuth: { jwt: {}, twoFactor: {}, passkey: {} }
 
 ## Features
 
-### Built-in Plugins (Explicit Configuration)
+### Built-in Plugins
 
-- **JWT Tokens** - For API clients and stateless authentication
-- **Two-Factor Authentication (2FA)** - TOTP-based second factor
-- **Passkey/WebAuthn** - Passwordless authentication
+- **JWT Tokens** - For API clients and stateless authentication (**enabled by default**)
+- **Two-Factor Authentication (2FA)** - TOTP-based second factor (opt-in)
+- **Passkey/WebAuthn** - Passwordless authentication (opt-in)
 
 ### Core Features
 
@@ -93,7 +96,9 @@ https://github.com/lenneTech/nest-server/tree/develop/src/server/modules/better-
 **Copy from:** Reference implementation
 
 **WHY must ALL decorators be re-declared?**
-GraphQL schema is built from decorators at compile time. The parent class (`CoreBetterAuthResolver`) is marked as `isAbstract: true`, so its methods are not registered in the schema. You MUST re-declare `@Query`, `@Mutation`, `@Roles`, `@UseGuards` decorators in the child class for the methods to appear in the GraphQL schema.
+GraphQL schema is built from decorators at compile time. The parent class (`CoreBetterAuthResolver`) is marked as `isAbstract: true`, so its methods are not registered in the schema. You MUST re-declare `@Query`, `@Mutation`, `@Roles` decorators in the child class for the methods to appear in the GraphQL schema.
+
+**Note:** `@UseGuards(AuthGuard(JWT))` is NOT needed when using `@Roles(S_USER)` or `@Roles(ADMIN)` because `RolesGuard` already extends `AuthGuard(JWT)` internally.
 
 ### Step 3: Create BetterAuth Controller
 **Create:** `src/server/modules/better-auth/better-auth.controller.ts`
@@ -149,22 +154,28 @@ Add `betterAuth` configuration block. See reference for all available options in
 
 ## Quick Reference
 
+**Configuration formats:**
+```typescript
+betterAuth: true               // Enable with all defaults (JWT enabled)
+betterAuth: false              // Disable completely
+betterAuth: {}                 // Same as true
+betterAuth: { ... }            // Enable with custom settings
+betterAuth: { enabled: false } // Disable (allows pre-configuration)
+```
+
 **Default values (used when not configured):**
 
+- **JWT**: Enabled by default
 - **Secret**: Falls back to `jwt.secret` → `jwt.refresh.secret` → auto-generated
 - **Base URL**: `http://localhost:3000`
 - **Base Path**: `/iam`
-- **Passkey Origin**: `http://localhost:3000`
-- **Passkey rpId**: `localhost`
-- **Passkey rpName**: `Nest Server`
+- **2FA/Passkey**: Disabled (opt-in)
 
 To **explicitly disable** Better-Auth:
 
 ```typescript
 const config = {
-  betterAuth: {
-    enabled: false,
-  },
+  betterAuth: false,  // or betterAuth: { enabled: false }
 };
 ```
 
@@ -330,28 +341,29 @@ const config = {
 export default {
   // ... other config
 
-  // OPTIONAL: Better-Auth configuration
-  // Omit entirely for default behavior, or customize as needed:
+  // MINIMAL: Just enable BetterAuth (JWT enabled by default)
+  betterAuth: true,
+
+  // OR with customization:
   betterAuth: {
     // enabled: true by default - only set to false to disable
     // secret: auto-generated if not set (see Security section above)
     // baseUrl: 'http://localhost:3000', // Default
     // basePath: '/iam', // Default
 
-    // JWT Plugin (enabled by default when config block is present)
-    // Set enabled: false to explicitly disable
+    // JWT Plugin - ENABLED BY DEFAULT (no config needed)
+    // Only add this block to customize or explicitly disable
     jwt: {
-      expiresIn: '15m',
+      expiresIn: '30m',  // Default: '15m'
+      // enabled: false,  // Uncomment to disable JWT
     },
 
-    // Two-Factor Authentication (enabled by default when config block is present)
-    // Set enabled: false to explicitly disable
+    // Two-Factor Authentication (opt-in - requires config block)
     twoFactor: {
       appName: 'My Application',
     },
 
-    // Passkey/WebAuthn (enabled by default when config block is present)
-    // Set enabled: false to explicitly disable
+    // Passkey/WebAuthn (opt-in - requires config block)
     passkey: {
       rpId: 'localhost',
       rpName: 'My Application',
@@ -515,23 +527,25 @@ Better-Auth provides a rich plugin ecosystem. This module uses a **hybrid approa
 - **Built-in plugins** (JWT, 2FA, Passkey): Explicitly configured with typed options
 - **Additional plugins**: Dynamically added via the `plugins` array
 
-### Built-in Plugins (Explicit Configuration)
+### Built-in Plugins
 
-These plugins are enabled by default when their config block is present. **All properties have sensible defaults**, so an empty block `{}` is sufficient!
+| Plugin             | Default State | Minimal Config to Enable | Default Values                                                                    |
+| ------------------ | ------------- | ------------------------ | --------------------------------------------------------------------------------- |
+| **JWT**            | **ENABLED**   | *(none needed)*          | `expiresIn: '15m'`                                                                |
+| **Two-Factor**     | Disabled      | `twoFactor: {}`          | `appName: 'Nest Server'`                                                          |
+| **Passkey**        | Disabled      | `passkey: {}`            | `origin: 'http://localhost:3000'`, `rpId: 'localhost'`, `rpName: 'Nest Server'`   |
 
-| Plugin             | Minimal Config       | Default Values                                                                    |
-| ------------------ | -------------------- | --------------------------------------------------------------------------------- |
-| **JWT**            | `jwt: {}`            | `expiresIn: '15m'`                                                                |
-| **Two-Factor**     | `twoFactor: {}`      | `appName: 'Nest Server'`                                                          |
-| **Passkey**        | `passkey: {}`        | `origin: 'http://localhost:3000'`, `rpId: 'localhost'`, `rpName: 'Nest Server'`   |
+**JWT is enabled by default** - no configuration needed. 2FA and Passkey require explicit configuration.
 
 #### Minimal Syntax (Recommended for Development)
 
 ```typescript
 const config = {
+  // JWT is enabled automatically with BetterAuth
+  betterAuth: true,  // or betterAuth: {}
+
+  // To also enable 2FA and Passkey:
   betterAuth: {
-    // Just add empty blocks - all defaults are applied!
-    jwt: {},
     twoFactor: {},
     passkey: {},
   },
@@ -554,17 +568,20 @@ const config = {
 };
 ```
 
-#### Disabling a Plugin
+#### Disabling Plugins
 
 ```typescript
 const config = {
   betterAuth: {
-    jwt: { enabled: false }, // Explicitly disable JWT
-    twoFactor: {}, // 2FA still enabled with defaults
+    jwt: false,               // Disable JWT (or jwt: { enabled: false })
+    twoFactor: {},            // 2FA enabled with defaults
+    passkey: { enabled: false }, // Passkey explicitly disabled
   },
 };
 ```
 
+**Note:** JWT is the only plugin enabled by default. To disable it, use `jwt: false` or `jwt: { enabled: false }`.
+
 ### Dynamic Plugins (plugins Array)
 
 For all other Better-Auth plugins, use the `plugins` array. This provides maximum flexibility without requiring updates to this package.
@@ -733,9 +750,9 @@ To explicitly disable Better-Auth:
 
 ```typescript
 const config = {
-  betterAuth: {
-    enabled: false,
-  },
+  betterAuth: false,  // Simple boolean
+  // or
+  betterAuth: { enabled: false },  // Allows pre-configuration
 };
 ```
 
@@ -749,10 +766,30 @@ When enabled, Better-Auth exposes the following endpoints at the configured `bas
 | `/iam/sign-in/email`        | POST   | Sign in with email/password  |
 | `/iam/sign-out`             | GET    | Sign out (invalidate session)|
 | `/iam/session`              | GET    | Get current session          |
+| `/iam/token`                | GET    | Get fresh JWT token          |
 | `/iam/forgot-password`      | POST   | Request password reset       |
 | `/iam/reset-password`       | POST   | Reset password with token    |
 | `/iam/verify-email`         | POST   | Verify email address         |
 
+### JWT Token Endpoint
+
+The `/iam/token` endpoint returns a fresh JWT token for the current session. Use this when your JWT has expired but your session is still valid.
+
+**Request:**
+```bash
+curl -X GET https://api.example.com/iam/token \
+  -H "Cookie: better-auth.session_token=..."
+```
+
+**Response:**
+```json
+{
+  "token": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLiJ9..."
+}
+```
+
+**Use case:** Microservice authentication - pass the JWT to other services that verify tokens via JWKS (`/iam/jwks`) without database access.
+
 ### Social Login Endpoints
 
 | Endpoint                   | Method | Description           |
@@ -781,12 +818,14 @@ In addition to REST endpoints, Better-Auth provides GraphQL queries and mutation
 
 ### Queries
 
-| Query                    | Arguments | Return Type                  | Description                     |
-| ------------------------ | --------- | ---------------------------- | ------------------------------- |
-| `betterAuthEnabled`      | -         | `Boolean`                    | Check if Better-Auth is enabled |
-| `betterAuthFeatures`     | -         | `BetterAuthFeaturesModel`    | Get enabled features status     |
-| `betterAuthSession`      | -         | `BetterAuthSessionModel`     | Get current session (auth req.) |
-| `betterAuthListPasskeys` | -         | `[BetterAuthPasskeyModel]`   | List user's passkeys (auth req.)|
+| Query                    | Arguments | Return Type                  | Description                       |
+| ------------------------ | --------- | ---------------------------- | --------------------------------- |
+| `betterAuthEnabled`      | -         | `Boolean`                    | Check if Better-Auth is enabled   |
+| `betterAuthFeatures`     | -         | `BetterAuthFeaturesModel`    | Get enabled features status       |
+| `betterAuthSession`      | -         | `BetterAuthSessionModel`     | Get current session (auth req.)   |
+| `betterAuthToken`        | -         | `String`                     | Get fresh JWT token (auth req.)   |
+| `betterAuthListPasskeys` | -         | `[BetterAuthPasskeyModel]`   | List user's passkeys (auth req.)  |
+| `betterAuthMigrationStatus` | -      | `BetterAuthMigrationStatusModel` | Migration status (admin only) |
 
 ### Mutations
 

package/src/core/modules/better-auth/better-auth-rate-limiter.service.ts

@@ -100,7 +100,7 @@ export class BetterAuthRateLimiter {
     };
 
     if (this.config.enabled) {
-      this.logger.log(`Rate limiting enabled: ${this.config.max} requests per ${this.config.windowSeconds}s`);
+      this.logger.debug(`Rate limiting enabled: ${this.config.max} requests per ${this.config.windowSeconds}s`);
     }
   }
 

package/src/core/modules/better-auth/better-auth-user.mapper.ts

@@ -243,7 +243,6 @@ export class BetterAuthUserMapper {
     }
 
     if (!plainPassword) {
-      this.logger.debug('No plain password provided - cannot create bcrypt hash for legacy');
       return false;
     }
 
@@ -266,13 +265,7 @@ export class BetterAuthUserMapper {
         { $set: { password: bcryptHash, updatedAt: new Date() } },
       );
 
-      if (result.modifiedCount > 0) {
-        this.logger.debug(`Created bcrypt hash for legacy auth for user ${userEmail}`);
-        return true;
-      }
-
-      this.logger.debug(`No user found to sync password for ${userEmail}`);
-      return false;
+      return result.modifiedCount > 0;
     } catch (error) {
       this.logger.error(
         `Error syncing password to legacy: ${error instanceof Error ? error.message : 'Unknown error'}`,
@@ -304,7 +297,6 @@ export class BetterAuthUserMapper {
     }
 
     if (!plainPassword) {
-      this.logger.debug('No plain password provided - cannot sync to IAM');
       return false;
     }
 
@@ -315,7 +307,6 @@ export class BetterAuthUserMapper {
       // Find the user
       const user = await usersCollection.findOne({ email: userEmail });
       if (!user) {
-        this.logger.debug(`No user found with email ${userEmail} - cannot sync password to IAM`);
         return false;
       }
 
@@ -326,7 +317,6 @@ export class BetterAuthUserMapper {
       });
 
       if (!existingAccount) {
-        this.logger.debug(`No IAM credential account found for ${userEmail} - sync not needed`);
         return false;
       }
 
@@ -334,7 +324,7 @@ export class BetterAuthUserMapper {
       const scryptHash = await this.hashPasswordForBetterAuth(plainPassword);
 
       // Update the account password
-      const result = await accountCollection.updateOne(
+      await accountCollection.updateOne(
         { _id: existingAccount._id },
         {
           $set: {
@@ -344,12 +334,6 @@ export class BetterAuthUserMapper {
         },
       );
 
-      if (result.modifiedCount > 0) {
-        this.logger.debug(`Synced password change to IAM for user ${userEmail}`);
-        return true;
-      }
-
-      this.logger.debug(`Password already up to date in IAM for ${userEmail}`);
       return true;
     } catch (error) {
       this.logger.error(`Error syncing password to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`);
@@ -371,7 +355,6 @@ export class BetterAuthUserMapper {
    */
   async migrateAccountToIam(userEmail: string, plainPassword?: string): Promise<boolean> {
     if (!this.connection) {
-      this.logger.warn('No database connection available - cannot migrate account to IAM');
       return false;
     }
 
@@ -383,7 +366,6 @@ export class BetterAuthUserMapper {
       const legacyUser = await usersCollection.findOne({ email: userEmail });
 
       if (!legacyUser?.password) {
-        this.logger.debug(`No legacy user with password found for ${userEmail}`);
         return false;
       }
 
@@ -396,17 +378,12 @@ export class BetterAuthUserMapper {
         const directMatch = await bcrypt.compare(plainPassword, legacyUser.password);
         const sha256Match = await bcrypt.compare(sha256(plainPassword), legacyUser.password);
         if (!directMatch && !sha256Match) {
-          // Security: Wrong password provided for migration - reject strongly
-          this.logger.warn(
-            `SECURITY: Password verification failed for ${userEmail} - migration rejected. This may indicate an attempted unauthorized migration.`,
-          );
-          // Return false instead of throwing to avoid exposing user existence
-          // The calling code (CoreAuthService) will handle this as authentication failure
+          // Security: Wrong password provided for migration - reject
+          this.logger.warn(`Migration password verification failed for ${userEmail}`);
           return false;
         }
       } else {
         // No password provided - cannot verify, cannot migrate
-        this.logger.debug(`No password provided for ${userEmail} - migration skipped`);
         return false;
       }
 
@@ -433,8 +410,6 @@ export class BetterAuthUserMapper {
             },
           },
         );
-
-        this.logger.debug(`Added Better-Auth id ${stringId} to legacy user ${userEmail}`);
       }
 
       // Check if credential account already exists
@@ -445,23 +420,11 @@ export class BetterAuthUserMapper {
       });
 
       if (existingAccount) {
-        this.logger.debug(`Credential account already exists for ${userEmail}`);
         return true;
       }
 
-      // Create the credential account
-      // If we have the plain password, create a Better-Auth compatible scrypt hash
-      // Otherwise, migration is not possible (legacy bcrypt hash is not compatible)
-      let passwordHash: string;
-      if (plainPassword) {
-        // Better-Auth uses scrypt with format: salt:hash (both hex encoded)
-        passwordHash = await this.hashPasswordForBetterAuth(plainPassword);
-        this.logger.debug(`Created Better-Auth compatible scrypt hash for ${userEmail}`);
-      } else {
-        // Without plain password, we cannot migrate - Better-Auth uses scrypt, Legacy uses bcrypt
-        this.logger.warn(`Cannot migrate ${userEmail} without plain password - hash formats are incompatible`);
-        return false;
-      }
+      // Create the credential account with Better-Auth compatible scrypt hash
+      const passwordHash = await this.hashPasswordForBetterAuth(plainPassword);
 
       const now = new Date();
       // Store account matching Better-Auth's format:
@@ -477,7 +440,6 @@ export class BetterAuthUserMapper {
         userId: userMongoId,
       });
 
-      this.logger.debug(`Created IAM credential account for legacy user ${userEmail}`);
       return true;
     } catch (error) {
       this.logger.error(`Error migrating account to IAM: ${error instanceof Error ? error.message : 'Unknown error'}`);
@@ -685,22 +647,15 @@ export class BetterAuthUserMapper {
       const user = await usersCollection.findOne({ email: newEmail });
 
       if (!user) {
-        this.logger.debug(`No user found with new email ${newEmail}`);
         return false;
       }
 
       // Invalidate all existing sessions for this user
       // This forces re-authentication with the new email
       if (user._id) {
-        const deleteResult = await sessionCollection.deleteMany({ userId: user._id });
-        if (deleteResult.deletedCount > 0) {
-          this.logger.debug(
-            `Invalidated ${deleteResult.deletedCount} sessions after email change for user ${newEmail}`,
-          );
-        }
+        await sessionCollection.deleteMany({ userId: user._id });
       }
 
-      this.logger.debug(`Email change synced from Legacy to IAM: ${oldEmail} → ${newEmail}`);
       return true;
     } catch (error) {
       this.logger.error(
@@ -744,13 +699,7 @@ export class BetterAuthUserMapper {
         { returnDocument: 'after' },
       );
 
-      if (!result) {
-        this.logger.debug(`No user found with iamId ${userId}`);
-        return false;
-      }
-
-      this.logger.debug(`Email change synced from IAM to Legacy for user ${userId}: → ${newEmail}`);
-      return true;
+      return !!result;
     } catch (error) {
       this.logger.error(
         `Error syncing email change from IAM: ${error instanceof Error ? error.message : 'Unknown error'}`,
@@ -807,7 +756,6 @@ export class BetterAuthUserMapper {
       }
 
       if (!user) {
-        this.logger.debug(`No user found with identifier ${userIdentifier}`);
         return { accountsDeleted: 0, sessionsDeleted: 0, success: false, userDeleted: false };
       }
 
@@ -874,12 +822,6 @@ export class BetterAuthUserMapper {
       const accountsResult = await accountCollection.deleteMany({ userId: userObjectId });
       const accountsDeleted = accountsResult.deletedCount;
 
-      if (sessionsDeleted > 0 || accountsDeleted > 0) {
-        this.logger.debug(
-          `Cleaned up IAM data for user ${userId}: accounts=${accountsDeleted}, sessions=${sessionsDeleted}`,
-        );
-      }
-
       return {
         accountsDeleted,
         sessionsDeleted,
@@ -914,13 +856,7 @@ export class BetterAuthUserMapper {
         $or: [{ iamId: iamUserId }, { id: iamUserId }],
       });
 
-      if (result.deletedCount > 0) {
-        this.logger.debug(`Cleaned up Legacy user for IAM user ${iamUserId}`);
-        return true;
-      }
-
-      this.logger.debug(`No Legacy user found for IAM user ${iamUserId}`);
-      return false;
+      return result.deletedCount > 0;
     } catch (error) {
       this.logger.error(`Error cleaning up Legacy data: ${error instanceof Error ? error.message : 'Unknown error'}`);
       return false;
@@ -1043,10 +979,6 @@ export class BetterAuthUserMapper {
       // Can disable legacy auth only if ALL users are fully migrated
       const canDisableLegacyAuth = totalUsers > 0 && fullyMigratedUsers === totalUsers;
 
-      this.logger.debug(
-        `Migration status: ${fullyMigratedUsers}/${totalUsers} users migrated (${migrationPercentage}%)`,
-      );
-
       return {
         canDisableLegacyAuth,
         fullyMigratedUsers,

package/src/core/modules/better-auth/better-auth.config.ts

@@ -168,42 +168,48 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
  * Builds the plugins array based on configuration.
  * Merges built-in plugins (jwt, twoFactor, passkey) with custom plugins from config.
  *
- * Plugins are enabled by default when their configuration block is present.
- * Set `enabled: false` to explicitly disable a configured plugin.
+ * Plugins accept both boolean and object configuration:
+ * - `true` or `{}`: Enable with defaults
+ * - `{ option: value }`: Enable with custom settings
+ * - `false` or `{ enabled: false }`: Disable
+ * - `undefined`: Disabled (default)
  */
 function buildPlugins(config: IBetterAuth): BetterAuthPlugin[] {
   const plugins: BetterAuthPlugin[] = [];
 
   // JWT Plugin for API client compatibility
-  // Enabled by default when jwt config is present, unless explicitly disabled
-  if (config.jwt && config.jwt.enabled !== false) {
+  // JWT is enabled by default unless explicitly disabled (jwt: false or jwt: { enabled: false })
+  const jwtExplicitlyDisabled =
+    config.jwt === false || (typeof config.jwt === 'object' && config.jwt?.enabled === false);
+  if (!jwtExplicitlyDisabled) {
+    const jwtConfig = typeof config.jwt === 'object' ? config.jwt : {};
     plugins.push(
       jwt({
         jwt: {
-          expirationTime: config.jwt.expiresIn || '15m',
+          expirationTime: jwtConfig.expiresIn || '15m',
         },
       }),
     );
   }
 
   // Two-Factor Authentication Plugin
-  // Enabled by default when twoFactor config is present, unless explicitly disabled
-  if (config.twoFactor && config.twoFactor.enabled !== false) {
+  const twoFactorConfig = getPluginConfig(config.twoFactor);
+  if (twoFactorConfig) {
     plugins.push(
       twoFactor({
-        issuer: config.twoFactor.appName || 'Nest Server',
+        issuer: twoFactorConfig.appName || 'Nest Server',
       }),
     );
   }
 
   // Passkey/WebAuthn Plugin
-  // Enabled by default when passkey config is present, unless explicitly disabled
-  if (config.passkey && config.passkey.enabled !== false) {
+  const passkeyConfig = getPluginConfig(config.passkey);
+  if (passkeyConfig) {
     plugins.push(
       passkey({
-        origin: config.passkey.origin || 'http://localhost:3000',
-        rpID: config.passkey.rpId || 'localhost',
-        rpName: config.passkey.rpName || 'Nest Server',
+        origin: passkeyConfig.origin || 'http://localhost:3000',
+        rpID: passkeyConfig.rpId || 'localhost',
+        rpName: passkeyConfig.rpName || 'Nest Server',
       }),
     );
   }
@@ -322,6 +328,29 @@ function getAutoGeneratedSecret(): string {
   return cachedAutoGeneratedSecret;
 }
 
+/**
+ * Gets plugin configuration as object, handling boolean shorthand.
+ * Returns undefined if disabled, or the config object if enabled.
+ */
+function getPluginConfig<T extends { enabled?: boolean }>(config: boolean | T | undefined): T | undefined {
+  if (!isPluginEnabled(config)) return undefined;
+  if (typeof config === 'boolean') return {} as T;
+  return config;
+}
+
+/**
+ * Checks if a plugin configuration is enabled.
+ * Supports both boolean and object configuration:
+ * - `true` or `{}` or `{ enabled: true }` → enabled
+ * - `false` or `{ enabled: false }` → disabled
+ * - `undefined` → disabled
+ */
+function isPluginEnabled<T extends { enabled?: boolean }>(config: boolean | T | undefined): boolean {
+  if (config === undefined) return false;
+  if (typeof config === 'boolean') return config;
+  return config.enabled !== false;
+}
+
 /**
  * Checks if a secret has valid minimum length (32 characters)
  */
@@ -416,8 +445,9 @@ function validateConfig(config: IBetterAuth, fallbackSecrets?: (string | undefin
   }
 
   // Validate passkey origin
-  if (config.passkey?.enabled && config.passkey.origin && !isValidUrl(config.passkey.origin)) {
-    errors.push(`Invalid passkey origin format: ${config.passkey.origin}`);
+  const passkeyConfig = typeof config.passkey === 'object' ? config.passkey : null;
+  if (passkeyConfig?.enabled && passkeyConfig.origin && !isValidUrl(passkeyConfig.origin)) {
+    errors.push(`Invalid passkey origin format: ${passkeyConfig.origin}`);
   }
 
   // Validate social providers dynamically