Fix OAuth token exchange 500 error for MCP clients

The token endpoint handler consumed the request body via request.text()
to check for the `resource` parameter, but only reconstructed the
Request when `resource` was missing. When MCP clients (e.g. Claude Code)
sent `resource` in the token exchange, the body was consumed but never
rebuilt, causing Better Auth to receive an empty body and return 500.

Always reconstruct the request after reading the body. Also adds
consent page redirect URL fallback and DB migration for new OAuth
columns (require_pkce, auth_time).

Author: mortondev

apps/web/src/routes/api/auth/$.ts

@@ -43,8 +43,9 @@ export const Route = createFileRoute('/api/auth/$')({
        * Better-auth catch-all route handler
        */
       POST: async ({ request }) => {
-        // Rate-limit OAuth dynamic client registration to prevent spam/phishing
         const url = new URL(request.url)
+
+        // Rate-limit OAuth dynamic client registration to prevent spam/phishing
         if (url.pathname.endsWith('/oauth2/register')) {
           if (isRegistrationRateLimited(request)) {
             return Response.json(
@@ -54,6 +55,28 @@ export const Route = createFileRoute('/api/auth/$')({
           }
         }
 
+        // Ensure `resource` is present in token exchange requests.
+        // Without it, better-auth issues opaque tokens instead of JWTs,
+        // breaking `verifyAccessToken` in the MCP handler.
+        // Reading the body consumes the stream, so we always reconstruct
+        // the request to avoid passing a consumed body to better-auth.
+        if (url.pathname.endsWith('/oauth2/token')) {
+          const contentType = request.headers.get('content-type') ?? ''
+          if (contentType.includes('application/x-www-form-urlencoded')) {
+            const body = await request.text()
+            const params = new URLSearchParams(body)
+            if (!params.has('resource')) {
+              const { config } = await import('@/lib/server/config')
+              params.set('resource', `${config.baseUrl}/api/mcp`)
+            }
+            request = new Request(request.url, {
+              method: request.method,
+              headers: request.headers,
+              body: params.toString(),
+            })
+          }
+        }
+
         const { auth } = await import('@/lib/server/auth/index')
         return await auth.handler(request)
       },

apps/web/src/routes/oauth/consent.tsx

@@ -121,7 +121,7 @@ function ConsentPage() {
       }
 
       const data = await response.json()
-      const redirectTo = data.uri ?? data.redirectUrl
+      const redirectTo = data.url ?? data.uri ?? data.redirectUrl
       if (redirectTo) {
         window.location.href = redirectTo
       }

packages/db/drizzle/0036_glossy_revanche.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "oauth_client" ADD COLUMN "require_pkce" boolean;--> statement-breakpoint
+ALTER TABLE "oauth_refresh_token" ADD COLUMN "auth_time" timestamp with time zone;