
fix(auth): enforce OAuth policy after 2FA #34

Open

BunsDev wants to merge 1 commit into main from codex/fix-2fa-flow-bypass-issue

Conversation

Member

@BunsDev BunsDev commented Jun 5, 2026

Motivation

  • Better-Auth's twoFactor plugin defers final session issuance to /two-factor/* endpoints, which were not included in the post-callback policy cleanup, allowing OAuth/social sign-ins to bypass workspace SSO and auth-method restrictions for 2FA-enabled accounts.

Description

  • Normalize hook path handling with normalizeAuthPath so policy code matches both @opencoven-feedback/... prefixed route ids and raw auth endpoint paths.
  • Treat two-factor verification endpoints as session-creating callback paths and add TWO_FACTOR_SESSION_COMPLETION_PATHS so they are considered by post-session policy logic.
  • Carry the first-factor provider across the 2FA challenge using a short-lived signed cookie (quackback.2fa_policy_provider, 10 minutes) via rememberTwoFactorPolicyProvider and consumeTwoFactorPolicyProvider so the /two-factor/* completion can be evaluated against the same OAuth policy as the original callback.
  • Update handleCallbackPolicyCleanup to remember the provider when a callback defers final session issuance and to recover & apply the existing SSO hard-binding / auth-method revocation logic on the two-factor verification endpoints; make token revocation conditional and normalize redirect targets/paths.
  • Add regression coverage: extend apps/web/src/lib/server/auth/__tests__/hooks-callback-cleanup.test.ts with tests that assert the provider is remembered on deferred callbacks and that /two-factor/verify-totp enforces the same OAuth policy.

Testing

  • Added unit tests exercising the deferred-2FA provider remember/consume flow and enforcement in apps/web/src/lib/server/auth/__tests__/hooks-callback-cleanup.test.ts (tests committed with the change).
  • Performed repository checks: git diff --check passed locally.
  • Attempted static/run checks (bun --check and bun run test), but test/runtime validation could not be executed in this environment because bun install --frozen-lockfile failed fetching dependencies (npm registry 403s) and vitest/other test runner deps were not available, so the test suite was not run here.

Codex Task

Copilot AI review requested due to automatic review settings June 5, 2026 23:57

Copilot AI left a comment


Pull request overview

This PR closes a policy enforcement gap where Better-Auth’s 2FA flow defers final session issuance to /two-factor/* endpoints, allowing OAuth/social sign-ins to bypass workspace SSO hard-binding and auth-method restrictions for 2FA-enabled accounts. It does this by normalizing hook path handling, treating 2FA verification endpoints as session-creating, and persisting the first-factor provider across the 2FA challenge so the completion endpoint can be evaluated against the same OAuth policy.

Changes:

  • Normalize Better-Auth hook ctx.path values so policy checks work with both @opencoven-feedback/...-prefixed route ids and raw auth endpoint paths.
  • Extend the post-session cleanup logic to include /two-factor/* session completion endpoints and carry the first-factor provider through 2FA via a short-lived signed cookie.
  • Add regression tests to ensure deferred OAuth callbacks remember the provider and that /two-factor/verify-totp enforces the same OAuth policy.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: apps/web/src/lib/server/auth/hooks.ts
Description: Normalizes auth paths, adds 2FA completion handling to post-session policy enforcement, and remembers/consumes the first-factor OAuth provider via a signed cookie.

File: apps/web/src/lib/server/auth/__tests__/hooks-callback-cleanup.test.ts
Description: Adds tests covering the deferred-2FA provider remember/consume flow and enforcement on /two-factor/verify-totp.
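The mechanism that both the PR description and the review summary above describe, as an added illustration in TypeScript. This is not the project's hooks.ts and not code from the PR: only the cookie name quackback.2fa_policy_provider, its 10-minute lifetime, the @opencoven-feedback/ route-id prefix and the function names normalizeAuthPath, rememberTwoFactorPolicyProvider, consumeTwoFactorPolicyProvider and handleCallbackPolicyCleanup come from the page. The cookie encoding (HMAC-SHA256 over provider and expiry), the HookCtx and WorkspacePolicy shapes, the Outcome values, the treatment of a missing cookie, and the two completion paths other than /two-factor/verify-totp are assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Illustrative reconstruction; names marked "from the PR" are the only ones taken from the page.
const ROUTE_PREFIX = "@opencoven-feedback/";                                  // from the PR
export const TWO_FACTOR_POLICY_COOKIE = "quackback.2fa_policy_provider";      // from the PR
const COOKIE_TTL_MS = 10 * 60 * 1000;                                         // 10 minutes, from the PR
// Better-Auth twoFactor completion endpoints. Assumed list: the PR names only verify-totp.
export const TWO_FACTOR_SESSION_COMPLETION_PATHS = new Set([
  "/two-factor/verify-totp", "/two-factor/verify-otp", "/two-factor/verify-backup-code",
]);

// Map both "@opencoven-feedback/callback/github" and "/callback/github?code=1" to "/callback/github".
export function normalizeAuthPath(path: string): string {
  let p = path.startsWith(ROUTE_PREFIX) ? path.slice(ROUTE_PREFIX.length) : path;
  const q = p.indexOf("?");
  if (q >= 0) p = p.slice(0, q);
  if (!p.startsWith("/")) p = "/" + p;
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

function tagFor(payload: string, secret: string): string {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

// Cookie value "<provider>|<expiresAtMs>|<hmac>" (assumed format). The MAC stops the browser
// from rewriting the provider between the OAuth callback and the /two-factor/* request.
export function rememberTwoFactorPolicyProvider(provider: string, secret: string, now = Date.now()): string {
  if (provider.includes("|")) throw new Error("provider id must not contain '|'");
  const payload = `${provider}|${now + COOKIE_TTL_MS}`;
  return `${payload}|${tagFor(payload, secret)}`;
}

// Returns the provider only when the MAC verifies (constant-time) and the expiry is in the future.
export function consumeTwoFactorPolicyProvider(value: string | undefined, secret: string, now = Date.now()): string | null {
  if (!value) return null;
  const parts = value.split("|");
  if (parts.length !== 3) return null;
  const [provider, expStr, tag] = parts as [string, string, string];
  const expected = Buffer.from(tagFor(`${provider}|${expStr}`, secret));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expStr) || Number(expStr) <= now) return null;
  return provider;
}

export interface HookCtx {
  path: string;                     // raw ctx.path as the auth hook receives it
  provider?: string;                // first-factor OAuth provider, present on /callback/:id
  sessionIssued: boolean;           // false when the twoFactor plugin deferred session issuance
  cookies: Record<string, string>;  // request cookies; mutated here to model Set-Cookie / clear
}
export interface WorkspacePolicy { allowedProviders: string[] }
export type Outcome = "allow" | "deferred" | "revoke" | "not-applicable";

function evaluate(provider: string, policy: WorkspacePolicy): Outcome {
  return policy.allowedProviders.includes(provider) ? "allow" : "revoke";
}

// Post-session policy hook covering the OAuth callback and the 2FA completion endpoints alike.
export function handleCallbackPolicyCleanup(ctx: HookCtx, policy: WorkspacePolicy, secret: string, now = Date.now()): Outcome {
  const p = normalizeAuthPath(ctx.path);
  if (p.startsWith("/callback/") && ctx.provider) {
    if (!ctx.sessionIssued) {
      // 2FA challenge pending: there is no session to judge yet, so carry the provider forward.
      ctx.cookies[TWO_FACTOR_POLICY_COOKIE] = rememberTwoFactorPolicyProvider(ctx.provider, secret, now);
      return "deferred";
    }
    return evaluate(ctx.provider, policy);
  }
  if (TWO_FACTOR_SESSION_COMPLETION_PATHS.has(p)) {
    const provider = consumeTwoFactorPolicyProvider(ctx.cookies[TWO_FACTOR_POLICY_COOKIE], secret, now);
    delete ctx.cookies[TWO_FACTOR_POLICY_COOKIE];  // single use, whether or not it verified
    // Assumption: no valid cookie means the first factor was not a remembered OAuth sign-in.
    if (!provider) return "not-applicable";
    return evaluate(provider, policy);
  }
  return "not-applicable";
}
```

One design point worth checking against the real hooks.ts: in this sketch a missing, tampered or expired cookie on /two-factor/* falls through as not applicable, which is what a password first factor would look like. Whether that is acceptable depends on whether password sign-in is already gated by the workspace's auth-method policy elsewhere, which the PR text does not say; a stricter variant would refuse 2FA completion without a verifiable cookie for workspaces that hard-bind to SSO.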


Comment thread apps/web/src/lib/server/auth/hooks.ts Outdated
Comment thread apps/web/src/lib/server/auth/hooks.ts Outdated
@BunsDev BunsDev self-assigned this Jun 6, 2026
@BunsDev BunsDev force-pushed the codex/fix-2fa-flow-bypass-issue branch from a98a34c to 10c9efa on June 6, 2026 23:27


2 participants