feat: migrate JWT verification from HS256 shared secret to JWKS
All checks were successful
CI / backend-tests (pull_request) Successful in 28s
CI / frontend-tests (pull_request) Successful in 28s

Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.

- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-21 14:01:31 +01:00
parent a12958ae32
commit 177c02006a
11 changed files with 233 additions and 123 deletions
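The verification flow the commit message describes (fetch the key set, pick the signing key by `kid`, verify RS256), written out as an added example that is not the project's code. It drives PyJWT's real `PyJWKClient` but serves the key set from memory instead of over HTTP, the same shape as the mocked JWKS client the message mentions for tests. It assumes PyJWT and cryptography are installed; the issuer, audience and `kid` values and the generated key pair are constructed for the example, and the forged HS256 token shows why the verifier must pin `algorithms=["RS256"]` rather than trust the token header.

```python
"""Added example (not the project's code): RS256 verification against a JWKS
document with PyJWT's PyJWKClient. The JWKS is served from memory so the
example runs offline. Assumes PyJWT and cryptography are installed."""
import base64
import hashlib
import hmac
import json
import time

import jwt
from jwt import PyJWKClient
from jwt.algorithms import RSAAlgorithm
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

JWKS_URL = "http://localhost:9999/.well-known/jwks.json"  # local dev URL from the .env diff
ISSUER = "http://localhost:9999"   # assumed value; check what your GoTrue puts in iss
AUDIENCE = "authenticated"         # assumed value; Supabase user tokens carry this aud
KID = "dev-key-1"                  # assumed key id

# Constructed key pair; in a real deployment this lives inside Supabase/GoTrue.
_PRIVATE = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_PRIVATE_PEM = _PRIVATE.private_bytes(
    serialization.Encoding.PEM,
    serialization.PrivateFormat.PKCS8,
    serialization.NoEncryption(),
)
_PUBLIC_PEM = _PRIVATE.public_key().public_bytes(
    serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
)


def build_jwks() -> dict:
    """The document the backend would fetch from /.well-known/jwks.json."""
    jwk = json.loads(RSAAlgorithm.to_jwk(_PRIVATE.public_key()))
    jwk.update({"kid": KID, "alg": "RS256", "use": "sig"})
    return {"keys": [jwk]}


class InMemoryJWKClient(PyJWKClient):
    """PyJWKClient with the network fetch replaced by the constructed JWKS.
    Key lookup by kid and caching are the real library code."""

    def fetch_data(self):
        return build_jwks()


_CLIENT = InMemoryJWKClient(JWKS_URL)


def issue_token(sub="user-123", kid=KID, ttl=3600) -> str:
    """Stand-in for the identity provider: sign a user token with RS256."""
    now = int(time.time())
    payload = {"sub": sub, "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    return jwt.encode(payload, _PRIVATE_PEM, algorithm="RS256", headers={"kid": kid})


def verify(token: str) -> dict:
    """Backend side: select the key by kid, then pin the algorithm and check
    iss/aud/exp. The algorithm is never taken from the token header."""
    signing_key = _CLIENT.get_signing_key_from_jwt(token)
    return jwt.decode(
        token,
        signing_key.key,
        algorithms=["RS256"],
        audience=AUDIENCE,
        issuer=ISSUER,
        options={"require": ["exp", "iat", "sub"]},
    )


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def forge_alg_confusion_token(sub="attacker") -> str:
    """Key-confusion forgery: an HS256 token HMAC'd with the *public* key,
    which only works against a verifier that lets the header pick the alg."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT", "kid": KID}
    payload = {"sub": sub, "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 3600}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(_PUBLIC_PEM, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def classify(token: str) -> str:
    """Return 'ok:<sub>' for an accepted token, otherwise the rejection reason."""
    try:
        return "ok:" + verify(token)["sub"]
    except jwt.exceptions.PyJWKClientError:
        return "unknown-kid"
    except jwt.InvalidAlgorithmError:
        return "bad-alg"
    except jwt.ExpiredSignatureError:
        return "expired"
    except jwt.InvalidTokenError as exc:
        return "invalid:" + type(exc).__name__


if __name__ == "__main__":
    print(classify(issue_token()))                    # ok:user-123
    print(classify(forge_alg_confusion_token()))      # bad-alg
    print(classify(issue_token(kid="rotated-away")))  # unknown-kid
    print(classify(issue_token(ttl=-10)))             # expired
```

The line that matters is `algorithms=["RS256"]`: with the shared secret gone, the only way a symmetric token could still be accepted is a verifier that reads `alg` from the untrusted header, and the forged token above is rejected before any claim is looked at. A `kid` that is not in the key set is rejected too, which is the behaviour you want during key rotation: roll the new key into the JWKS first, only then start signing with it.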


@@ -2,15 +2,13 @@
DEBUG=true
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/nuzlocke
# Supabase Auth (backend)
# Supabase Auth (backend uses JWKS from this URL for JWT verification)
# For local dev with GoTrue container:
SUPABASE_URL=http://localhost:9999
SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlzcyI6InN1cGFiYXNlIiwiaWF0IjoxNzc0MDQwNjEzLCJleHAiOjIwODk0MDA2MTN9.EV6tRj7gLqoiT-l2vDFw_67myqRjwpcZTuRb3Xs1nr4
SUPABASE_JWT_SECRET=super-secret-jwt-token-with-at-least-32-characters-long
# For production, replace with your Supabase cloud values:
# SUPABASE_URL=https://your-project.supabase.co
# SUPABASE_ANON_KEY=your-anon-key
# SUPABASE_JWT_SECRET=your-jwt-secret
# Frontend settings (used by Vite)
VITE_API_URL=http://localhost:8000
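Review bot: the "For local dev with GoTrue container" comment needs to say how that container is given an RS256 signing key and serves `/.well-known/jwks.json`, because the sample `SUPABASE_ANON_KEY` kept in this file is still an HS256 token (its header segment `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` decodes to `{"alg":"HS256","typ":"JWT"}`) and the `SUPABASE_JWT_SECRET` that signed it is being removed from the backend config; a developer who starts the container as before will get user tokens the backend can no longer verify. Worth one more line in the production block as well: `SUPABASE_URL` is now the trust root for authentication, since the JWKS URL is derived from it, so the `https://your-project.supabase.co` example should be stated as a requirement (plain `http://` is acceptable only for the local container).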