From ac0a04e71f555e870a7788ee666fdefaa79a9120 Mon Sep 17 00:00:00 2001
From: Julian Tabel
Date: Sun, 22 Mar 2026 09:56:58 +0100
Subject: [PATCH] fix: catch PyJWKSetError in JWT verification fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PyJWKSetError is not a subclass of PyJWKClientError — they are siblings under PyJWTError. The empty JWKS key set error was not being caught.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 backend/src/app/core/auth.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/src/app/core/auth.py b/backend/src/app/core/auth.py
index 8423779..4446a3f 100644
--- a/backend/src/app/core/auth.py
+++ b/backend/src/app/core/auth.py
@@ -3,7 +3,7 @@ from uuid import UUID
 import jwt
 from fastapi import Depends, HTTPException, Request, status
-from jwt import PyJWKClient, PyJWKClientError
+from jwt import PyJWKClient, PyJWKClientError, PyJWKSetError
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -75,6 +75,8 @@ def _verify_jwt(token: str) -> dict | None:
 pass
 except PyJWKClientError:
 pass
+ except PyJWKSetError:
+ pass
 return _verify_jwt_hs256(token)
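Review bot: The added `except PyJWKSetError: pass` in the second hunk (`_verify_jwt`) discards the error without a trace and then falls through to `_verify_jwt_hs256(token)`, so an empty or unusable JWKS response silently moves verification from the JWKS keys to the shared-secret path. I would fold it into the existing clause and record the event, e.g. `except (PyJWKClientError, PyJWKSetError) as exc:` followed by `logger.warning("JWKS unavailable, falling back to HS256: %s", exc)` (assuming the module has, or gains, a logger), so operators can see and alert on how often the fallback is taken. `_verify_jwt_hs256` and the start of `_verify_jwt` are outside the hunk; it is worth confirming that the fallback pins `algorithms=["HS256"]` and that it is still wanted once JWKS is the primary path.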