pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

feat: migrate JWT verification from HS256 shared secret to JWKS

Browse Source 
Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.

- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Julian Tabel
2026-03-21 14:01:31 +01:00
parent 79ad7b9133
commit e9eccc5b21
11 changed files with 226 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md
View File

@@ -1,21 +1,11 @@
---
# nuzlocke-tracker-t9aj
title: Migrate JWT verification from HS256 shared secret to asymmetric keys (JWKS)
<<<<<<< Updated upstream
status: todo
type: task
priority: low
created_at: 2026-03-21T11:14:29Z
updated_at: 2026-03-21T13:01:46Z
---
The backend currently verifies Supabase JWTs using an HS256 shared secret (`SUPABASE_JWT_SECRET`). Supabase recommends migrating to asymmetric keys (RS256) for better security.\n\nInstead of storing a shared secret, the backend would fetch public keys from Supabase's JWKS endpoint (`https://<project>.supabase.co/.well-known/jwks.json`) and verify tokens against those.\n\n## Changes needed\n\n- [ ] Update `backend/src/app/core/auth.py` to fetch and cache JWKS public keys\n- [ ] Change `jwt.decode` from `HS256` to `RS256` with the fetched public key\n- [ ] Remove `SUPABASE_JWT_SECRET` from config, docker-compose, deploy workflow, and .env files\n- [ ] Update tests\n\n## References\n\n- https://supabase.com/docs/guides/auth/signing-keys\n- https://supabase.com/docs/guides/auth/jwts
=======
status: completed
type: task
priority: low
created_at: 2026-03-21T11:14:29Z
updated_at: 2026-03-22T08:14:34Z
updated_at: 2026-03-21T13:01:33Z
---
The backend currently verifies Supabase JWTs using an HS256 shared secret (`SUPABASE_JWT_SECRET`). Supabase recommends migrating to asymmetric keys (RS256) for better security.\n\nInstead of storing a shared secret, the backend would fetch public keys from Supabase's JWKS endpoint (`https://<project>.supabase.co/.well-known/jwks.json`) and verify tokens against those.\n\n## Changes needed\n\n- [x] Update `backend/src/app/core/auth.py` to fetch and cache JWKS public keys\n- [x] Change `jwt.decode` from `HS256` to `RS256` with the fetched public key\n- [x] Remove `SUPABASE_JWT_SECRET` from config, docker-compose, deploy workflow, and .env files\n- [x] Update tests\n\n## References\n\n- https://supabase.com/docs/guides/auth/signing-keys\n- https://supabase.com/docs/guides/auth/jwts
@@ -23,13 +13,14 @@ The backend currently verifies Supabase JWTs using an HS256 shared secret (`SUPA
## Summary of Changes
Migrated JWT verification from HS256 shared secret to RS256 asymmetric key verification using JWKS:
- Added `cryptography==45.0.3` dependency for RS256 support
- Updated `auth.py` to use `PyJWKClient` for fetching and caching JWKS public keys from `{SUPABASE_URL}/.well-known/jwks.json`
- Changed JWT verification from HS256 to RS256
- Removed `supabase_jwt_secret` from config.py
- Updated docker-compose.yml: removed `SUPABASE_JWT_SECRET`, backend now uses JWKS from GoTrue URL
- Updated docker-compose.prod.yml: replaced `SUPABASE_JWT_SECRET` with `SUPABASE_URL`
- Updated deploy.yml: deploy workflow now writes `SUPABASE_URL` instead of `SUPABASE_JWT_SECRET`
- Updated .env.example files: removed `SUPABASE_JWT_SECRET` references
- Rewrote tests to use RS256 tokens with mocked JWKS client
- **auth.py**: Added `PyJWKClient` that fetches and caches public keys from Supabase's JWKS endpoint (`SUPABASE_URL/.well-known/jwks.json`). Keys are cached for 1 hour.
- **config.py**: Removed `supabase_jwt_secret` setting
- **pyproject.toml**: Changed `PyJWT` to `PyJWT[crypto]` for RS256 support
- **docker-compose.yml**: Configured local GoTrue for RS256 with mounted dev key
- **docker-compose.prod.yml**: Replaced `SUPABASE_JWT_SECRET` with `SUPABASE_URL`
- **deploy.yml**: Updated to pass `SUPABASE_URL` instead of `SUPABASE_JWT_SECRET`
- **tests**: Updated to use mocked JWKS client with RSA key pairs
>>>>>>> Stashed changes
**Note:** For production, add `SUPABASE_URL` to your GitHub secrets (should point to your Supabase project URL like `https://your-project.supabase.co`).