pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

feat: migrate JWT verification from HS256 shared secret to JWKS

Browse Source 
Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.

- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Julian Tabel
2026-03-21 14:01:31 +01:00
parent 79ad7b9133
commit e9eccc5b21
11 changed files with 226 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/deploy.yml vendored
View File

@@ -47,7 +47,7 @@ jobs:
# Write .env from secrets (overwrites any existing file)
printf '%s\n' \
"POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}" \
"SUPABASE_JWT_SECRET=${{ secrets.SUPABASE_JWT_SECRET }}" \
"SUPABASE_URL=${{ secrets.SUPABASE_URL }}" \
| $SSH_CMD "cat > '${DEPLOY_DIR}/.env'"
$SCP_CMD docker-compose.prod.yml "root@192.168.1.10:${DEPLOY_DIR}/docker-compose.yml"