From f17687d2fa20b36009eeef45c7f56d25a11658c6 Mon Sep 17 00:00:00 2001 From: Julian Tabel Date: Sat, 21 Mar 2026 22:50:19 +0100 Subject: [PATCH] fix: resolve merge conflict in bean t9aj Co-Authored-By: Claude Opus 4.6 (1M context) --- ...r-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md b/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md index d98bae8..621b7ad 100644 --- a/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md +++ b/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md @@ -5,7 +5,7 @@ status: todo type: task priority: low created_at: 2026-03-21T11:14:29Z -updated_at: 2026-03-21T11:14:29Z +updated_at: 2026-03-21T13:01:46Z --- The backend currently verifies Supabase JWTs using an HS256 shared secret (`SUPABASE_JWT_SECRET`). Supabase recommends migrating to asymmetric keys (RS256) for better security.\n\nInstead of storing a shared secret, the backend would fetch public keys from Supabase's JWKS endpoint (`https://.supabase.co/.well-known/jwks.json`) and verify tokens against those.\n\n## Changes needed\n\n- [ ] Update `backend/src/app/core/auth.py` to fetch and cache JWKS public keys\n- [ ] Change `jwt.decode` from `HS256` to `RS256` with the fetched public key\n- [ ] Remove `SUPABASE_JWT_SECRET` from config, docker-compose, deploy workflow, and .env files\n- [ ] Update tests\n\n## References\n\n- https://supabase.com/docs/guides/auth/signing-keys\n- https://supabase.com/docs/guides/auth/jwts
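Review bot: keeping only the later `updated_at` (2026-03-21T13:01:46Z) is the right way to settle a frontmatter timestamp conflict, but the task body this hunk carries forward should be tightened in three places before the bean is worked. First, the JWKS URL `https://.supabase.co/.well-known/jwks.json` has lost its project-ref segment between `https://` and `.supabase.co`; restore a placeholder there so the broken URL is not copied into `backend/src/app/core/auth.py`. Second, the item "Change `jwt.decode` from `HS256` to `RS256` with the fetched public key" should say explicitly that the decode call pins `algorithms=["RS256"]` and rejects any other `alg`, otherwise a token whose header claims `HS256` could be checked with the fetched public key used as an HMAC secret (the well-known algorithm-confusion bug), and that `aud` and `iss` are verified alongside the signature. Third, "fetch and cache JWKS public keys" needs a rotation rule: select the key by the token's `kid`, and refetch the JWKS once when the `kid` is not in the cache, so a Supabase signing-key rotation does not reject every login until the cache expires.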