From fde1867863fcbc350bc062ff5a66b1609d430801 Mon Sep 17 00:00:00 2001
From: Julian Tabel
Date: Sun, 22 Mar 2026 12:01:28 +0100
Subject: [PATCH] fix: add logging to debug auth issues

---
 ...t-es256-ecc-p-256-jwt-keys-in-backend-auth.md | 4 +++-
 backend/src/app/core/auth.py | 16 ++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md b/.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
index dd0ea72..14eff6c 100644
--- a/.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
+++ b/.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
@@ -5,9 +5,11 @@ status: completed
 type: bug
 priority: normal
 created_at: 2026-03-22T10:51:30Z
-updated_at: 2026-03-22T10:52:46Z
+updated_at: 2026-03-22T10:59:46Z
 ---
 Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
 ## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
+
+Deployed to production via PR #86 merge on 2026-03-22.
diff --git a/backend/src/app/core/auth.py b/backend/src/app/core/auth.py
index 77fc491..84cffaf 100644
--- a/backend/src/app/core/auth.py
+++ b/backend/src/app/core/auth.py
@@ -1,3 +1,4 @@
+import logging
 from dataclasses import dataclass
 from uuid import UUID
 
@@ -12,6 +13,7 @@ from app.core.database import get_session
 from app.models.nuzlocke_run import NuzlockeRun
 from app.models.user import User
 
+logger = logging.getLogger(__name__)
 _jwks_client: PyJWKClient | None = None
@@ -71,12 +73,14 @@ def _verify_jwt(token: str) -> dict | None:
             algorithms=["RS256", "ES256"],
             audience="authenticated",
         )
-    except jwt.InvalidTokenError:
-        pass
-    except PyJWKClientError:
-        pass
-    except PyJWKSetError:
-        pass
+    except jwt.InvalidTokenError as e:
+        logger.warning("JWKS JWT validation failed: %s", e)
+    except PyJWKClientError as e:
+        logger.warning("JWKS client error: %s", e)
+    except PyJWKSetError as e:
+        logger.warning("JWKS set error: %s", e)
+    else:
+        logger.debug("No JWKS client available (SUPABASE_URL not set?)")
     return _verify_jwt_hs256(token)
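Review bot: The three new `logger.warning` calls fire once per request that carries an invalid, expired or foreign token, i.e. at a rate the client chooses, and `%s` renders the exception text verbatim — for `PyJWKClientError` that text in current PyJWT releases embeds the unverified `kid` header, so attacker-controlled bytes reach the log (a log-injection vector unless the formatter escapes newlines). I would log these at `info`/`debug` and record the exception type rather than its message, e.g. `logger.info("JWKS verification failed (%s); falling back to HS256", type(e).__name__)`, which also makes visible that the HS256 path is about to be tried after a JWKS failure of any cause, including an unreachable JWKS endpoint. The `else:` clause runs only when the try body completes without raising or returning, so whether it really means "no JWKS client" depends on the body above the hunk; if that body assigns the decoded claims instead of returning them, the debug line fires on every successful verification. `_verify_jwt` starts outside the hunk.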