Local GoTrue signs JWTs with HS256, but the JWKS endpoint returns an
empty key set since there are no RSA keys. Fall back to HS256 shared
secret verification when JWKS fails, using SUPABASE_JWT_SECRET.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.
- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mount frontend/public into the api container so the export can write
badge/sprite images. Skip re-downloading URLs that are already local
paths from a previous export.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Go to .tool-versions, update .gitignore for Go build output and
cache, document seed data regeneration in README, and change API port
from 8000 to 8080 in docker-compose.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Seed the database with Pokemon game data for 5 games (FireRed, LeafGreen,
Emerald, HeartGold, SoulSilver) using pokebase. Includes Alembic migrations
for route unique constraints and encounter level ranges, a two-phase seed
system (offline fetch to JSON, then idempotent upserts), and Dockerfile
updates for the seed runner.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
