Merge pull request 'fix:add debugging endpoint for auth issues' (#90) from develop into main

Reviewed-on: #90

backend/src/app/api/health.py

@@ -1,6 +1,10 @@
-from fastapi import APIRouter
+import urllib.request
+
+from fastapi import APIRouter, Request
 from sqlalchemy import text
 
+from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
+from app.core.config import settings
 from app.core.database import async_session
 
 router = APIRouter(tags=["health"])
@@ -23,3 +27,45 @@ async def health_check():
 async def root():
     """Root endpoint."""
     return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
+
+
+@router.get("/auth-debug")
+async def auth_debug(request: Request):
+    """Temporary diagnostic endpoint for auth debugging."""
+    result: dict = {}
+
+    # Config
+    result["supabase_url"] = settings.supabase_url
+    result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
+    result["jwks_url"] = (
+        _build_jwks_url(settings.supabase_url) if settings.supabase_url else None
+    )
+
+    # JWKS fetch
+    jwks_url = result["jwks_url"]
+    if jwks_url:
+        try:
+            with urllib.request.urlopen(jwks_url, timeout=5) as resp:
+                result["jwks_status"] = resp.status
+                result["jwks_body"] = resp.read().decode()
+        except Exception as e:
+            result["jwks_fetch_error"] = str(e)
+
+    # JWKS client
+    client = _get_jwks_client()
+    result["jwks_client_exists"] = client is not None
+
+    # Token info (header only, no secrets)
+    token = _extract_token(request)
+    if token:
+        import jwt
+
+        try:
+            header = jwt.get_unverified_header(token)
+            result["token_header"] = header
+        except Exception as e:
+            result["token_header_error"] = str(e)
+    else:
+        result["token"] = "not provided"
+
+    return result

backend/src/app/core/auth.py

@@ -26,11 +26,21 @@ class AuthUser:
     role: str | None = None
 
 
+def _build_jwks_url(base_url: str) -> str:
+    """Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
+    base = base_url.rstrip("/")
+    if "/auth/v1" in base:
+        return f"{base}/.well-known/jwks.json"
+    # Supabase Cloud URLs need the /auth/v1 prefix;
+    # local GoTrue serves JWKS at root but uses HS256 fallback anyway.
+    return f"{base}/auth/v1/.well-known/jwks.json"
+
+
 def _get_jwks_client() -> PyJWKClient | None:
     """Get or create a cached JWKS client."""
     global _jwks_client
     if _jwks_client is None and settings.supabase_url:
-        jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
+        jwks_url = _build_jwks_url(settings.supabase_url)
         _jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
     return _jwks_client
 
@@ -80,7 +90,7 @@ def _verify_jwt(token: str) -> dict | None:
         except PyJWKSetError as e:
             logger.warning("JWKS set error: %s", e)
     else:
-        logger.debug("No JWKS client available (SUPABASE_URL not set?)")
+        logger.warning("No JWKS client available (SUPABASE_URL not set?)")
     return _verify_jwt_hs256(token)