Compare commits
4 Commits
5a9848fd5f
...
renovate/f
| Author | SHA1 | Date | |
|---|---|---|---|
|
2b03518291 | ||
| d8fec0e5d7 | |||
| c9b09b8250 | |||
| fde1867863 |
@@ -5,9 +5,11 @@ status: completed
|
||||
type: bug
|
||||
priority: normal
|
||||
created_at: 2026-03-22T10:51:30Z
|
||||
updated_at: 2026-03-22T10:52:46Z
|
||||
updated_at: 2026-03-22T10:59:46Z
|
||||
---
|
||||
|
||||
Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
|
||||
|
||||
## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
|
||||
|
||||
Deployed to production via PR #86 merge on 2026-03-22.
|
||||
|
||||
@@ -5,7 +5,7 @@ description = "Backend API for Another Nuzlocke Tracker"
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.14"
|
||||
dependencies = [
|
||||
"fastapi==0.135.1",
|
||||
"fastapi==0.135.3",
|
||||
"uvicorn[standard]==0.42.0",
|
||||
"pydantic==2.12.5",
|
||||
"pydantic-settings==2.13.1",
|
||||
|
||||
@@ -1,6 +1,10 @@
|
||||
from fastapi import APIRouter
|
||||
import urllib.request
|
||||
|
||||
from fastapi import APIRouter, Request
|
||||
from sqlalchemy import text
|
||||
|
||||
from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
|
||||
from app.core.config import settings
|
||||
from app.core.database import async_session
|
||||
|
||||
router = APIRouter(tags=["health"])
|
||||
@@ -23,3 +27,45 @@ async def health_check():
|
||||
async def root():
|
||||
"""Root endpoint."""
|
||||
return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
|
||||
|
||||
|
||||
@router.get("/auth-debug")
|
||||
async def auth_debug(request: Request):
|
||||
"""Temporary diagnostic endpoint for auth debugging."""
|
||||
result: dict = {}
|
||||
|
||||
# Config
|
||||
result["supabase_url"] = settings.supabase_url
|
||||
result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
|
||||
result["jwks_url"] = (
|
||||
_build_jwks_url(settings.supabase_url) if settings.supabase_url else None
|
||||
)
|
||||
|
||||
# JWKS fetch
|
||||
jwks_url = result["jwks_url"]
|
||||
if jwks_url:
|
||||
try:
|
||||
with urllib.request.urlopen(jwks_url, timeout=5) as resp:
|
||||
result["jwks_status"] = resp.status
|
||||
result["jwks_body"] = resp.read().decode()
|
||||
except Exception as e:
|
||||
result["jwks_fetch_error"] = str(e)
|
||||
|
||||
# JWKS client
|
||||
client = _get_jwks_client()
|
||||
result["jwks_client_exists"] = client is not None
|
||||
|
||||
# Token info (header only, no secrets)
|
||||
token = _extract_token(request)
|
||||
if token:
|
||||
import jwt
|
||||
|
||||
try:
|
||||
header = jwt.get_unverified_header(token)
|
||||
result["token_header"] = header
|
||||
except Exception as e:
|
||||
result["token_header_error"] = str(e)
|
||||
else:
|
||||
result["token"] = "not provided"
|
||||
|
||||
return result
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import logging
|
||||
from dataclasses import dataclass
|
||||
from uuid import UUID
|
||||
|
||||
@@ -12,6 +13,7 @@ from app.core.database import get_session
|
||||
from app.models.nuzlocke_run import NuzlockeRun
|
||||
from app.models.user import User
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
_jwks_client: PyJWKClient | None = None
|
||||
|
||||
|
||||
@@ -24,11 +26,21 @@ class AuthUser:
|
||||
role: str | None = None
|
||||
|
||||
|
||||
def _build_jwks_url(base_url: str) -> str:
|
||||
"""Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
|
||||
base = base_url.rstrip("/")
|
||||
if "/auth/v1" in base:
|
||||
return f"{base}/.well-known/jwks.json"
|
||||
# Supabase Cloud URLs need the /auth/v1 prefix;
|
||||
# local GoTrue serves JWKS at root but uses HS256 fallback anyway.
|
||||
return f"{base}/auth/v1/.well-known/jwks.json"
|
||||
|
||||
|
||||
def _get_jwks_client() -> PyJWKClient | None:
|
||||
"""Get or create a cached JWKS client."""
|
||||
global _jwks_client
|
||||
if _jwks_client is None and settings.supabase_url:
|
||||
jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
|
||||
jwks_url = _build_jwks_url(settings.supabase_url)
|
||||
_jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
|
||||
return _jwks_client
|
||||
|
||||
@@ -71,12 +83,14 @@ def _verify_jwt(token: str) -> dict | None:
|
||||
algorithms=["RS256", "ES256"],
|
||||
audience="authenticated",
|
||||
)
|
||||
except jwt.InvalidTokenError:
|
||||
pass
|
||||
except PyJWKClientError:
|
||||
pass
|
||||
except PyJWKSetError:
|
||||
pass
|
||||
except jwt.InvalidTokenError as e:
|
||||
logger.warning("JWKS JWT validation failed: %s", e)
|
||||
except PyJWKClientError as e:
|
||||
logger.warning("JWKS client error: %s", e)
|
||||
except PyJWKSetError as e:
|
||||
logger.warning("JWKS set error: %s", e)
|
||||
else:
|
||||
logger.warning("No JWKS client available (SUPABASE_URL not set?)")
|
||||
return _verify_jwt_hs256(token)
|
||||
|
||||
|
||||
|
||||
8
backend/uv.lock
generated
8
backend/uv.lock
generated
@@ -65,7 +65,7 @@ requires-dist = [
|
||||
{ name = "alembic", specifier = "==1.18.4" },
|
||||
{ name = "asyncpg", specifier = "==0.31.0" },
|
||||
{ name = "cryptography", specifier = "==45.0.3" },
|
||||
{ name = "fastapi", specifier = "==0.135.1" },
|
||||
{ name = "fastapi", specifier = "==0.135.3" },
|
||||
{ name = "httpx", marker = "extra == 'dev'", specifier = "==0.28.1" },
|
||||
{ name = "pydantic", specifier = "==2.12.5" },
|
||||
{ name = "pydantic-settings", specifier = "==2.13.1" },
|
||||
@@ -216,7 +216,7 @@ wheels = [
|
||||
|
||||
[[package]]
|
||||
name = "fastapi"
|
||||
version = "0.135.1"
|
||||
version = "0.135.3"
|
||||
source = { registry = "https://pypi.org/simple" }
|
||||
dependencies = [
|
||||
{ name = "annotated-doc" },
|
||||
@@ -225,9 +225,9 @@ dependencies = [
|
||||
{ name = "typing-extensions" },
|
||||
{ name = "typing-inspection" },
|
||||
]
|
||||
sdist = { url = "https://files.pythonhosted.org/packages/e7/7b/f8e0211e9380f7195ba3f3d40c292594fd81ba8ec4629e3854c353aaca45/fastapi-0.135.1.tar.gz", hash = "sha256:d04115b508d936d254cea545b7312ecaa58a7b3a0f84952535b4c9afae7668cd", size = 394962, upload-time = "2026-03-01T18:18:29.369Z" }
|
||||
sdist = { url = "https://files.pythonhosted.org/packages/f7/e6/7adb4c5fa231e82c35b8f5741a9f2d055f520c29af5546fd70d3e8e1cd2e/fastapi-0.135.3.tar.gz", hash = "sha256:bd6d7caf1a2bdd8d676843cdcd2287729572a1ef524fc4d65c17ae002a1be654", size = 396524, upload-time = "2026-04-01T16:23:58.188Z" }
|
||||
wheels = [
|
||||
{ url = "https://files.pythonhosted.org/packages/e4/72/42e900510195b23a56bde950d26a51f8b723846bfcaa0286e90287f0422b/fastapi-0.135.1-py3-none-any.whl", hash = "sha256:46e2fc5745924b7c840f71ddd277382af29ce1cdb7d5eab5bf697e3fb9999c9e", size = 116999, upload-time = "2026-03-01T18:18:30.831Z" },
|
||||
{ url = "https://files.pythonhosted.org/packages/84/a4/5caa2de7f917a04ada20018eccf60d6cc6145b0199d55ca3711b0fc08312/fastapi-0.135.3-py3-none-any.whl", hash = "sha256:9b0f590c813acd13d0ab43dd8494138eb58e484bfac405db1f3187cfc5810d98", size = 117734, upload-time = "2026-04-01T16:23:59.328Z" },
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
||||
Reference in New Issue
Block a user