pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Compare commits

base: pokemon:5a9848fd5f5ad142b567b7fb9fd1eb6b9f88f84a
Branches Tags
pokemon:develop pokemon:renovate/tanstack-react-query-5.x pokemon:renovate/vitest-4.x pokemon:renovate/supabase-supabase-js-2.x-lockfile pokemon:renovate/vite-8.x pokemon:renovate/cryptography-46.x pokemon:renovate/react-router-dom-7.x pokemon:renovate/fastapi-0.x pokemon:renovate/typescript-6.x pokemon:renovate/lock-file-maintenance pokemon:main pokemon:renovate/cryptography-45.x
...
compare: pokemon:renovate/tanstack-react-query-5.x
Branches Tags
pokemon:renovate/tanstack-react-query-5.x pokemon:renovate/vitest-4.x pokemon:renovate/supabase-supabase-js-2.x-lockfile pokemon:renovate/vite-8.x pokemon:renovate/cryptography-46.x pokemon:renovate/react-router-dom-7.x pokemon:renovate/fastapi-0.x pokemon:renovate/typescript-6.x pokemon:renovate/lock-file-maintenance pokemon:main pokemon:develop pokemon:renovate/cryptography-45.x

4 Commits
5a9848fd5f ... renovate/t

Author SHA1 Message Date
Renovate Bot
b900fcff11 chore(deps): update dependency @tanstack/react-query to v5.97.0
All checks were successful
CI / backend-tests (pull_request) Successful in 29s
Details
CI / frontend-tests (pull_request) Successful in 27s
Details
2026-04-09 09:02:46 +00:00
Julian Tabel
d8fec0e5d7 fix:add debugging endpoint for auth issues
All checks were successful
CI / backend-tests (push) Successful in 30s
Details
CI / frontend-tests (push) Successful in 28s
Details
2026-03-22 12:15:25 +01:00
Julian Tabel
c9b09b8250 fix: fix supabase auth url
All checks were successful
CI / backend-tests (push) Successful in 30s
Details
CI / frontend-tests (push) Successful in 30s
Details
2026-03-22 12:10:03 +01:00
Julian Tabel
fde1867863 fix: add logging to debug auth issues
All checks were successful
CI / backend-tests (push) Successful in 29s
Details
CI / frontend-tests (push) Successful in 28s
Details
2026-03-22 12:01:28 +01:00
5 changed files with 80 additions and 18 deletions
Expand all files Collapse all files

4
.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
View File

@@ -5,9 +5,11 @@ status: completed
type: bug
priority: normal
created_at: 2026-03-22T10:51:30Z
updated_at: 2026-03-22T10:52:46Z
updated_at: 2026-03-22T10:59:46Z
---
Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
Deployed to production via PR #86 merge on 2026-03-22.

48
backend/src/app/api/health.py
View File

@@ -1,6 +1,10 @@
from fastapi import APIRouter
import urllib.request
from fastapi import APIRouter, Request
from sqlalchemy import text
from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
from app.core.config import settings
from app.core.database import async_session
router = APIRouter(tags=["health"])
@@ -23,3 +27,45 @@ async def health_check():
async def root():
"""Root endpoint."""
return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
@router.get("/auth-debug")
async def auth_debug(request: Request):
"""Temporary diagnostic endpoint for auth debugging."""
result: dict = {}
# Config
result["supabase_url"] = settings.supabase_url
result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
result["jwks_url"] = (
_build_jwks_url(settings.supabase_url) if settings.supabase_url else None
)
# JWKS fetch
jwks_url = result["jwks_url"]
if jwks_url:
try:
with urllib.request.urlopen(jwks_url, timeout=5) as resp:
result["jwks_status"] = resp.status
result["jwks_body"] = resp.read().decode()
except Exception as e:
result["jwks_fetch_error"] = str(e)
# JWKS client
client = _get_jwks_client()
result["jwks_client_exists"] = client is not None
# Token info (header only, no secrets)
token = _extract_token(request)
if token:
import jwt
try:
header = jwt.get_unverified_header(token)
result["token_header"] = header
except Exception as e:
result["token_header_error"] = str(e)
else:
result["token"] = "not provided"
return result

28
backend/src/app/core/auth.py
View File

@@ -1,3 +1,4 @@
import logging
from dataclasses import dataclass
from uuid import UUID
@@ -12,6 +13,7 @@ from app.core.database import get_session
from app.models.nuzlocke_run import NuzlockeRun
from app.models.user import User
logger = logging.getLogger(__name__)
_jwks_client: PyJWKClient | None = None
@@ -24,11 +26,21 @@ class AuthUser:
role: str | None = None
def _build_jwks_url(base_url: str) -> str:
"""Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
base = base_url.rstrip("/")
if "/auth/v1" in base:
return f"{base}/.well-known/jwks.json"
# Supabase Cloud URLs need the /auth/v1 prefix;
# local GoTrue serves JWKS at root but uses HS256 fallback anyway.
return f"{base}/auth/v1/.well-known/jwks.json"
def _get_jwks_client() -> PyJWKClient | None:
"""Get or create a cached JWKS client."""
global _jwks_client
if _jwks_client is None and settings.supabase_url:
jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
jwks_url = _build_jwks_url(settings.supabase_url)
_jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
return _jwks_client
@@ -71,12 +83,14 @@ def _verify_jwt(token: str) -> dict | None:
algorithms=["RS256", "ES256"],
audience="authenticated",
)
except jwt.InvalidTokenError:
pass
except PyJWKClientError:
pass
except PyJWKSetError:
pass
except jwt.InvalidTokenError as e:
logger.warning("JWKS JWT validation failed: %s", e)
except PyJWKClientError as e:
logger.warning("JWKS client error: %s", e)
except PyJWKSetError as e:
logger.warning("JWKS set error: %s", e)
else:
logger.warning("No JWKS client available (SUPABASE_URL not set?)")
return _verify_jwt_hs256(token)

16
frontend/package-lock.json generated
View File

@@ -13,7 +13,7 @@
"@dnd-kit/utilities": "3.2.2",
"@supabase/supabase-js": "^2.99.3",
"@tailwindcss/typography": "^0.5.19",
"@tanstack/react-query": "5.94.5",
"@tanstack/react-query": "5.97.0",
"react": "19.2.4",
"react-dom": "19.2.4",
"react-markdown": "^10.1.0",
@@ -1817,9 +1817,9 @@
}
},
"node_modules/@tanstack/query-core": {
"version": "5.94.5",
"resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.94.5.tgz",
"integrity": "sha512-Vx1JJiBURW/wdNGP45afjrqn0LfxYwL7K/bSrQvNRtyLGF1bxQPgUXCpzscG29e+UeFOh9hz1KOVala0N+bZiA==",
"version": "5.97.0",
"resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.97.0.tgz",
"integrity": "sha512-QdpLP5VzVMgo4VtaPppRA2W04UFjIqX+bxke/ZJhE5cfd5UPkRzqIAJQt9uXkQJjqE8LBOMbKv7f8HCsZltXlg==",
"license": "MIT",
"funding": {
"type": "github",
@@ -1827,12 +1827,12 @@
}
},
"node_modules/@tanstack/react-query": {
"version": "5.94.5",
"resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.94.5.tgz",
"integrity": "sha512-1wmrxKFkor+q8l+ygdHmv0Sq5g84Q3p4xvuJ7AdSIAhQQ7udOt+ZSZ19g1Jea3mHqtlTslLGJsmC4vHFgP0P3A==",
"version": "5.97.0",
"resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.97.0.tgz",
"integrity": "sha512-y4So4eGcQoK2WVMAcDNZE9ofB/p5v1OlKvtc1F3uqHwrtifobT7q+ZnXk2mRkc8E84HKYSlAE9z6HXl2V0+ySQ==",
"license": "MIT",
"dependencies": {
"@tanstack/query-core": "5.94.5"
"@tanstack/query-core": "5.97.0"
},
"funding": {
"type": "github",

2
frontend/package.json
View File

@@ -21,7 +21,7 @@
"@dnd-kit/utilities": "3.2.2",
"@supabase/supabase-js": "^2.99.3",
"@tailwindcss/typography": "^0.5.19",
"@tanstack/react-query": "5.94.5",
"@tanstack/react-query": "5.97.0",
"react": "19.2.4",
"react-dom": "19.2.4",
"react-markdown": "^10.1.0",