fix:add debugging endpoint for auth issues

fix: fix supabase auth url
fix: add logging to debug auth issues
2026-03-22 12:15:25 +01:00 · 2026-03-22 12:10:03 +01:00 · 2026-03-22 12:01:28 +01:00
3 changed files with 71 additions and 9 deletions
--- a/.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
+++ b/.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
@@ -5,9 +5,11 @@ status: completed
 type: bug
 priority: normal
 created_at: 2026-03-22T10:51:30Z
-updated_at: 2026-03-22T10:52:46Z
+updated_at: 2026-03-22T10:59:46Z
 ---
 Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
 ## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
 Deployed to production via PR #86 merge on 2026-03-22.
--- a/backend/src/app/api/health.py
+++ b/backend/src/app/api/health.py
@@ -1,6 +1,10 @@
-from fastapi import APIRouter
+import urllib.request
 from fastapi import APIRouter, Request
 from sqlalchemy import text
 from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
 from app.core.config import settings
 from app.core.database import async_session
 router = APIRouter(tags=["health"])
@@ -23,3 +27,45 @@ async def health_check():
 async def root():
    """Root endpoint."""
    return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
@router.get("/auth-debug")
 async def auth_debug(request: Request):
    """Temporary diagnostic endpoint for auth debugging."""
    result: dict = {}
    # Config
    result["supabase_url"] = settings.supabase_url
    result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
    result["jwks_url"] = (
        _build_jwks_url(settings.supabase_url) if settings.supabase_url else None
    )
    # JWKS fetch
    jwks_url = result["jwks_url"]
    if jwks_url:
        try:
            with urllib.request.urlopen(jwks_url, timeout=5) as resp:
                result["jwks_status"] = resp.status
                result["jwks_body"] = resp.read().decode()
        except Exception as e:
            result["jwks_fetch_error"] = str(e)
    # JWKS client
    client = _get_jwks_client()
    result["jwks_client_exists"] = client is not None
    # Token info (header only, no secrets)
    token = _extract_token(request)
    if token:
        import jwt
        try:
            header = jwt.get_unverified_header(token)
            result["token_header"] = header
        except Exception as e:
            result["token_header_error"] = str(e)
    else:
        result["token"] = "not provided"
    return result
--- a/backend/src/app/core/auth.py
+++ b/backend/src/app/core/auth.py
@@ -1,3 +1,4 @@
 import logging
 from dataclasses import dataclass
 from uuid import UUID
@@ -12,6 +13,7 @@ from app.core.database import get_session
 from app.models.nuzlocke_run import NuzlockeRun
 from app.models.user import User
 logger = logging.getLogger(__name__)
 _jwks_client: PyJWKClient | None = None
@@ -24,11 +26,21 @@ class AuthUser:
    role: str | None = None
 def _build_jwks_url(base_url: str) -> str:
    """Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
    base = base_url.rstrip("/")
    if "/auth/v1" in base:
        return f"{base}/.well-known/jwks.json"
    # Supabase Cloud URLs need the /auth/v1 prefix;
    # local GoTrue serves JWKS at root but uses HS256 fallback anyway.
    return f"{base}/auth/v1/.well-known/jwks.json"
 def _get_jwks_client() -> PyJWKClient | None:
    """Get or create a cached JWKS client."""
    global _jwks_client
    if _jwks_client is None and settings.supabase_url:
-        jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
+        jwks_url = _build_jwks_url(settings.supabase_url)
        _jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
    return _jwks_client
@@ -71,12 +83,14 @@ def _verify_jwt(token: str) -> dict | None:
                algorithms=["RS256", "ES256"],
                audience="authenticated",
            )
-        except jwt.InvalidTokenError:
+        except jwt.InvalidTokenError as e:
-            pass
+            logger.warning("JWKS JWT validation failed: %s", e)
-        except PyJWKClientError:
+        except PyJWKClientError as e:
-            pass
+            logger.warning("JWKS client error: %s", e)
-        except PyJWKSetError:
+        except PyJWKSetError as e:
-            pass
+            logger.warning("JWKS set error: %s", e)
    else:
        logger.warning("No JWKS client available (SUPABASE_URL not set?)")
    return _verify_jwt_hs256(token)
Author	SHA1	Message	Date
Julian Tabel	d8fec0e5d7	fix:add debugging endpoint for auth issues All checks were successful CI / backend-tests (push) Successful in 30s Details CI / frontend-tests (push) Successful in 28s Details	2026-03-22 12:15:25 +01:00
Julian Tabel	c9b09b8250	fix: fix supabase auth url All checks were successful CI / backend-tests (push) Successful in 30s Details CI / frontend-tests (push) Successful in 30s Details	2026-03-22 12:10:03 +01:00
Julian Tabel	fde1867863	fix: add logging to debug auth issues All checks were successful CI / backend-tests (push) Successful in 29s Details CI / frontend-tests (push) Successful in 28s Details	2026-03-22 12:01:28 +01:00