pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Compare commits

base: pokemon:renovate/fastapi-0.x
Branches Tags
pokemon:develop pokemon:renovate/tanstack-react-query-5.x pokemon:renovate/vitest-4.x pokemon:renovate/supabase-supabase-js-2.x-lockfile pokemon:renovate/vite-8.x pokemon:renovate/cryptography-46.x pokemon:renovate/react-router-dom-7.x pokemon:renovate/fastapi-0.x pokemon:renovate/typescript-6.x pokemon:renovate/lock-file-maintenance pokemon:main pokemon:renovate/cryptography-45.x
..
compare: pokemon:5a9848fd5f5ad142b567b7fb9fd1eb6b9f88f84a
Branches Tags
pokemon:renovate/tanstack-react-query-5.x pokemon:renovate/vitest-4.x pokemon:renovate/supabase-supabase-js-2.x-lockfile pokemon:renovate/vite-8.x pokemon:renovate/cryptography-46.x pokemon:renovate/react-router-dom-7.x pokemon:renovate/fastapi-0.x pokemon:renovate/typescript-6.x pokemon:renovate/lock-file-maintenance pokemon:main pokemon:develop pokemon:renovate/cryptography-45.x

22 Commits
renovate/f ... 5a9848fd5f

Author SHA1 Message Date
TheFurya
5a9848fd5f Merge pull request 'develop' (#87) from develop into main 
Reviewed-on: #87
 2026-03-22 11:54:20 +01:00
TheFurya
712badb69d Merge pull request 'Release: MFA, JWKS auth, run ownership, and dependency updates' (#79) from develop into main 
Reviewed-on: #79
 2026-03-22 11:42:58 +01:00
TheFurya
c40dd38c99 Merge pull request 'update beans and postgres mount path' (#73) from develop into main 
Reviewed-on: #73
 2026-03-21 12:52:48 +01:00
TheFurya
98121d9954 Merge pull request 'Release: fix TypeScript build errors blocking deploy' (#72) from develop into main 
Reviewed-on: #72
 2026-03-21 12:27:49 +01:00
TheFurya
f340f8fd0d Merge pull request 'Release: auth system, admin RBAC, and production Supabase setup' (#70) from develop into main 
Reviewed-on: #70
 2026-03-21 12:21:07 +01:00
TheFurya
d2fa9e46df Merge pull request 'develop' (#56) from develop into main 
Reviewed-on: #56
 2026-03-20 20:02:22 +01:00
TheFurya
f770e4a785 Merge pull request 'develop' (#45) from develop into main 
Reviewed-on: #45
 2026-03-20 15:16:00 +01:00
TheFurya
013a45ab56 Merge pull request 'Allow multiple games per region in Custom genlocke' (#34) from develop into main 
Reviewed-on: #34
 2026-03-17 13:35:27 +01:00
TheFurya
321b940398 Merge pull request 'Fix FK violations when pruning stale routes' (#32) from develop into main 
Reviewed-on: #32
 2026-02-21 17:56:57 +01:00
TheFurya
e21a8acc60 Merge pull request 'Housekeeping: archive beans, add seed pruning' (#31) from develop into main 
Reviewed-on: #31
 2026-02-21 17:46:57 +01:00
TheFurya
f15e530130 Merge pull request 'Release: test infrastructure, rules overhaul, and design refresh' (#30) from develop into main 
Reviewed-on: #30
 2026-02-21 16:58:14 +01:00
TheFurya
e533a3404e Merge pull request 'develop' (#25) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#25
 2026-02-16 21:19:57 +01:00
TheFurya
a944da2204 Merge pull request 'develop' (#24) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#24
 2026-02-14 11:05:17 +01:00
TheFurya
012cfb96cd Merge pull request 'develop' (#21) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#21
 2026-02-14 10:01:41 +01:00
TheFurya
e3e015852c Merge pull request 'develop' (#19) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#19
 2026-02-13 09:32:47 +01:00
TheFurya
59b4f7f28c Merge pull request 'Complete Game Data Cleanup epic' (#16) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#16
 2026-02-11 15:34:25 +01:00
TheFurya
e212251da8 Merge pull request 'Fix route ordering' (#15) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#15
 2026-02-11 15:24:11 +01:00
TheFurya
f49c8cee85 Merge pull request 'Remove old Go fetch-pokeapi tool, update README for import-pokedb (#13)' (#14) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#14
 2026-02-11 13:57:09 +01:00
TheFurya
b34f1083a3 Merge pull request 'Update README.md' (#12) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#12
 2026-02-11 13:49:04 +01:00
TheFurya
b85668c233 Merge pull request 'Update bean' (#11) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#11
 2026-02-11 13:43:16 +01:00
TheFurya
45cbff7672 Merge pull request 'Fix webp sprites not loading in production nginx' (#10) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#10
 2026-02-11 13:25:14 +01:00
TheFurya
51b47dbfb0 Merge pull request 'develop' (#9) from develop into main 
Reviewed-on: TheFurya/nuzlocke-tracker#9
 2026-02-11 13:05:12 +01:00
5 changed files with 14 additions and 76 deletions
Expand all files Collapse all files

4
.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md
View File

@@ -5,11 +5,9 @@ status: completed
type: bug type: bug
priority: normal priority: normal
created_at: 2026-03-22T10:51:30Z created_at: 2026-03-22T10:51:30Z
updated_at: 2026-03-22T10:59:46Z updated_at: 2026-03-22T10:52:46Z
--- ---
Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly. Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures. ## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
Deployed to production via PR #86 merge on 2026-03-22.

2
backend/pyproject.toml
View File

@@ -5,7 +5,7 @@ description = "Backend API for Another Nuzlocke Tracker"
readme = "README.md" readme = "README.md"
requires-python = ">=3.14" requires-python = ">=3.14"
dependencies = [ dependencies = [
"fastapi==0.135.3", "fastapi==0.135.1",
"uvicorn[standard]==0.42.0", "uvicorn[standard]==0.42.0",
"pydantic==2.12.5", "pydantic==2.12.5",
"pydantic-settings==2.13.1", "pydantic-settings==2.13.1",

48
backend/src/app/api/health.py
View File

@@ -1,10 +1,6 @@
import urllib.request from fastapi import APIRouter
from fastapi import APIRouter, Request
from sqlalchemy import text from sqlalchemy import text
from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
from app.core.config import settings
from app.core.database import async_session from app.core.database import async_session
router = APIRouter(tags=["health"]) router = APIRouter(tags=["health"])
@@ -27,45 +23,3 @@ async def health_check():
async def root(): async def root():
"""Root endpoint.""" """Root endpoint."""
return {"message": "Nuzlocke Tracker API", "docs": "/docs"} return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
@router.get("/auth-debug")
async def auth_debug(request: Request):
"""Temporary diagnostic endpoint for auth debugging."""
result: dict = {}
# Config
result["supabase_url"] = settings.supabase_url
result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
result["jwks_url"] = (
_build_jwks_url(settings.supabase_url) if settings.supabase_url else None
)
# JWKS fetch
jwks_url = result["jwks_url"]
if jwks_url:
try:
with urllib.request.urlopen(jwks_url, timeout=5) as resp:
result["jwks_status"] = resp.status
result["jwks_body"] = resp.read().decode()
except Exception as e:
result["jwks_fetch_error"] = str(e)
# JWKS client
client = _get_jwks_client()
result["jwks_client_exists"] = client is not None
# Token info (header only, no secrets)
token = _extract_token(request)
if token:
import jwt
try:
header = jwt.get_unverified_header(token)
result["token_header"] = header
except Exception as e:
result["token_header_error"] = str(e)
else:
result["token"] = "not provided"
return result

28
backend/src/app/core/auth.py
View File

@@ -1,4 +1,3 @@
import logging
from dataclasses import dataclass from dataclasses import dataclass
from uuid import UUID from uuid import UUID
@@ -13,7 +12,6 @@ from app.core.database import get_session
from app.models.nuzlocke_run import NuzlockeRun from app.models.nuzlocke_run import NuzlockeRun
from app.models.user import User from app.models.user import User
logger = logging.getLogger(__name__)
_jwks_client: PyJWKClient | None = None _jwks_client: PyJWKClient | None = None
@@ -26,21 +24,11 @@ class AuthUser:
role: str | None = None role: str | None = None
def _build_jwks_url(base_url: str) -> str:
"""Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
base = base_url.rstrip("/")
if "/auth/v1" in base:
return f"{base}/.well-known/jwks.json"
# Supabase Cloud URLs need the /auth/v1 prefix;
# local GoTrue serves JWKS at root but uses HS256 fallback anyway.
return f"{base}/auth/v1/.well-known/jwks.json"
def _get_jwks_client() -> PyJWKClient | None: def _get_jwks_client() -> PyJWKClient | None:
"""Get or create a cached JWKS client.""" """Get or create a cached JWKS client."""
global _jwks_client global _jwks_client
if _jwks_client is None and settings.supabase_url: if _jwks_client is None and settings.supabase_url:
jwks_url = _build_jwks_url(settings.supabase_url) jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
_jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300) _jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
return _jwks_client return _jwks_client
@@ -83,14 +71,12 @@ def _verify_jwt(token: str) -> dict | None:
algorithms=["RS256", "ES256"], algorithms=["RS256", "ES256"],
audience="authenticated", audience="authenticated",
) )
except jwt.InvalidTokenError as e: except jwt.InvalidTokenError:
logger.warning("JWKS JWT validation failed: %s", e) pass
except PyJWKClientError as e: except PyJWKClientError:
logger.warning("JWKS client error: %s", e) pass
except PyJWKSetError as e: except PyJWKSetError:
logger.warning("JWKS set error: %s", e) pass
else:
logger.warning("No JWKS client available (SUPABASE_URL not set?)")
return _verify_jwt_hs256(token) return _verify_jwt_hs256(token)

8
backend/uv.lock generated
View File

@@ -65,7 +65,7 @@ requires-dist = [
{ name = "alembic", specifier = "==1.18.4" }, { name = "alembic", specifier = "==1.18.4" },
{ name = "asyncpg", specifier = "==0.31.0" }, { name = "asyncpg", specifier = "==0.31.0" },
{ name = "cryptography", specifier = "==45.0.3" }, { name = "cryptography", specifier = "==45.0.3" },
{ name = "fastapi", specifier = "==0.135.3" }, { name = "fastapi", specifier = "==0.135.1" },
{ name = "httpx", marker = "extra == 'dev'", specifier = "==0.28.1" }, { name = "httpx", marker = "extra == 'dev'", specifier = "==0.28.1" },
{ name = "pydantic", specifier = "==2.12.5" }, { name = "pydantic", specifier = "==2.12.5" },
{ name = "pydantic-settings", specifier = "==2.13.1" }, { name = "pydantic-settings", specifier = "==2.13.1" },
@@ -216,7 +216,7 @@ wheels = [
[[package]] [[package]]
name = "fastapi" name = "fastapi"
version = "0.135.3" version = "0.135.1"
source = { registry = "https://pypi.org/simple" } source = { registry = "https://pypi.org/simple" }
dependencies = [ dependencies = [
{ name = "annotated-doc" }, { name = "annotated-doc" },
@@ -225,9 +225,9 @@ dependencies = [
{ name = "typing-extensions" }, { name = "typing-extensions" },
{ name = "typing-inspection" }, { name = "typing-inspection" },
] ]
sdist = { url = "https://files.pythonhosted.org/packages/f7/e6/7adb4c5fa231e82c35b8f5741a9f2d055f520c29af5546fd70d3e8e1cd2e/fastapi-0.135.3.tar.gz", hash = "sha256:bd6d7caf1a2bdd8d676843cdcd2287729572a1ef524fc4d65c17ae002a1be654", size = 396524, upload-time = "2026-04-01T16:23:58.188Z" } sdist = { url = "https://files.pythonhosted.org/packages/e7/7b/f8e0211e9380f7195ba3f3d40c292594fd81ba8ec4629e3854c353aaca45/fastapi-0.135.1.tar.gz", hash = "sha256:d04115b508d936d254cea545b7312ecaa58a7b3a0f84952535b4c9afae7668cd", size = 394962, upload-time = "2026-03-01T18:18:29.369Z" }
wheels = [ wheels = [
{ url = "https://files.pythonhosted.org/packages/84/a4/5caa2de7f917a04ada20018eccf60d6cc6145b0199d55ca3711b0fc08312/fastapi-0.135.3-py3-none-any.whl", hash = "sha256:9b0f590c813acd13d0ab43dd8494138eb58e484bfac405db1f3187cfc5810d98", size = 117734, upload-time = "2026-04-01T16:23:59.328Z" }, { url = "https://files.pythonhosted.org/packages/e4/72/42e900510195b23a56bde950d26a51f8b723846bfcaa0286e90287f0422b/fastapi-0.135.1-py3-none-any.whl", hash = "sha256:46e2fc5745924b7c840f71ddd277382af29ce1cdb7d5eab5bf697e3fb9999c9e", size = 116999, upload-time = "2026-03-01T18:18:30.831Z" },
] ]
[[package]] [[package]]