Merge pull request 'Release: MFA, JWKS auth, run ownership, and dependency updates' (#79) from develop into main

Reviewed-on: #79

.beans/nuzlocke-tracker-26my--crash-show-owner-info-in-admin-pages.md

@@ -5,7 +5,7 @@ status: completed
 type: bug
 priority: high
 created_at: 2026-03-22T09:41:57Z
-updated_at: 2026-03-22T09:45:38Z
+updated_at: 2026-03-22T09:45:28Z
 parent: nuzlocke-tracker-bw1m
 blocking:
     - nuzlocke-tracker-2fp1

.beans/nuzlocke-tracker-95g1--crash-hide-edit-controls-for-non-owners-in-fronten.md

@@ -1,28 +0,0 @@
----
-# nuzlocke-tracker-95g1
-title: 'Crash: Hide edit controls for non-owners in frontend'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T09:41:57Z
-updated_at: 2026-03-22T09:46:59Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-i2va
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-i2va
-Title: Hide edit controls for non-owners in frontend
-
-## Reasons for Scrapping
-
-This crash bean is a false positive. The original task (nuzlocke-tracker-i2va) was already completed and merged to `develop` before this crash bean was created:
-- Commit `3bd24fc`: fix: hide edit controls for non-owners in frontend
-- Commit `118dbca`: chore: mark bean nuzlocke-tracker-i2va as completed
-
-No additional work required.

.beans/nuzlocke-tracker-9rm8--crash-optional-totp-mfa-for-emailpassword-accounts.md

@@ -1,11 +1,11 @@
 ---
 # nuzlocke-tracker-9rm8
 title: 'Crash: Optional TOTP MFA for email/password accounts'
-status: completed
+status: scrapped
 type: bug
 priority: high
 created_at: 2026-03-22T09:41:57Z
-updated_at: 2026-03-22T09:46:30Z
+updated_at: 2026-03-22T09:46:14Z
 parent: nuzlocke-tracker-bw1m
 blocking:
     - nuzlocke-tracker-f2hs

.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md

@@ -1,15 +0,0 @@
----
-# nuzlocke-tracker-snft
-title: Support ES256 (ECC P-256) JWT keys in backend auth
-status: completed
-type: bug
-priority: normal
-created_at: 2026-03-22T10:51:30Z
-updated_at: 2026-03-22T10:59:46Z
----
-
-Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
-
-## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
-
-Deployed to production via PR #86 merge on 2026-03-22.

.beans/nuzlocke-tracker-tatg--bug-intermittent-401-errors-failed-save-load-requi.md

@@ -5,7 +5,7 @@ status: completed
 type: bug
 priority: high
 created_at: 2026-03-21T21:50:48Z
-updated_at: 2026-03-22T09:44:54Z
+updated_at: 2026-03-22T09:01:42Z
 ---
 
 ## Problem

backend/src/app/api/health.py

@@ -1,10 +1,6 @@
-import urllib.request
-
-from fastapi import APIRouter, Request
+from fastapi import APIRouter
 from sqlalchemy import text
 
-from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
-from app.core.config import settings
 from app.core.database import async_session
 
 router = APIRouter(tags=["health"])
@@ -27,45 +23,3 @@ async def health_check():
 async def root():
     """Root endpoint."""
     return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
-
-
-@router.get("/auth-debug")
-async def auth_debug(request: Request):
-    """Temporary diagnostic endpoint for auth debugging."""
-    result: dict = {}
-
-    # Config
-    result["supabase_url"] = settings.supabase_url
-    result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
-    result["jwks_url"] = (
-        _build_jwks_url(settings.supabase_url) if settings.supabase_url else None
-    )
-
-    # JWKS fetch
-    jwks_url = result["jwks_url"]
-    if jwks_url:
-        try:
-            with urllib.request.urlopen(jwks_url, timeout=5) as resp:
-                result["jwks_status"] = resp.status
-                result["jwks_body"] = resp.read().decode()
-        except Exception as e:
-            result["jwks_fetch_error"] = str(e)
-
-    # JWKS client
-    client = _get_jwks_client()
-    result["jwks_client_exists"] = client is not None
-
-    # Token info (header only, no secrets)
-    token = _extract_token(request)
-    if token:
-        import jwt
-
-        try:
-            header = jwt.get_unverified_header(token)
-            result["token_header"] = header
-        except Exception as e:
-            result["token_header_error"] = str(e)
-    else:
-        result["token"] = "not provided"
-
-    return result

backend/src/app/core/auth.py

@@ -1,4 +1,3 @@
-import logging
 from dataclasses import dataclass
 from uuid import UUID
 
@@ -13,7 +12,6 @@ from app.core.database import get_session
 from app.models.nuzlocke_run import NuzlockeRun
 from app.models.user import User
 
-logger = logging.getLogger(__name__)
 _jwks_client: PyJWKClient | None = None
 
 
@@ -26,21 +24,11 @@ class AuthUser:
     role: str | None = None
 
 
-def _build_jwks_url(base_url: str) -> str:
-    """Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
-    base = base_url.rstrip("/")
-    if "/auth/v1" in base:
-        return f"{base}/.well-known/jwks.json"
-    # Supabase Cloud URLs need the /auth/v1 prefix;
-    # local GoTrue serves JWKS at root but uses HS256 fallback anyway.
-    return f"{base}/auth/v1/.well-known/jwks.json"
-
-
 def _get_jwks_client() -> PyJWKClient | None:
     """Get or create a cached JWKS client."""
     global _jwks_client
     if _jwks_client is None and settings.supabase_url:
-        jwks_url = _build_jwks_url(settings.supabase_url)
+        jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
         _jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
     return _jwks_client
 
@@ -72,7 +60,7 @@ def _verify_jwt_hs256(token: str) -> dict | None:
 
 
 def _verify_jwt(token: str) -> dict | None:
-    """Verify JWT using JWKS (RS256/ES256), falling back to HS256 shared secret."""
+    """Verify JWT using JWKS (RS256), falling back to HS256 shared secret."""
     client = _get_jwks_client()
     if client:
         try:
@@ -80,17 +68,15 @@ def _verify_jwt(token: str) -> dict | None:
             return jwt.decode(
                 token,
                 signing_key.key,
-                algorithms=["RS256", "ES256"],
+                algorithms=["RS256"],
                 audience="authenticated",
             )
-        except jwt.InvalidTokenError as e:
-            logger.warning("JWKS JWT validation failed: %s", e)
-        except PyJWKClientError as e:
-            logger.warning("JWKS client error: %s", e)
-        except PyJWKSetError as e:
-            logger.warning("JWKS set error: %s", e)
-    else:
-        logger.warning("No JWKS client available (SUPABASE_URL not set?)")
+        except jwt.InvalidTokenError:
+            pass
+        except PyJWKClientError:
+            pass
+        except PyJWKSetError:
+            pass
     return _verify_jwt_hs256(token)
 
 

backend/tests/test_auth.py

@@ -4,7 +4,7 @@ from uuid import UUID
 
 import jwt
 import pytest
-from cryptography.hazmat.primitives.asymmetric import ec, rsa
+from cryptography.hazmat.primitives.asymmetric import rsa
 from httpx import ASGITransport, AsyncClient
 
 from app.core.auth import AuthUser, get_current_user, require_admin, require_auth
@@ -73,55 +73,6 @@ def mock_jwks_client(rsa_key_pair):
     return mock_client
 
 
-@pytest.fixture(scope="module")
-def ec_key_pair():
-    """Generate EC P-256 key pair for testing."""
-    private_key = ec.generate_private_key(ec.SECP256R1())
-    public_key = private_key.public_key()
-    return private_key, public_key
-
-
-@pytest.fixture
-def valid_es256_token(ec_key_pair):
-    """Generate a valid ES256 JWT token."""
-    private_key, _ = ec_key_pair
-    payload = {
-        "sub": "user-456",
-        "email": "ec-user@example.com",
-        "role": "authenticated",
-        "aud": "authenticated",
-        "exp": int(time.time()) + 3600,
-    }
-    return jwt.encode(payload, private_key, algorithm="ES256")
-
-
-@pytest.fixture
-def mock_jwks_client_ec(ec_key_pair):
-    """Create a mock JWKS client that returns our test EC public key."""
-    _, public_key = ec_key_pair
-    mock_client = MagicMock()
-    mock_signing_key = MagicMock()
-    mock_signing_key.key = public_key
-    mock_client.get_signing_key_from_jwt.return_value = mock_signing_key
-    return mock_client
-
-
-async def test_get_current_user_valid_es256_token(
-    valid_es256_token, mock_jwks_client_ec
-):
-    """Test get_current_user works with ES256 (ECC P-256) tokens."""
-    with patch("app.core.auth._get_jwks_client", return_value=mock_jwks_client_ec):
-
-        class MockRequest:
-            headers = {"Authorization": f"Bearer {valid_es256_token}"}
-
-        user = get_current_user(MockRequest())
-        assert user is not None
-        assert user.id == "user-456"
-        assert user.email == "ec-user@example.com"
-        assert user.role == "authenticated"
-
-
 async def test_get_current_user_valid_token(valid_token, mock_jwks_client):
     """Test get_current_user returns user for valid token."""
     with patch("app.core.auth._get_jwks_client", return_value=mock_jwks_client):

frontend/package-lock.json

@@ -1389,9 +1389,9 @@
       "license": "MIT"
     },
     "node_modules/@supabase/auth-js": {
-      "version": "2.103.0",
-      "resolved": "https://registry.npmjs.org/@supabase/auth-js/-/auth-js-2.103.0.tgz",
-      "integrity": "sha512-6zAanO6c+6gpHOlt5Lb9TlBBkJdZiUWkWCJKAxzkywBDcwaHlLJKXnjQGX6GyVCyKRR1e7sTq4re/yRTH6U/9A==",
+      "version": "2.99.3",
+      "resolved": "https://registry.npmjs.org/@supabase/auth-js/-/auth-js-2.99.3.tgz",
+      "integrity": "sha512-vMEVLA1kGGYd/kdsJSwtjiFUZM1nGfrz2DWmgMBZtocV48qL+L2+4QpIkueXyBEumMQZFEyhz57i/5zGHjvdBw==",
       "license": "MIT",
       "dependencies": {
         "tslib": "2.8.1"
@@ -1401,9 +1401,9 @@
       }
     },
     "node_modules/@supabase/functions-js": {
-      "version": "2.103.0",
-      "resolved": "https://registry.npmjs.org/@supabase/functions-js/-/functions-js-2.103.0.tgz",
-      "integrity": "sha512-YrneV2NjskUkkmkZ2Jt2n3elBgbWzV4Y1M9MM370z2Zd5ZPFqFbY8KIoPwuNjtAGE9YrpKBxnbZqeF07BiN9Og==",
+      "version": "2.99.3",
+      "resolved": "https://registry.npmjs.org/@supabase/functions-js/-/functions-js-2.99.3.tgz",
+      "integrity": "sha512-6tk2zrcBkzKaaBXPOG5nshn30uJNFGOH9LxOnE8i850eQmsX+jVm7vql9kTPyvUzEHwU4zdjSOkXS9M+9ukMVA==",
       "license": "MIT",
       "dependencies": {
         "tslib": "2.8.1"
@@ -1412,16 +1412,10 @@
         "node": ">=20.0.0"
       }
     },
-    "node_modules/@supabase/phoenix": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/@supabase/phoenix/-/phoenix-0.4.0.tgz",
-      "integrity": "sha512-RHSx8bHS02xwfHdAbX5Lpbo6PXbgyf7lTaXTlwtFDPwOIw64NnVRwFAXGojHhjtVYI+PEPNSWwkL90f4agN3bw==",
-      "license": "MIT"
-    },
     "node_modules/@supabase/postgrest-js": {
-      "version": "2.103.0",
-      "resolved": "https://registry.npmjs.org/@supabase/postgrest-js/-/postgrest-js-2.103.0.tgz",
-      "integrity": "sha512-rC3sRxYdPZymkp2CZR1MiNQgbOleD01bGsW8VxEKRR5nMkLZ1NgAS1QTQf78Wh30czFyk505ZYr9Od8/mWT2TA==",
+      "version": "2.99.3",
+      "resolved": "https://registry.npmjs.org/@supabase/postgrest-js/-/postgrest-js-2.99.3.tgz",
+      "integrity": "sha512-8HxEf+zNycj7Z8+ONhhlu+7J7Ha+L6weyCtdEeK2mN5OWJbh6n4LPU4iuJ5UlCvvNnbSXMoutY7piITEEAgl2g==",
       "license": "MIT",
       "dependencies": {
         "tslib": "2.8.1"
@@ -1431,12 +1425,12 @@
       }
     },
     "node_modules/@supabase/realtime-js": {
-      "version": "2.103.0",
-      "resolved": "https://registry.npmjs.org/@supabase/realtime-js/-/realtime-js-2.103.0.tgz",
-      "integrity": "sha512-gcPtXzZ6izyyBVf2of7K3dEt8CScPJn8VcSlQq6oWL9QoE1kqfQl0oFrOMHd5qrcADewxI7OxxosLB8W4XqtIQ==",
+      "version": "2.99.3",
+      "resolved": "https://registry.npmjs.org/@supabase/realtime-js/-/realtime-js-2.99.3.tgz",
+      "integrity": "sha512-c1azgZ2nZPczbY5k5u5iFrk1InpxN81IvNE+UBAkjrBz3yc5ALLJNkeTQwbJZT4PZBuYXEzqYGLMuh9fdTtTMg==",
       "license": "MIT",
       "dependencies": {
-        "@supabase/phoenix": "^0.4.0",
+        "@types/phoenix": "^1.6.6",
         "@types/ws": "^8.18.1",
         "tslib": "2.8.1",
         "ws": "^8.18.2"
@@ -1446,9 +1440,9 @@
       }
     },
     "node_modules/@supabase/storage-js": {
-      "version": "2.103.0",
-      "resolved": "https://registry.npmjs.org/@supabase/storage-js/-/storage-js-2.103.0.tgz",
-      "integrity": "sha512-DHmlvdAXwtOmZNbkIZi4lkobPR3XjIzoOgzoz5duMf6G+sDeY015YrzMJCnqdccuYr7X5x4yYuSwF//RoN2dvQ==",
+      "version": "2.99.3",
+      "resolved": "https://registry.npmjs.org/@supabase/storage-js/-/storage-js-2.99.3.tgz",
+      "integrity": "sha512-lOfIm4hInNcd8x0i1LWphnLKxec42wwbjs+vhaVAvR801Vda0UAMbTooUY6gfqgQb8v29GofqKuQMMTAsl6w/w==",
       "license": "MIT",
       "dependencies": {
         "iceberg-js": "^0.8.1",
@@ -1459,16 +1453,16 @@
       }
     },
     "node_modules/@supabase/supabase-js": {
-      "version": "2.103.0",
-      "resolved": "https://registry.npmjs.org/@supabase/supabase-js/-/supabase-js-2.103.0.tgz",
-      "integrity": "sha512-j/6q5+LtXbR/YOLSLhy7Na74RD1cV2v+KwIIuuqMEjk1JpLEEyu0ynwDHpGoxMncDQl+R5FogaVqZm+85lZvtw==",
+      "version": "2.99.3",
+      "resolved": "https://registry.npmjs.org/@supabase/supabase-js/-/supabase-js-2.99.3.tgz",
+      "integrity": "sha512-GuPbzoEaI51AkLw9VGhLNvnzw4PHbS3p8j2/JlvLeZNQMKwZw4aEYQIDBRtFwL5Nv7/275n9m4DHtakY8nCvgg==",
       "license": "MIT",
       "dependencies": {
-        "@supabase/auth-js": "2.103.0",
-        "@supabase/functions-js": "2.103.0",
-        "@supabase/postgrest-js": "2.103.0",
-        "@supabase/realtime-js": "2.103.0",
-        "@supabase/storage-js": "2.103.0"
+        "@supabase/auth-js": "2.99.3",
+        "@supabase/functions-js": "2.99.3",
+        "@supabase/postgrest-js": "2.99.3",
+        "@supabase/realtime-js": "2.99.3",
+        "@supabase/storage-js": "2.99.3"
       },
       "engines": {
         "node": ">=20.0.0"
@@ -2032,6 +2026,12 @@
         "undici-types": "~7.18.0"
       }
     },
+    "node_modules/@types/phoenix": {
+      "version": "1.6.7",
+      "resolved": "https://registry.npmjs.org/@types/phoenix/-/phoenix-1.6.7.tgz",
+      "integrity": "sha512-oN9ive//QSBkf19rfDv45M7eZPi0eEXylht2OLEXicu5b4KoQ1OzXIw+xDSGWxSxe1JmepRR/ZH283vsu518/Q==",
+      "license": "MIT"
+    },
     "node_modules/@types/react": {
       "version": "19.2.14",
       "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",