Merge pull request 'develop' (#87) from develop into main

Reviewed-on: #87

.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md

@@ -5,11 +5,9 @@ status: completed
 type: bug
 priority: normal
 created_at: 2026-03-22T10:51:30Z
-updated_at: 2026-03-22T10:59:46Z
+updated_at: 2026-03-22T10:52:46Z
 ---
 
 Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
 
 ## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
-
-Deployed to production via PR #86 merge on 2026-03-22.

backend/src/app/api/health.py

@@ -1,10 +1,6 @@
-import urllib.request
+from fastapi import APIRouter
-
-from fastapi import APIRouter, Request
 from sqlalchemy import text
 
-from app.core.auth import _build_jwks_url, _extract_token, _get_jwks_client
-from app.core.config import settings
 from app.core.database import async_session
 
 router = APIRouter(tags=["health"])
@@ -27,45 +23,3 @@ async def health_check():
 async def root():
     """Root endpoint."""
     return {"message": "Nuzlocke Tracker API", "docs": "/docs"}
-
-
-@router.get("/auth-debug")
-async def auth_debug(request: Request):
-    """Temporary diagnostic endpoint for auth debugging."""
-    result: dict = {}
-
-    # Config
-    result["supabase_url"] = settings.supabase_url
-    result["has_jwt_secret"] = bool(settings.supabase_jwt_secret)
-    result["jwks_url"] = (
-        _build_jwks_url(settings.supabase_url) if settings.supabase_url else None
-    )
-
-    # JWKS fetch
-    jwks_url = result["jwks_url"]
-    if jwks_url:
-        try:
-            with urllib.request.urlopen(jwks_url, timeout=5) as resp:
-                result["jwks_status"] = resp.status
-                result["jwks_body"] = resp.read().decode()
-        except Exception as e:
-            result["jwks_fetch_error"] = str(e)
-
-    # JWKS client
-    client = _get_jwks_client()
-    result["jwks_client_exists"] = client is not None
-
-    # Token info (header only, no secrets)
-    token = _extract_token(request)
-    if token:
-        import jwt
-
-        try:
-            header = jwt.get_unverified_header(token)
-            result["token_header"] = header
-        except Exception as e:
-            result["token_header_error"] = str(e)
-    else:
-        result["token"] = "not provided"
-
-    return result

backend/src/app/core/auth.py

@@ -1,4 +1,3 @@
-import logging
 from dataclasses import dataclass
 from uuid import UUID
 
@@ -13,7 +12,6 @@ from app.core.database import get_session
 from app.models.nuzlocke_run import NuzlockeRun
 from app.models.user import User
 
-logger = logging.getLogger(__name__)
 _jwks_client: PyJWKClient | None = None
 
 
@@ -26,21 +24,11 @@ class AuthUser:
     role: str | None = None
 
 
-def _build_jwks_url(base_url: str) -> str:
-    """Build the JWKS URL, adding /auth/v1 prefix for Supabase Cloud."""
-    base = base_url.rstrip("/")
-    if "/auth/v1" in base:
-        return f"{base}/.well-known/jwks.json"
-    # Supabase Cloud URLs need the /auth/v1 prefix;
-    # local GoTrue serves JWKS at root but uses HS256 fallback anyway.
-    return f"{base}/auth/v1/.well-known/jwks.json"
-
-
 def _get_jwks_client() -> PyJWKClient | None:
     """Get or create a cached JWKS client."""
     global _jwks_client
     if _jwks_client is None and settings.supabase_url:
-        jwks_url = _build_jwks_url(settings.supabase_url)
+        jwks_url = f"{settings.supabase_url.rstrip('/')}/.well-known/jwks.json"
         _jwks_client = PyJWKClient(jwks_url, cache_jwk_set=True, lifespan=300)
     return _jwks_client
 
@@ -83,14 +71,12 @@ def _verify_jwt(token: str) -> dict | None:
                 algorithms=["RS256", "ES256"],
                 audience="authenticated",
             )
-        except jwt.InvalidTokenError as e:
+        except jwt.InvalidTokenError:
-            logger.warning("JWKS JWT validation failed: %s", e)
+            pass
-        except PyJWKClientError as e:
+        except PyJWKClientError:
-            logger.warning("JWKS client error: %s", e)
+            pass
-        except PyJWKSetError as e:
+        except PyJWKSetError:
-            logger.warning("JWKS set error: %s", e)
+            pass
-    else:
-        logger.warning("No JWKS client available (SUPABASE_URL not set?)")
     return _verify_jwt_hs256(token)
 
 

frontend/package-lock.json

@@ -13,7 +13,7 @@
         "@dnd-kit/utilities": "3.2.2",
         "@supabase/supabase-js": "^2.99.3",
         "@tailwindcss/typography": "^0.5.19",
-        "@tanstack/react-query": "5.97.0",
+        "@tanstack/react-query": "5.94.5",
         "react": "19.2.4",
         "react-dom": "19.2.4",
         "react-markdown": "^10.1.0",
@@ -1817,9 +1817,9 @@
       }
     },
     "node_modules/@tanstack/query-core": {
-      "version": "5.97.0",
+      "version": "5.94.5",
-      "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.97.0.tgz",
+      "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.94.5.tgz",
-      "integrity": "sha512-QdpLP5VzVMgo4VtaPppRA2W04UFjIqX+bxke/ZJhE5cfd5UPkRzqIAJQt9uXkQJjqE8LBOMbKv7f8HCsZltXlg==",
+      "integrity": "sha512-Vx1JJiBURW/wdNGP45afjrqn0LfxYwL7K/bSrQvNRtyLGF1bxQPgUXCpzscG29e+UeFOh9hz1KOVala0N+bZiA==",
       "license": "MIT",
       "funding": {
         "type": "github",
@@ -1827,12 +1827,12 @@
       }
     },
     "node_modules/@tanstack/react-query": {
-      "version": "5.97.0",
+      "version": "5.94.5",
-      "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.97.0.tgz",
+      "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.94.5.tgz",
-      "integrity": "sha512-y4So4eGcQoK2WVMAcDNZE9ofB/p5v1OlKvtc1F3uqHwrtifobT7q+ZnXk2mRkc8E84HKYSlAE9z6HXl2V0+ySQ==",
+      "integrity": "sha512-1wmrxKFkor+q8l+ygdHmv0Sq5g84Q3p4xvuJ7AdSIAhQQ7udOt+ZSZ19g1Jea3mHqtlTslLGJsmC4vHFgP0P3A==",
       "license": "MIT",
       "dependencies": {
-        "@tanstack/query-core": "5.97.0"
+        "@tanstack/query-core": "5.94.5"
       },
       "funding": {
         "type": "github",

frontend/package.json

@@ -21,7 +21,7 @@
     "@dnd-kit/utilities": "3.2.2",
     "@supabase/supabase-js": "^2.99.3",
     "@tailwindcss/typography": "^0.5.19",
-    "@tanstack/react-query": "5.97.0",
+    "@tanstack/react-query": "5.94.5",
     "react": "19.2.4",
     "react-dom": "19.2.4",
     "react-markdown": "^10.1.0",