Migrate JWT verification from HS256 to JWKS #75

Merged
TheFurya merged 3 commits from feature/migrate-jwt-verification-to-jwks into develop 2026-03-22 09:26:28 +01:00
Owner

Summary

  • Replace HS256 shared-secret JWT verification with JWKS-based verification using Supabase's JWKS endpoint
  • Remove SUPABASE_JWT_SECRET config in favor of SUPABASE_JWKS_URL
  • Update tests to use RSA key pairs instead of shared secrets

Test plan

  • Verify JWT tokens from Supabase are validated correctly via JWKS
  • Verify invalid/expired tokens are rejected
  • Verify JWKS key caching works as expected

🤖 Generated with Claude Code

TheFurya added 1 commit 2026-03-21 14:06:28 +01:00
feat: migrate JWT verification from HS256 shared secret to JWKS
All checks were successful
CI / backend-tests (pull_request) Successful in 28s
CI / frontend-tests (pull_request) Successful in 28s
177c02006a
Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.

- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TheFurya added 2 commits 2026-03-22 09:25:18 +01:00
Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.

- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Merge branch 'feature/migrate-jwt-verification-to-jwks' of https://gitea.nerdboden.de/pokemon/nuzlocke-tracker into feature/migrate-jwt-verification-to-jwks
All checks were successful
CI / backend-tests (pull_request) Successful in 31s
CI / frontend-tests (pull_request) Successful in 29s
d23e24b826
TheFurya merged commit 0ec1beac8f into develop 2026-03-22 09:26:28 +01:00
TheFurya deleted branch feature/migrate-jwt-verification-to-jwks 2026-03-22 09:26:29 +01:00

Reference: pokemon/nuzlocke-tracker#75
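
As an added illustration of the checks this migration relies on (not code from this repository, which uses PyJWKClient), the following standard-library Python verifies an RS256 token against a JWKS document: it pins the algorithm, selects the key by `kid`, checks the RSASSA-PKCS1-v1_5 signature and enforces `exp`. The key is a constructed demo key, and the function names, the `demo-1` key id and the legacy secret are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (two Mersenne primes): test data only, not a secure key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def make_token(header, claims, sign):  # test helper: build a compact JWT
    body = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(sign(body.encode()))

def rs256_sign(msg):  # issuer side, uses the private exponent
    return pow(emsa(msg, K), D, N).to_bytes(K, "big")

def hs256_sign(msg):  # the retired scheme, with a constructed secret
    return hmac.new(b"constructed-legacy-secret", msg, hashlib.sha256).digest()

# What a JWKS endpoint publishes: public numbers only (constructed sample).
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256",
                  "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def verify(token, jwks, now=None):
    h64, p64, s64 = token.split(".")
    header = json.loads(unb64u(h64))
    if header.get("alg") != "RS256":  # pin the algorithm, never follow the header
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(unb64u(jwk[f]), "big") for f in ("n", "e"))
    k, raw = (n.bit_length() + 7) // 8, unb64u(s64)
    sig = int.from_bytes(raw, "big")
    if len(raw) != k or sig >= n or pow(sig, e, n) != emsa(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(p64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):  # missing exp fails
        raise ValueError("expired")
    return claims
```

A token produced with `hs256_sign`, standing in for the retired shared-secret scheme, fails at the algorithm pin before any key is looked up.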