Fix JWT verification failing in local dev (HS256 fallback) #80

Merged
TheFurya merged 1 commit from feature/fix-jwt-verification-failing-in-local-dev-hs256-fallback into develop 2026-03-22 09:41:43 +01:00
Owner

Summary

  • Local GoTrue signs JWTs with HS256, but the JWKS migration (#75) only supports RS256. The /.well-known/jwks.json endpoint returns an empty key set locally, causing 500 errors on all authenticated endpoints.
  • Added HS256 fallback: _verify_jwt tries JWKS/RS256 first, then falls back to verifying with SUPABASE_JWT_SECRET (HS256). Production (Supabase Cloud) is unaffected.
  • Added supabase_jwt_secret config setting, wired it through docker-compose.yml and .env.example files.

Test plan

  • docker compose up and verify authenticated requests (e.g. POST /api/v1/runs) no longer return 500
  • Verify JWT verification still works in production with JWKS/RS256
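An added example, not code from this PR or the project: a stdlib-only Python sketch of the verification policy the summary describes, with `verify_jwt`, `mint_hs256`, `run_scenarios` and the constructed secret, JWKS and tokens all assumed for illustration. It departs from a plain "try JWKS/RS256 first, then fall back" ordering by dispatching on the header's `alg` against a fixed allowlist: HS256 is accepted only when a shared secret is configured (the local-dev case) and never with JWKS material as the HMAC key, an empty JWKS for an RS256 token becomes a clean rejection rather than a server error, and `none` or any other algorithm is refused. The RSA signature check itself is delegated to an injected verifier (PyJWT restricted to RS256 in a real service) rather than reimplemented here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional


class JWTError(Exception):
    """Any rejected token; the route layer maps this to HTTP 401, never to a 500."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))  # restore stripped padding


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, secret: str) -> str:
    """Constructed helper: mint a token the way a local, HS256-signing GoTrue would."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, jwks: dict, hs256_secret: Optional[str] = None,
               rs256_verify: Optional[Callable[[bytes, bytes, dict], bool]] = None,
               now: Optional[float] = None) -> dict:
    """Verify a token with each algorithm bound to its own key source: RS256 only against
    an RSA key from the JWKS, HS256 only against the shared secret and only when one is
    configured. The header's alg selects a branch from this allowlist, never a key."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # bad split, base64 or JSON all derive from ValueError
        raise JWTError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JWTError("malformed token")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    alg = header.get("alg")

    if alg == "RS256":
        kid = header.get("kid")
        jwk = next((k for k in jwks.get("keys", []) if k.get("kty") == "RSA"
                    and kid is not None and k.get("kid") == kid), None)
        if jwk is None:  # the empty local JWKS lands here: a clean 401, not a 500
            raise JWTError("no RSA key in JWKS for this kid")
        # The RSA check itself is delegated (e.g. PyJWT restricted to algorithms=["RS256"]).
        if rs256_verify is None or not rs256_verify(signing_input, signature, jwk):
            raise JWTError("bad RS256 signature")
    elif alg == "HS256":
        # Live only when SUPABASE_JWT_SECRET is set; production leaves it unset, so HS256
        # is never accepted there. JWKS public keys are never used as HMAC keys, which
        # closes the RS256-to-HS256 key-confusion attack.
        if not hs256_secret:
            raise JWTError("HS256 token but no shared secret configured")
        expected = hmac.new(hs256_secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise JWTError("bad HS256 signature")
    else:
        raise JWTError(f"unsupported alg {alg!r}")  # 'none', HS512, anything unlisted

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise JWTError("token expired or missing exp")
    return claims


def run_scenarios() -> dict:
    """Constructed cases mirroring the PR: local HS256 tokens, an empty JWKS, no secret set."""
    secret = "local-dev-shared-secret"  # stands in for SUPABASE_JWT_SECRET
    empty_jwks = {"keys": []}  # what the local /.well-known/jwks.json returns
    claims = {"sub": "user-123", "role": "authenticated", "exp": 2_000_000_000}
    local_token = mint_hs256(claims, secret)
    body = _b64url_encode(json.dumps(claims).encode())
    rs_head = _b64url_encode(b'{"alg":"RS256","kid":"k1"}')
    rs_token = f"{rs_head}.{body}.{_b64url_encode(b'x')}"
    none_head = _b64url_encode(b'{"alg":"none"}')
    none_token = f"{none_head}.{body}."

    def outcome(**kw) -> str:
        try:
            return verify_jwt(now=1_000, **kw)["sub"]
        except JWTError as err:
            return f"rejected: {err}"

    return {
        "local_hs256_ok": outcome(token=local_token, jwks=empty_jwks, hs256_secret=secret),
        "local_wrong_secret": outcome(token=local_token, jwks=empty_jwks, hs256_secret="nope"),
        "no_secret_like_prod": outcome(token=local_token, jwks=empty_jwks, hs256_secret=None),
        "rs256_empty_jwks": outcome(token=rs_token, jwks=empty_jwks, hs256_secret=secret),
        "alg_none": outcome(token=none_token, jwks=empty_jwks, hs256_secret=secret),
    }
```

Wired to this PR's setup, `hs256_secret` would come from the new `supabase_jwt_secret` setting and be left unset outside `docker-compose.yml`; the value of binding the secret to the HS256 branch, rather than to "whatever failed in the JWKS path", is that a transient JWKS failure or a rotated `kid` in production can never route an RS256 caller into the HMAC check, and an HS256 token presented to production is refused on the spot.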
TheFurya added 1 commit 2026-03-22 09:39:22 +01:00
fix: add HS256 fallback for JWT verification in local dev
All checks were successful
CI / backend-tests (pull_request) Successful in 29s
CI / frontend-tests (pull_request) Successful in 29s
af55cdd8a6
Local GoTrue signs JWTs with HS256, but the JWKS endpoint returns an
empty key set since there are no RSA keys. Fall back to HS256 shared
secret verification when JWKS fails, using SUPABASE_JWT_SECRET.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TheFurya merged commit d98b0da410 into develop 2026-03-22 09:41:43 +01:00
TheFurya deleted branch feature/fix-jwt-verification-failing-in-local-dev-hs256-fallback 2026-03-22 09:41:44 +01:00
No Reviewers
No Label
1 Participants

Reference: pokemon/nuzlocke-tracker#80