.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md

@@ -5,9 +5,11 @@ status: completed
 type: bug
 priority: normal
 created_at: 2026-03-22T10:51:30Z
-updated_at: 2026-03-22T10:52:46Z
+updated_at: 2026-03-22T10:59:46Z
 ---
 
 Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
 
 ## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
+
+Deployed to production via PR #86 merge on 2026-03-22.

backend/src/app/core/auth.py

@@ -1,3 +1,4 @@
+import logging
 from dataclasses import dataclass
 from uuid import UUID
 
@@ -12,6 +13,7 @@ from app.core.database import get_session
 from app.models.nuzlocke_run import NuzlockeRun
 from app.models.user import User
 
+logger = logging.getLogger(__name__)
 _jwks_client: PyJWKClient | None = None
 
 
@@ -71,12 +73,14 @@ def _verify_jwt(token: str) -> dict | None:
                 algorithms=["RS256", "ES256"],
                 audience="authenticated",
             )
-        except jwt.InvalidTokenError:
-            pass
-        except PyJWKClientError:
-            pass
-        except PyJWKSetError:
-            pass
+        except jwt.InvalidTokenError as e:
+            logger.warning("JWKS JWT validation failed: %s", e)
+        except PyJWKClientError as e:
+            logger.warning("JWKS client error: %s", e)
+        except PyJWKSetError as e:
+            logger.warning("JWKS set error: %s", e)
+    else:
+        logger.debug("No JWKS client available (SUPABASE_URL not set?)")
     return _verify_jwt_hs256(token)