pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity
Files
c40dd38c99a31bad52e38d42c07b6a7ae0cd7022
nuzlocke-tracker/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md
Julian Tabel a12958ae32
All checks were successful
CI / backend-tests (push) Successful in 27s
Details
CI / frontend-tests (push) Successful in 29s
Details
update beans and postgres mount path
2026-03-21 12:51:35 +01:00

12 lines
1010 B
Markdown
Raw Blame History

---
# nuzlocke-tracker-t9aj
title: Migrate JWT verification from HS256 shared secret to asymmetric keys (JWKS)
status: todo
type: task
priority: low
created_at: 2026-03-21T11:14:29Z
updated_at: 2026-03-21T11:14:29Z
---
The backend currently verifies Supabase JWTs using an HS256 shared secret (`SUPABASE_JWT_SECRET`). Supabase recommends migrating to asymmetric keys (RS256) for better security.\n\nInstead of storing a shared secret, the backend would fetch public keys from Supabase's JWKS endpoint (`https://<project>.supabase.co/.well-known/jwks.json`) and verify tokens against those.\n\n## Changes needed\n\n- [ ] Update `backend/src/app/core/auth.py` to fetch and cache JWKS public keys\n- [ ] Change `jwt.decode` from `HS256` to `RS256` with the fetched public key\n- [ ] Remove `SUPABASE_JWT_SECRET` from config, docker-compose, deploy workflow, and .env files\n- [ ] Update tests\n\n## References\n\n- https://supabase.com/docs/guides/auth/signing-keys\n- https://supabase.com/docs/guides/auth/jwts
Reference in New Issue View Git Blame Copy Permalink