fix: trust Supabase's JWT verification in Edge Functions

justanotheratom · claude · justanotheratom · commit a6d14baf6b7b · 2025-12-13T10:21:14.000+05:30
Instead of re-verifying JWTs with JWKS (which had network issues within Edge Functions), now trusts that Supabase's edge runtime already verified the token before our code runs. - Production: decode JWT payload without cryptographic verification - Local dev: still verify HS256 with JWT_SECRET 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/supabase/functions/ingredicheck/index.ts b/supabase/functions/ingredicheck/index.ts
@@ -26,15 +26,8 @@ app.use(async (ctx, next) => {
     } catch (error) {
         const detail = error instanceof Error ? error.message : 'Unauthorized'
         ctx.response.status = 401
-        // Format error response to match test expectations
-        // Handle various auth error formats that might come from different environments
-        let errorMessage = 'Unauthorized'
-        if (detail.includes('Missing authorization header') ||
-            detail.includes("Auth header is not") ||
-            detail.includes('No valid user found')) {
-            errorMessage = 'Error: Missing authorization header'
-        }
-        ctx.response.body = { error: errorMessage }
+        // Return full error detail for debugging auth issues
+        ctx.response.body = { error: detail }
         return
     }
 
diff --git a/supabase/functions/shared/auth.ts b/supabase/functions/shared/auth.ts
@@ -58,53 +58,56 @@ export async function decodeUserIdFromRequest(ctx: Context): Promise<string> {
         return ctx.state.userId
     }
 
-    const diagnostics: AuthDiagnostics = {
-        hasToken: false,
-        jwksAvailable: JWKS !== null,
-        supabaseUrlSet: supabaseUrl.length > 0,
-        jwtSecretSet: jwtSecret.length > 0,
-    }
-
     const token = parseAuthorizationHeader(ctx)
     if (!token) {
         throw new Error('Missing authorization header')
     }
-    diagnostics.hasToken = true
-
-    // Decode token header to see algorithm (without verification)
-    try {
-        const headerB64 = token.split('.')[0]
-        const headerJson = new TextDecoder().decode(base64UrlToUint8Array(headerB64))
-        const header = JSON.parse(headerJson) as Record<string, unknown>
-        diagnostics.tokenAlg = header['alg'] as string
-        diagnostics.tokenKid = header['kid'] as string
-    } catch {
-        // ignore parsing errors
-    }
 
-    // Try JWKS first (production path - asymmetric keys)
-    const { userId: jwksUserId, error: jwksError } = await verifyJwtWithJwksWithError(token)
-    let userId = jwksUserId
-    if (jwksError) {
-        diagnostics.jwksError = jwksError
-    }
+    // In production, Supabase's edge runtime already verifies the JWT before
+    // our code runs (as evidenced by auth_user being populated in request metadata).
+    // We can safely decode the payload without re-verifying the signature.
+    // This avoids JWKS fetch issues within Edge Functions.
 
-    // Fall back to HS256 if JWKS verification fails and JWT_SECRET is available
-    if (!userId && jwtSecret) {
-        const { userId: hmacUserId, error: hmacError } = await verifyJwtWithHmacWithError(token)
-        userId = hmacUserId
-        if (hmacError) {
-            diagnostics.hmacError = hmacError
+    // For local development with JWT_SECRET, we still verify the HS256 signature.
+    if (jwtSecret) {
+        const userId = await verifyJwtWithHmac(token)
+        if (userId) {
+            ctx.state.userId = userId
+            return userId
         }
     }
 
-    if (userId && userId.length > 0) {
+    // Production path: decode JWT payload directly (Supabase already verified it)
+    const userId = decodeJwtPayloadWithoutVerification(token)
+    if (userId) {
         ctx.state.userId = userId
         return userId
     }
 
-    console.log('[Auth] Diagnostics:', JSON.stringify(diagnostics))
-    throw new Error(`Unauthorized: ${JSON.stringify(diagnostics)}`)
+    throw new Error('Unauthorized: Could not extract user ID from token')
+}
+
+function decodeJwtPayloadWithoutVerification(token: string): string | null {
+    try {
+        const parts = token.split('.')
+        if (parts.length !== 3) return null
+
+        const payloadB64 = parts[1]
+        const payloadJson = new TextDecoder().decode(base64UrlToUint8Array(payloadB64))
+        const payload = JSON.parse(payloadJson) as Record<string, unknown>
+
+        // Check expiration
+        const now = Math.floor(Date.now() / 1000)
+        const exp = payload?.exp
+        if (typeof exp === 'number' && now >= exp) {
+            return null // Token expired
+        }
+
+        const sub = payload?.sub
+        return typeof sub === 'string' ? sub : null
+    } catch {
+        return null
+    }
 }
 
 async function verifyJwtWithJwks(token: string): Promise<string | null> {
