Skip to content

fix: correctly parse JWT ValidMethods from env by enabling split_words #2334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
singh-inder wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: correctly parse JWT ValidMethods from env by enabling split_words #2334

singh-inder wants to merge 1 commit into from

Conversation

@singh-inder
Copy link

@singh-inder singh-inder commented Jan 16, 2026
edited
Loading

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

JWT ValidMethods not parsed from env because split_words was missing on the struct tag, causing envconfig to look for GOTRUE_JWT_VALIDMETHODS instead of GOTRUE_JWT_VALID_METHODS. Since v2.71.1, cli defaults to asymmetric keys, which caused valid HS256 tokens to be rejected.

What is the new behavior?

This change adds split_words to ensure the correct env var is used. I assume that GOTRUE_JWT_VALID_METHODS is the correct env var but if it isn't, then this issue can also be solved by updating the env var passed to auth service in supabase cli to

			env = append(env, "GOTRUE_JWT_VALIDMETHODS=HS256,RS256,ES256")

Additional context

The following screenshots are from print statements I added

  1. config.JWT.ValidMethods was nil because it was looking for wrong env var. It defaulted to jwk key algorithm (ES256).

    auth/internal/conf/configuration.go

    Lines 1092 to 1097 in 645654d

    if config.JWT.ValidMethods == nil {
    config.JWT.ValidMethods = []string{}
    for _, key := range config.JWT.Keys {
    alg := GetSigningAlg(key.PublicKey)
    config.JWT.ValidMethods = append(config.JWT.ValidMethods, alg.Alg())
    }

    Screenshot 2026-01-17 041756

    Screenshot 2026-01-17 042002

  2. After
    image

@singh-inder singh-inder requested a review from a team as a code owner January 16, 2026 23:38
@singh-inder
Copy link
Author

singh-inder commented Jan 17, 2026

Maybe related:
https://github.com/orgs/supabase/discussions/41895
supabase/cli#4726

@coveralls
Copy link

coveralls commented Jan 19, 2026

Pull Request Test Coverage Report for Build 21084248505

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 68.512%
Totals Coverage Status
Change from base Build 21060916988: 0.0%
Covered Lines: 14724
Relevant Lines: 21491
💛 - Coveralls

@aantti
Copy link

aantti commented Jan 19, 2026

Also supabase/cli#4524 ?

@aantti
Copy link

aantti commented Jan 19, 2026

@hf @kangmingtay

@aantti
Copy link

aantti commented Jan 21, 2026

Possibly also supabase/supabase#42037

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@singh-inder @coveralls @aantti