fix: resolve jwks when initialising realtime tenant

sweatybridge · sweatybridge · commit 36de7c411fca · 2025-10-07T04:06:28.000+08:00
diff --git a/internal/db/start/start.go b/internal/db/start/start.go
@@ -272,7 +272,7 @@ func InitSchema14(ctx context.Context, conn *pgx.Conn) error {
 	return file.ExecBatch(ctx, conn)
 }
 
-func initRealtimeJob(host string) utils.DockerJob {
+func initRealtimeJob(host, jwks string) utils.DockerJob {
 	return utils.DockerJob{
 		Image: utils.Config.Realtime.Image,
 		Env: []string{
@@ -284,6 +284,7 @@ func initRealtimeJob(host string) utils.DockerJob {
 			"DB_NAME=postgres",
 			"DB_AFTER_CONNECT_QUERY=SET search_path TO _realtime",
 			"DB_ENC_KEY=" + utils.Config.Realtime.EncryptionKey,
+			fmt.Sprintf("API_JWT_JWKS=%s", jwks),
 			"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			"APP_NAME=realtime",
@@ -341,7 +342,11 @@ func initSchema15(ctx context.Context, host string) error {
 	// Apply service migrations
 	var initJobs []utils.DockerJob
 	if utils.Config.Realtime.Enabled {
-		initJobs = append(initJobs, initRealtimeJob(host))
+		jwks, err := utils.Config.Auth.ResolveJWKS(context.Background())
+		if err != nil {
+			return err
+		}
+		initJobs = append(initJobs, initRealtimeJob(host, jwks))
 	}
 	if utils.Config.Storage.Enabled {
 		initJobs = append(initJobs, initStorageJob(host))
diff --git a/internal/start/start.go b/internal/start/start.go
@@ -146,7 +146,7 @@ func run(ctx context.Context, fsys afero.Fs, excludedContainers []string, dbConf
 		excluded[name] = true
 	}
 
-	jwks, err := utils.Config.Auth.ResolveJWKS(ctx, fsys)
+	jwks, err := utils.Config.Auth.ResolveJWKS(ctx)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -28,7 +28,6 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/joho/godotenv"
-	"github.com/spf13/afero"
 	"github.com/spf13/viper"
 	"github.com/supabase/cli/pkg/cast"
 	"github.com/supabase/cli/pkg/fetcher"
@@ -1428,7 +1427,7 @@ type (
 // ResolveJWKS creates the JWKS from the JWT secret and Third-Party Auth
 // configs by resolving the JWKS via the OIDC discovery URL.
 // It always returns a JWKS string, except when there's an error fetching.
-func (a *auth) ResolveJWKS(ctx context.Context, fsys afero.Fs) (string, error) {
+func (a *auth) ResolveJWKS(ctx context.Context) (string, error) {
 	var jwks remoteJWKS
 
 	if issuerURL := a.ThirdParty.IssuerURL(); issuerURL != "" {

Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ func run(ctx context.Context, fsys afero.Fs, excludedContainers []string, dbConf`
`146`	`146`	`excluded[name] = true`
`147`	`147`	`}`
`148`	`148`
`149`		`- jwks, err := utils.Config.Auth.ResolveJWKS(ctx, fsys)`
	`149`	`+ jwks, err := utils.Config.Auth.ResolveJWKS(ctx)`
`150`	`150`	`if err != nil {`
`151`	`151`	`return err`
`152`	`152`	`}`