Fix critical issues from code review

- Use python-jose (already in dependencies) instead of PyJWT for JWT decoding
- Make unknown Supabase key roles fail fast per alpha principles
- Skip all JWT validations (not just signature) when checking role
- Update tests to expect failure for unknown roles

Fixes:
- No need to add PyJWT dependency - python-jose provides JWT functionality
- Unknown key types now raise ConfigurationError instead of warning
- JWT decode properly skips all validations to only check role claim
Rasmus Widing
2025-08-16 00:23:37 +03:00
parent 3800280f2e
commit 4004090b45
2 changed files with 28 additions and 18 deletions


@@ -6,7 +6,7 @@ import os
from dataclasses import dataclass
from urllib.parse import urlparse
import jwt
from jose import jwt
class ConfigurationError(Exception):
@@ -64,7 +64,18 @@ def validate_supabase_key(supabase_key: str) -> tuple[bool, str]:
try:
# Decode JWT without verification to check the 'role' claim
# We don't verify the signature since we only need to check the role
decoded = jwt.decode(supabase_key, options={"verify_signature": False})
# Also skip all other validations (aud, exp, etc) since we only care about the role
decoded = jwt.decode(
supabase_key,
'',
options={
"verify_signature": False,
"verify_aud": False,
"verify_exp": False,
"verify_nbf": False,
"verify_iat": False
}
)
role = decoded.get("role")
if role == "anon":
@@ -134,7 +145,12 @@ def load_environment_config() -> EnvironmentConfig:
)
elif key_message.startswith("UNKNOWN_KEY_TYPE:"):
role = key_message.split(":", 1)[1]
print(f"WARNING: Unknown Supabase key role '{role}'. Proceeding but may cause issues.")
raise ConfigurationError(
f"CRITICAL: Unknown Supabase key role '{role}'.\n\n"
f"Expected 'service_role' but found '{role}'.\n"
f"This key type is not supported and will likely cause failures.\n\n"
f"Please use a valid service_role key from your Supabase dashboard."
)
# For UNABLE_TO_VALIDATE, we continue silently
# Optional environment variables with defaults
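Review bot: In the validate_supabase_key hunk, calling `jwt.decode(...)` with an empty key and five `verify_*` switches turned off is a roundabout way to read unverified claims. As far as I can tell python-jose still applies its remaining default claim checks (for example on `sub` and `jti`), so "skip all validations" is not quite what the code does. python-jose has a dedicated call for this, `decoded = jwt.get_unverified_claims(supabase_key)`, which states the intent and leaves no signature-disabling `decode` pattern to be copied elsewhere. Because the claims are unauthenticated, the comment above the call should say that `role` is only a configuration sanity check and must never feed an authorization decision. Separately, the last hunk keeps `# For UNABLE_TO_VALIDATE, we continue silently`, so an undecodable key still passes while an unknown role now raises, which seems at odds with the fail-fast goal and deserves at least a why-comment; both functions start and end outside the hunks shown.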