refactor: 迁移本地 Supabase 到云端，使用 JWKS 进行 JWT 验证

- 新增 JwtVerifier 支持 RS256 + JWKS 验证
- 简化 docker-compose，删除本地 Supabase 服务(kong/auth/storage等)
- 删除冗余的 Supabase 配置文件(volumes目录)
- 适配测试用例以支持新配置方式
- 更新运行时文档和迁移计划

backend/tests/unit/core/auth/test_jwt_verifier.py

@@ -0,0 +1,268 @@
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+from types import SimpleNamespace
+from typing import Any, cast
+from uuid import uuid4
+
+import jwt
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from core.auth.jwt_verifier import (
+    JwtVerifier,
+    TokenValidationError,
+    TokenVerifierUnavailableError,
+)
+
+
+def _set_jwks_client(verifier: JwtVerifier, client: Any) -> None:
+    cast(Any, verifier)._jwks_client = client
+
+
+def _build_rsa_key_pair() -> tuple[str, str]:
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode("utf-8")
+    public_pem = (
+        private_key.public_key()
+        .public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+        .decode("utf-8")
+    )
+    return private_pem, public_pem
+
+
+def _build_token(*, private_key: str, sub: str, audience: str, issuer: str) -> str:
+    now = datetime.now(UTC)
+    payload = {
+        "sub": sub,
+        "aud": audience,
+        "iss": issuer,
+        "exp": now + timedelta(minutes=5),
+    }
+    return jwt.encode(payload, private_key, algorithm="RS256", headers={"kid": "kid-1"})
+
+
+def _build_expired_token(
+    *, private_key: str, sub: str, audience: str, issuer: str
+) -> str:
+    now = datetime.now(UTC)
+    payload = {
+        "sub": sub,
+        "aud": audience,
+        "iss": issuer,
+        "exp": now - timedelta(minutes=1),
+    }
+    return jwt.encode(payload, private_key, algorithm="RS256", headers={"kid": "kid-1"})
+
+
+def _build_hs256_token(*, secret: str, sub: str, audience: str, issuer: str) -> str:
+    now = datetime.now(UTC)
+    payload = {
+        "sub": sub,
+        "aud": audience,
+        "iss": issuer,
+        "exp": now + timedelta(minutes=5),
+    }
+    return jwt.encode(payload, secret, algorithm="HS256", headers={"kid": "kid-1"})
+
+
+def test_verify_token_with_jwks_success() -> None:
+    user_id = uuid4()
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    private_key, public_key = _build_rsa_key_pair()
+    token = _build_token(
+        private_key=private_key,
+        sub=str(user_id),
+        audience=audience,
+        issuer=issuer,
+    )
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(
+            get_signing_key_from_jwt=lambda _: SimpleNamespace(key=public_key)
+        ),
+    )
+
+    claims = verifier.verify(token)
+
+    assert claims["sub"] == str(user_id)
+
+
+def test_verify_token_rejects_invalid_issuer() -> None:
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    private_key, public_key = _build_rsa_key_pair()
+    token_with_wrong_iss = _build_token(
+        private_key=private_key,
+        sub=str(uuid4()),
+        audience=audience,
+        issuer="https://wrong-issuer.example.com/auth/v1",
+    )
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(
+            get_signing_key_from_jwt=lambda _: SimpleNamespace(key=public_key)
+        ),
+    )
+
+    with pytest.raises(TokenValidationError):
+        verifier.verify(token_with_wrong_iss)
+
+
+def test_verify_token_rejects_hs256_token() -> None:
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    _, public_key = _build_rsa_key_pair()
+    hs_token = _build_hs256_token(
+        secret="test-secret",
+        sub=str(uuid4()),
+        audience=audience,
+        issuer=issuer,
+    )
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(
+            get_signing_key_from_jwt=lambda _: SimpleNamespace(key=public_key)
+        ),
+    )
+
+    with pytest.raises(TokenValidationError):
+        verifier.verify(hs_token)
+
+
+def test_verify_token_rejects_expired_token() -> None:
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    private_key, public_key = _build_rsa_key_pair()
+    expired_token = _build_expired_token(
+        private_key=private_key,
+        sub=str(uuid4()),
+        audience=audience,
+        issuer=issuer,
+    )
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(
+            get_signing_key_from_jwt=lambda _: SimpleNamespace(key=public_key)
+        ),
+    )
+
+    with pytest.raises(TokenValidationError):
+        verifier.verify(expired_token)
+
+
+def test_verify_token_rejects_invalid_audience() -> None:
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    private_key, public_key = _build_rsa_key_pair()
+    wrong_aud_token = _build_token(
+        private_key=private_key,
+        sub=str(uuid4()),
+        audience="anon",
+        issuer=issuer,
+    )
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(
+            get_signing_key_from_jwt=lambda _: SimpleNamespace(key=public_key)
+        ),
+    )
+
+    with pytest.raises(TokenValidationError):
+        verifier.verify(wrong_aud_token)
+
+
+def test_verify_token_rejects_invalid_signature() -> None:
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    private_key, public_key = _build_rsa_key_pair()
+    valid_token = _build_token(
+        private_key=private_key,
+        sub=str(uuid4()),
+        audience=audience,
+        issuer=issuer,
+    )
+    tampered_token = f"{valid_token}x"
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(
+            get_signing_key_from_jwt=lambda _: SimpleNamespace(key=public_key)
+        ),
+    )
+
+    with pytest.raises(TokenValidationError):
+        verifier.verify(tampered_token)
+
+
+def test_verify_token_maps_jwks_connection_error() -> None:
+    audience = "authenticated"
+    issuer = "https://example.supabase.co/auth/v1"
+    private_key, _ = _build_rsa_key_pair()
+    token = _build_token(
+        private_key=private_key,
+        sub=str(uuid4()),
+        audience=audience,
+        issuer=issuer,
+    )
+
+    verifier = JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer=issuer,
+        audience=audience,
+    )
+
+    def _raise_connection_error(_: str) -> SimpleNamespace:
+        raise jwt.PyJWKClientConnectionError("network down")
+
+    _set_jwks_client(
+        verifier,
+        SimpleNamespace(get_signing_key_from_jwt=_raise_connection_error),
+    )
+
+    with pytest.raises(TokenVerifierUnavailableError):
+        verifier.verify(token)