fix: 增强云端 Supabase 认证可靠性，修复验证码失败可观测性

- JWT 验证器新增 apikey 参数，支持云端 JWKS 认证头 - Auth 网关新增上游超时/错误映射为 503 状态码 - Auth 网关新增重定向 URL 校验，阻断开放重定向风险 - 用户依赖传递 anon_key 给 JWT 验证器 - 新增相关单元测试覆盖 JWKS 头、503 映射、重定向校验 - 新增实现计划文档
2026-03-10 09:11:27 +08:00
parent 6fe2e7b6c3
commit c9a2c75c35
10 changed files with 384 additions and 75 deletions
@@ -17,6 +17,40 @@ from core.auth.jwt_verifier import (
 )


+def test_jwks_client_uses_supabase_auth_headers(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    captured: dict[str, Any] = {}
+
+    class _FakePyJWKClient:
+        def __init__(
+            self,
+            uri: str,
+            *,
+            headers: dict[str, Any] | None = None,
+            **_: Any,
+        ) -> None:
+            captured["uri"] = uri
+            captured["headers"] = headers
+
+    monkeypatch.setattr("core.auth.jwt_verifier.jwt.PyJWKClient", _FakePyJWKClient)
+
+    JwtVerifier(
+        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
+        issuer="https://example.supabase.co/auth/v1",
+        audience="authenticated",
+        apikey="anon-key-value",
+    )
+
+    assert (
+        captured["uri"] == "https://example.supabase.co/auth/v1/.well-known/jwks.json"
+    )
+    assert captured["headers"] == {
+        "apikey": "anon-key-value",
+        "Authorization": "Bearer anon-key-value",
+    }
+
+
 def _set_jwks_client(verifier: JwtVerifier, client: Any) -> None:
    cast(Any, verifier)._jwks_client = client

@@ -90,6 +124,7 @@ def test_verify_token_with_jwks_success() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )
    _set_jwks_client(
        verifier,
@@ -118,6 +153,7 @@ def test_verify_token_rejects_invalid_issuer() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )
    _set_jwks_client(
        verifier,
@@ -145,6 +181,7 @@ def test_verify_token_rejects_hs256_token() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )
    _set_jwks_client(
        verifier,
@@ -172,6 +209,7 @@ def test_verify_token_rejects_expired_token() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )
    _set_jwks_client(
        verifier,
@@ -199,6 +237,7 @@ def test_verify_token_rejects_invalid_audience() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )
    _set_jwks_client(
        verifier,
@@ -227,6 +266,7 @@ def test_verify_token_rejects_invalid_signature() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )
    _set_jwks_client(
        verifier,
@@ -254,6 +294,7 @@ def test_verify_token_maps_jwks_connection_error() -> None:
        jwks_url="https://example.supabase.co/auth/v1/.well-known/jwks.json",
        issuer=issuer,
        audience=audience,
+        apikey="anon-key",
    )

    def _raise_connection_error(_: str) -> SimpleNamespace: