fix: 增强云端 Supabase 认证可靠性，修复验证码失败可观测性

- JWT 验证器新增 apikey 参数，支持云端 JWKS 认证头
- Auth 网关新增上游超时/错误映射为 503 状态码
- Auth 网关新增重定向 URL 校验，阻断开放重定向风险
- 用户依赖传递 anon_key 给 JWT 验证器
- 新增相关单元测试覆盖 JWKS 头、503 映射、重定向校验
- 新增实现计划文档

backend/tests/unit/test_settings_supabase_env.py

@@ -13,11 +13,6 @@ def test_social_prefixed_supabase_env_populates_settings(
     monkeypatch.setenv("SOCIAL_SUPABASE__PUBLIC_URL", "https://public.example:8443")
     monkeypatch.setenv("SOCIAL_SUPABASE__ANON_KEY", "anon-key")
     monkeypatch.setenv("SOCIAL_SUPABASE__SERVICE_ROLE_KEY", "service-key")
-    monkeypatch.setenv("SOCIAL_SUPABASE__SITE_URL", "https://app.example.com")
-    monkeypatch.setenv(
-        "SOCIAL_SUPABASE__ADDITIONAL_REDIRECT_URLS",
-        '["https://a.example.com", "https://b.example.com/path"]',
-    )
     monkeypatch.setenv("SOCIAL_DATABASE__HOST", "db")
     monkeypatch.setenv("SOCIAL_DATABASE__PORT", "5432")
     monkeypatch.setenv("SOCIAL_DATABASE__NAME", "app")
@@ -29,17 +24,11 @@ def test_social_prefixed_supabase_env_populates_settings(
     assert str(settings.supabase.public_url) == "https://public.example:8443/"
     assert settings.supabase.anon_key == "anon-key"
     assert settings.supabase.service_role_key == "service-key"
-    assert settings.supabase.site_url == "https://app.example.com"
-    assert settings.supabase.additional_redirect_urls == [
-        "https://a.example.com",
-        "https://b.example.com/path",
-    ]
 
     supabase_settings = settings.model_dump()["supabase"]
     assert str(supabase_settings["public_url"]) == "https://public.example:8443/"
     assert supabase_settings["anon_key"] == "anon-key"
     assert supabase_settings["service_role_key"] == "service-key"
-    assert supabase_settings["site_url"] == "https://app.example.com"
     assert "jwt_secret" not in supabase_settings
     assert "public_scheme" not in supabase_settings
     assert "public_host" not in supabase_settings