supabase-community / supabase-go

A Go Client library for Supabase
MIT License
227 stars 19 forks

missing sub claim || signing method RS256 is invalid #21

Closed echarrod closed 2 months ago

echarrod commented 2 months ago

Bug report

Describe the bug

When I try to get a user using a token I get a couple of different errors.

To Reproduce

my code:

package user // package name is not shown in the issue; assumed here so the file compiles

import (
	"context"
	"fmt"
	"log"

	"encore.dev"
	"encore.dev/beta/auth"
	"encore.dev/beta/errs"
	"github.com/supabase-community/supabase-go"
)

// Data is the user record returned to the caller; fields inferred from their use below.
type Data struct {
	ID    string
	Email string
}

// Encore secrets struct (declaration not shown in the issue). SupabasePrivateKey is the
// service_role key handed to supabase.NewClient.
var secrets struct {
	SupabasePrivateKey string
}

// supabaseProdAPIURL and supabaseDevAPIURL are the project API URLs, defined elsewhere in the app.

// ValidateToken resolves a bearer token to a user by asking Supabase Auth which user it belongs to.
func ValidateToken(ctx context.Context, token string) (auth.UID, *Data, error) {
	sbClient, err := setupSupabase()
	if err != nil {
		return "", nil, err
	}

	log.Println("token = " + token) // note: this writes the caller's raw bearer token to the log

	// WithToken sets the Authorization header for subsequent Auth calls; GetUser then
	// sends it to the user endpoint, which verifies the token and returns its user.
	sbClient.Auth = sbClient.Auth.WithToken(token)

	// See https://supabase.com/docs/guides/auth/users for fields
	userRes, err := sbClient.Auth.GetUser()
	if err != nil {
		return "", nil, errs.Wrap(err, "getting user")
	}

	uid := userRes.ID.String()
	usr := &Data{
		ID:    uid,
		Email: userRes.Email,
	}
	return auth.UID(uid), usr, nil
}

// setupSupabase ensures Supabase Auth is set up, picking the project URL by environment.
func setupSupabase() (*supabase.Client, error) {
	var url string
	if encore.Meta().Environment.Type == encore.EnvProduction {
		url = supabaseProdAPIURL
	} else {
		url = supabaseDevAPIURL
	}
	// The key given here is sent as the apikey header; it is the service_role key from the dashboard.
	client, err := supabase.NewClient(url, secrets.SupabasePrivateKey, &supabase.ClientOptions{})
	if err != nil {
		fmt.Println("cannot initialise client", err)
		return nil, err
	}

	return client, nil
}

Expected behaviour

System information

Additional context

I know I have two keys on my admin dashboard:

As I understand it, my server has service_role configured when setting up the client with supabase.NewClient, and then I can make calls from the browser/FE with the public one.

I tried mixing and matching these, to be sure, but get the following error, I believe when using the anon token (which I think makes sense?):

{
    "code": 403,
    "error_code": "bad_jwt",
    "msg": "invalid claim: missing sub claim"
}

But then I also get this one:

{
    "code": 403,
    "error_code": "bad_jwt",
    "msg": "invalid JWT: unable to parse or verify signature, token signature is invalid: signing method RS256 is invalid"
}

I'm not really sure how my JWT would be RS256; I'm copying it from the Supabase dashboard.

echarrod commented 2 months ago

I can see missing sub claim is being thrown from here: https://github.com/supabase/auth/blob/9d419b400f0637b10e5c235b8fd5bac0d69352bd/internal/api/auth.go#L106

echarrod commented 2 months ago

I saw these related issues which are getting the signing method RS256 error:

It also looks like this one had a similar issue for Swift (https://github.com/supabase-community/gotrue-swift/issues/4), and SigninWithIDToken was added; is that what I need to have a bearer token work? 🤔

echarrod commented 2 months ago

I can successfully do:

curl "https://my.supabase.co/rest/v1/auth/users" -H "apikey: myServiceAPIKey"

without getting an API key error, which makes me think it could be the auth mechanism? 🤔

echarrod commented 2 months ago

Pasting the JWT into https://jwt.io/ I can see it does output:

{
  "alg": "HS256",
  "typ": "JWT"
}

...but it also says "invalid signature" at the bottom.

echarrod commented 2 months ago

I think I'll close this. It seems neither of the tokens from the Supabase dashboard is meant to be used here. I instead used a token from a regular user (not an admin token), and it worked.
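The two errors in this thread come from two separate checks in the Auth server. The signature check rejects any token whose header does not name the algorithm the server verifies with (HS256 for the dashboard-issued keys, as the jwt.io output above shows), and the sub check linked from auth.go rejects a token that verified fine but carries no user id, which is what the anon and service_role keys look like: a role claim, no sub. As an added example, not code from this issue or from supabase-go, the Go program below reproduces both checks locally with the standard library only. The secret, the claims and the three sample tokens are all constructed inline, and the function and error names (signToken, verifyUserToken, ErrBadAlg, ErrBadSig, ErrMissingSub) are this example's own, not the Auth server's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors matching the messages in the thread (signature failure included).
var (
	ErrBadAlg     = errors.New("signing method is invalid (only HS256 is accepted)")
	ErrBadSig     = errors.New("token signature is invalid")
	ErrMissingSub = errors.New("invalid claim: missing sub claim")
)

// exampleSecret is a constructed value; a real project's JWT secret comes from the dashboard.
const exampleSecret = "constructed-example-secret-do-not-use"
type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

type claims struct {
	Sub  string `json:"sub,omitempty"`
	Role string `json:"role"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// signToken builds a compact JWT and signs it with HMAC-SHA256. The header is used
// verbatim, so a token can claim RS256 in its header while carrying an HMAC signature.
func signToken(hdr header, cl claims, secret []byte) string {
	h, _ := json.Marshal(hdr)
	c, _ := json.Marshal(cl)
	signingInput := b64(h) + "." + b64(c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyUserToken applies the checks in the order the server reports them: algorithm,
// then signature, then the sub claim. The anon and service_role keys fail the last one.
func verifyUserToken(token string, secret []byte) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token: expected three segments")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return claims{}, fmt.Errorf("malformed header: %w", err)
	}
	var hdr header
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return claims{}, fmt.Errorf("malformed header: %w", err)
	}
	// Pin the algorithm before touching the signature; the token never chooses how it is verified.
	if hdr.Alg != "HS256" {
		return claims{}, fmt.Errorf("%w: got %q", ErrBadAlg, hdr.Alg)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return claims{}, ErrBadSig
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims{}, fmt.Errorf("malformed payload: %w", err)
	}
	var cl claims
	if err := json.Unmarshal(cb, &cl); err != nil {
		return claims{}, fmt.Errorf("malformed payload: %w", err)
	}
	// A token with a role but no sub is an API key, not a user identity.
	if cl.Sub == "" {
		return cl, ErrMissingSub
	}
	return cl, nil
}

func main() {
	secret := []byte(exampleSecret)
	hs := header{Alg: "HS256", Typ: "JWT"}
	userID := "00000000-0000-4000-8000-000000000001" // constructed user id
	samples := []struct{ name, tok string }{
		{"anon key", signToken(hs, claims{Role: "anon"}, secret)},
		{"user token", signToken(hs, claims{Sub: userID, Role: "authenticated"}, secret)},
		{"RS256 header", signToken(header{Alg: "RS256", Typ: "JWT"}, claims{Sub: userID, Role: "authenticated"}, secret)},
	}
	for _, s := range samples {
		cl, err := verifyUserToken(s.tok, secret)
		fmt.Printf("%-12s role=%q sub=%q err=%v\n", s.name, cl.Role, cl.Sub, err)
	}
}
```

Two design points carry over to real code. The algorithm is compared against a fixed expectation before the signature is even computed, so a token cannot steer the verifier into a different scheme; and the sub check runs only after the signature has passed, so an unsigned token with a sub in it is still rejected. This local check assumes a project whose Auth server signs with the shared HS256 secret, and it only tells you the token is genuine and names a user; it does not replace the GetUser round trip if you need to know that the user still exists or is not banned.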