fix: enable es256 jwt signing algorithm support for gotrue (#4489)

7ttp · sweatybridge · web-flow · commit ca241cff1e1a · 2025-11-24T16:12:49.000+08:00
* fix: enable es256 jwt signing algorithm support for gotrue * Apply suggestion from @sweatybridge * Refactor JWT valid methods assignment * Add comment on signing key validation process Added comment about signing key validation and reading key file. --------- Co-authored-by: Han Qiao <sweatybridge@gmail.com>
diff --git a/internal/start/start.go b/internal/start/start.go
@@ -534,6 +534,8 @@ EOF
 		// Since signing key is validated by ResolveJWKS, simply read the key file.
 		if keys, err := afero.ReadFile(fsys, utils.Config.Auth.SigningKeysPath); err == nil && len(keys) > 0 {
 			env = append(env, "GOTRUE_JWT_KEYS="+string(keys))
+			// TODO: deprecate HS256 when it's no longer supported
+			env = append(env, "GOTRUE_JWT_VALID_METHODS=HS256,RS256,ES256")
 		}
 
 		if utils.Config.Auth.Email.Smtp != nil && utils.Config.Auth.Email.Smtp.Enabled {

Original file line number	Diff line number	Diff line change
`@@ -534,6 +534,8 @@ EOF`
`534`	`534`	`// Since signing key is validated by ResolveJWKS, simply read the key file.`
`535`	`535`	`if keys, err := afero.ReadFile(fsys, utils.Config.Auth.SigningKeysPath); err == nil && len(keys) > 0 {`
`536`	`536`	`env = append(env, "GOTRUE_JWT_KEYS="+string(keys))`
	`537`	`+ // TODO: deprecate HS256 when it's no longer supported`
	`538`	`+ env = append(env, "GOTRUE_JWT_VALID_METHODS=HS256,RS256,ES256")`
`537`	`539`	`}`
`538`	`540`
`539`	`541`	`if utils.Config.Auth.Email.Smtp != nil && utils.Config.Auth.Email.Smtp.Enabled {`