fix: correctly decode base64 supabase secret and specify HS256 algorithm with precise multi-key kid header

adriannoes · adriannoes · commit a8ae658723c4 · 2026-03-21T22:10:11.000-03:00
diff --git a/src/auth.ts b/src/auth.ts
@@ -25,8 +25,10 @@ const config: NextAuthConfig = {
         }
       }
 
-      const secret = process.env.SUPABASE_JWT_SECRET
-      if (secret && token.id) {
+      const secretString = process.env.SUPABASE_JWT_SECRET
+      if (secretString && token.id) {
+        // Must strictly decode base64 into raw bytes for Supabase HS256!
+        const secretBuffer = Buffer.from(secretString, "base64")
         token.supabaseAccessToken = jwt.sign(
           {
             aud: "authenticated",
@@ -35,7 +37,13 @@ const config: NextAuthConfig = {
             email: token.email,
             role: "authenticated",
           },
-          secret,
+          secretBuffer,
+          {
+            header: {
+              alg: "HS256",
+              kid: "7F438B89-1B14-4807-95B5-AAB76A6A0051",
+            },
+          },
         )
       }
       return token

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,10 @@ const config: NextAuthConfig = {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
`28`		`- const secret = process.env.SUPABASE_JWT_SECRET`
`29`		`- if (secret && token.id) {`
	`28`	`+ const secretString = process.env.SUPABASE_JWT_SECRET`
	`29`	`+ if (secretString && token.id) {`
	`30`	`+ // Must strictly decode base64 into raw bytes for Supabase HS256!`
	`31`	`+ const secretBuffer = Buffer.from(secretString, "base64")`
`30`	`32`	`token.supabaseAccessToken = jwt.sign(`
`31`	`33`	`{`
`32`	`34`	`aud: "authenticated",`
`@@ -35,7 +37,13 @@ const config: NextAuthConfig = {`
`35`	`37`	`email: token.email,`
`36`	`38`	`role: "authenticated",`
`37`	`39`	`},`
`38`		`- secret,`
	`40`	`+ secretBuffer,`
	`41`	`+ {`
	`42`	`+ header: {`
	`43`	`+ alg: "HS256",`
	`44`	`+ kid: "7F438B89-1B14-4807-95B5-AAB76A6A0051",`
	`45`	`+ },`
	`46`	`+ },`
`39`	`47`	`)`
`40`	`48`	`}`
`41`	`49`	`return token`