Add OAuth JWT auth for dashboard API

[dobrac]

Motivation

Dashboard and API auth were tied to Supabase-specific HMAC JWT configuration (SUPABASE_JWT_SECRETS) and Supabase-specific headers. That made it hard to support other auth providers that issue JWTs signed with JWKS, and it forced provider-specific settings to spread across several environment variables.

This change introduces one generic auth-provider JWT verification path that supports both existing Supabase-style HMAC tokens and JWKS-backed providers. It keeps the old Supabase headers as compatibility aliases, while adding provider-neutral bearer token and team header schemes.

Summary

• Add shared auth-provider JWT verification with HMAC and JWKS verifier strategies.
• Support multiple configured JWT verifier strategies at the same time, useful during migration from legacy HMAC to JWKS.
• Replace API/dashboard service-level SUPABASE_JWT_SECRETS with one structured AUTH_PROVIDER_CONFIG JSON value.
• Default API/dashboard auth-provider config to HMAC using the existing Supabase JWT secret when explicit config is not supplied.
• Use github.com/MicahParks/keyfunc/v3/jwkset for JWKS lookup, caching, and refresh.
• Require JWKS URLs to use HTTPS.
• Require user_id_claim to resolve directly to an internal UUID; no email fallback.
• Wire auth-provider bearer token and X-Team-Id team header in both API and dashboard API, while keeping Supabase headers as compatibility aliases.

Config shape

JWKS:

{
  "jwt": {
    "issuer": "https://issuer.example.com",
    "audience": "dashboard-api",
    "user_id_claim": "sub",
    "jwks": {
      "url": "https://issuer.example.com/.well-known/jwks.json",
      "cache_duration": "5m"
    }
  }
}

HMAC:

{
  "jwt": {
    "user_id_claim": "sub",
    "hmac": {
      "secrets": ["secret-1", "secret-2"]
    }
  }
}

Both can be configured together during migration/rotation:

{
  "jwt": {
    "issuer": "https://issuer.example.com",
    "audience": "dashboard-api",
    "user_id_claim": "sub",
    "hmac": {
      "secrets": ["legacy-secret"]
    },
    "jwks": {
      "url": "https://issuer.example.com/.well-known/jwks.json",
      "cache_duration": "5m"
    }
  }
}

  

[claude]

Test review

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 12e42ef. Configure here.}