"""Resolve comment author from Supabase JWT (app account) or request body (HF OAuth)."""
import os
from typing import Optional

import jwt
from fastapi import Header, HTTPException

# Shared HS256 signing secret, copied from Supabase Project Settings → API → JWT Secret.
# Optional: when it is unset, get_author_from_bearer() returns None for every request,
# so app-account (Supabase) comment authors are never resolved.
# This is a symmetric key: whoever holds it can mint tokens this module accepts, so
# supply it through the environment only and keep it out of logs and source control.
SUPABASE_JWT_SECRET = os.getenv("SUPABASE_JWT_SECRET")


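def get_author_from_bearer(authorization: Optional[str] = Header(None)) -> Optional[str]:
    """Return a display name for the caller of a verified Supabase access token.

    The ``Authorization`` header must carry ``Bearer <supabase_jwt>``. The token is
    verified with ``SUPABASE_JWT_SECRET`` (HS256 only, audience ``authenticated``)
    and must contain ``exp`` and ``sub``.

    Args:
        authorization: Raw ``Authorization`` header value, injected by FastAPI.

    Returns:
        The first non-empty value among ``user_metadata.name``,
        ``user_metadata.full_name``, ``email`` and ``sub``, stripped of surrounding
        whitespace. ``None`` when the secret is not configured, the header is
        missing or not a Bearer credential, the token fails verification, or no
        usable claim is present.

    Security note:
        Supabase lets a signed-in user edit their own ``user_metadata``, so the
        returned name is a self-chosen label, not a verified identity. Use ``sub``
        for ownership or permission checks, and escape the name before rendering.
    """
    if not SUPABASE_JWT_SECRET or not authorization:
        return None

    # The auth scheme is case-insensitive (RFC 9110), so "bearer" is accepted too.
    scheme, _, credentials = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return None
    token = credentials.strip()
    if not token:
        return None

    try:
        payload = jwt.decode(
            token,
            SUPABASE_JWT_SECRET,
            audience="authenticated",
            # Pin the algorithm; never derive it from the token header.
            algorithms=["HS256"],
            # PyJWT validates exp only when the claim is present; requiring it
            # rejects tokens that would otherwise never expire.
            options={"require": ["exp", "sub"]},
        )
    except jwt.PyJWTError:
        return None

    # user_metadata is caller-controlled; anything other than an object is ignored
    # instead of raising AttributeError (an unhandled 500) on .get().
    meta = payload.get("user_metadata")
    if not isinstance(meta, dict):
        meta = {}

    candidates = (
        meta.get("name"),
        meta.get("full_name"),
        payload.get("email"),
        payload.get("sub"),
    )
    for candidate in candidates:
        if not candidate:
            continue
        text = str(candidate).strip()
        # A whitespace-only value falls through to the next claim rather than
        # producing an empty author.
        if text:
            return text
    return None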