Pin Clerk issuer to prevent JWKS endpoint spoofing#9

Draft

Copilot wants to merge 2 commits into staging from copilot/sub-pr-8

Conversation

Copilot AI commented Mar 11, 2026

JWT verification was deriving the JWKS URL from the unverified token's iss claim, allowing an attacker to forge a token with a custom iss pointing to an attacker-controlled JWKS and have it validate successfully.

Changes

  • config.py: Added clerk_issuer: str field (CLERK_ISSUER env var); warns at startup if unset
  • auth.py:
    • JWKS URL derived from settings.clerk_issuer exclusively — never from token claims
    • Token iss validated against settings.clerk_issuer before any JWKS fetch; mismatch → 401
    • issuer=expected_issuer passed to jwt.decode() for library-level enforcement
    • Missing CLERK_ISSUER → 500 (fail-closed, not fail-open)
  • .env.example: Documents CLERK_ISSUER

```python
# Before — JWKS fetched from attacker-controlled iss
issuer = unverified_claims.get("iss", "")
jwks = await _get_jwks(http_client, issuer)

# After — JWKS fetched from pinned config; token iss must match
expected_issuer = settings.clerk_issuer  # e.g. https://<subdomain>.clerk.accounts.dev
if token_issuer != expected_issuer:
    raise HTTPException(status_code=401, detail="Invalid token issuer")
jwks = await _get_jwks(http_client, f"{expected_issuer}/.well-known/jwks.json")
```

Co-authored-by: DIodide <68827140+DIodide@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP address feedback on full application build" to "Pin Clerk issuer to prevent JWKS endpoint spoofing" on Mar 11, 2026
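The vulnerable and pinned verification paths side by side, as an added example that is not part of this PR's code: a stubbed fetcher stands in for the HTTP JWKS request so the block records which URL would have been contacted, HS256 keys stand in for Clerk's RS256 JWKS so it runs on the standard library alone, and the issuer, URLs, key ids and keys are constructed values.

```python
import base64, hashlib, hmac, json
# Constructed values (not the project's): the pinned CLERK_ISSUER and two stubbed
# JWKS documents, one hosted by the trusted issuer and one by an attacker. HS256
# keys stand in for Clerk's RS256 public keys so the block runs on the stdlib alone.
TRUSTED_ISSUER = "https://example.clerk.accounts.dev"
JWKS_BY_URL = {
    f"{TRUSTED_ISSUER}/.well-known/jwks.json": {"kid-1": b"trusted-key"},
    "https://attacker.example/.well-known/jwks.json": {"kid-1": b"attacker-key"},
}
FETCH_LOG = []  # records every JWKS URL the verifier actually fetched

def fetch_jwks(url):  # stand-in for the HTTP fetch done by _get_jwks
    FETCH_LOG.append(url)
    return JWKS_BY_URL[url]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims, kid, key):  # builds a compact JWS: header.payload.signature
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def _sig_ok(token, jwks):  # verifies the signature with the key named by kid
    header, body, sig = token.split(".")
    kid = json.loads(b64url_decode(header))["kid"]
    want = hmac.new(jwks[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(want, b64url_decode(sig))

def verify_vulnerable(token):
    """Before: the JWKS URL is derived from the unverified iss claim."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    jwks = fetch_jwks(f"{claims['iss']}/.well-known/jwks.json")
    return "ok" if _sig_ok(token, jwks) else "401"

def verify_pinned(token, expected_issuer=TRUSTED_ISSUER):
    """After: iss must equal the pinned issuer before any fetch; URL comes from config."""
    if not expected_issuer:
        return "500"  # CLERK_ISSUER unset: fail closed, never fall back to the token
    claims = json.loads(b64url_decode(token.split(".")[1]))
    if claims.get("iss") != expected_issuer:
        return "401"
    jwks = fetch_jwks(f"{expected_issuer}/.well-known/jwks.json")
    return "ok" if _sig_ok(token, jwks) else "401"

# Constructed tokens: one signed with the attacker's key, one with the trusted key.
FORGED = mint({"sub": "victim", "iss": "https://attacker.example"}, "kid-1", b"attacker-key")
GENUINE = mint({"sub": "alice", "iss": TRUSTED_ISSUER}, "kid-1", b"trusted-key")
```

Checking FETCH_LOG after calling verify_pinned on FORGED shows the property the PR relies on: the mismatching token is rejected before any JWKS URL is contacted.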