fix: review findings -- null metadata coalescing, case-insensitive Bearer, yield fixture

1. metadata: payload.get('user_metadata', {}) returns None when key
   exists with null value. Changed to 'or {}' pattern so downstream
   code can safely index result['metadata'].

2. Bearer prefix: was case-sensitive ('Bearer '), now handles
   'bearer ', 'BEARER ' etc. Defensive -- most callers never hit
   this but WebSocket handlers pass raw query params.

3. Test fixture: changed from return to yield so patches stay active
   for the full test lifetime (correct pytest pattern).

4. Added 2 tests: null metadata coalescing, case-insensitive Bearer.

281 tests pass (270 existing + 11 new).

Author: DevanshuNEU

backend/services/auth.py

@@ -35,7 +35,7 @@ def verify_jwt(self, token: str) -> Dict[str, Any]:
         No network call required -- instant verification using HS256.
         Falls back to Supabase API call if JWT_SECRET is not configured.
         """
-        if token.startswith("Bearer "):
+        if token.lower().startswith("bearer "):
             token = token[7:]
 
         # local decode when secret is available (fast path, no network)
@@ -65,7 +65,7 @@ def _verify_local(self, token: str) -> Dict[str, Any]:
             return {
                 "user_id": user_id,
                 "email": payload.get("email"),
-                "metadata": payload.get("user_metadata", {}),
+                "metadata": payload.get("user_metadata") or {},
             }
 
         except jwt.ExpiredSignatureError:

backend/tests/test_jwt_local_decode.py

@@ -30,7 +30,7 @@ def auth_service():
             "SUPABASE_JWT_SECRET": JWT_SECRET,
         }):
             from services.auth import SupabaseAuthService
-            return SupabaseAuthService()
+            yield SupabaseAuthService()
 
 
 class TestLocalJWTDecode:
@@ -100,6 +100,19 @@ def test_metadata_defaults_to_empty_dict(self, auth_service):
 
         assert result["metadata"] == {}
 
+    def test_metadata_null_coalesced_to_empty_dict(self, auth_service):
+        """user_metadata can be explicitly null in Supabase JWTs."""
+        token = _make_token({"sub": "user-null-meta", "user_metadata": None})
+        result = auth_service.verify_jwt(token)
+
+        assert result["metadata"] == {}
+
+    def test_bearer_prefix_case_insensitive(self, auth_service):
+        token = _make_token({"sub": "user-case"})
+        for prefix in ["Bearer ", "bearer ", "BEARER "]:
+            result = auth_service.verify_jwt(f"{prefix}{token}")
+            assert result["user_id"] == "user-case"
+
 
 class TestAPIFallback:
     """When JWT secret is not configured, fall back to Supabase API."""