From ea009c46c661ffab7da7d9d6dde5fbcf30d59cff Mon Sep 17 00:00:00 2001 From: Natalia Portillo Date: Sat, 4 Jul 2026 14:47:05 +0100 Subject: [PATCH] Fix JWT sub claim to carry the actual user ID The sub claim was hardcoded to the literal string "TokenForTheApiWithAuth" for every token, making it useless for identifying the principal. It now holds user.Id, matching the JWT spec and enabling standard token inspection and future revocation workflows. --- Marechai.Server/Services/TokenService.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Marechai.Server/Services/TokenService.cs b/Marechai.Server/Services/TokenService.cs index a326d321..c8cb8e16 100644 --- a/Marechai.Server/Services/TokenService.cs +++ b/Marechai.Server/Services/TokenService.cs @@ -64,7 +64,7 @@ public sealed class TokenService(IConfiguration configuration) { List claims = [ - new(JwtRegisteredClaimNames.Sub, "TokenForTheApiWithAuth"), + new(JwtRegisteredClaimNames.Sub, user.Id), new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), new(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString(CultureInfo.InvariantCulture)),