Parent bounty: #743
Bug
apps/api/src/services/authService.js generates a timestamp-based user id twice during registration: once for the returned id field and once for the JWT sub claim.
Current behavior can return one user id while signing the token for a different sub if the two Date.now() calls cross a millisecond boundary.
Expected
- Generate the user id once.
- Return that same id in the registration response.
- Sign the access token with that same id as the sub claim.
- Add focused service coverage proving the decoded token subject matches result.id.
Related reissue: #2674
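
The mismatch described in this issue and the generate-once shape it asks for, as an added example that is not the project's code. The `user_<timestamp>` id format, the function names, the demo secret and the injected clock are assumptions for illustration, and a small HS256 signer stands in for whatever JWT library the service uses.

```javascript
// Added illustration, not code from authService.js; all names are hypothetical.
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value, demo only
const b64url = (s) => Buffer.from(s).toString("base64url");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Minimal HS256 signer so the example runs without a JWT dependency.
function signJwt(payload, secret = SECRET) {
  const input = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${hmac(input, secret).toString("base64url")}`;
}

// Checks the signature, then returns the decoded claims.
function verifyJwt(token, secret = SECRET) {
  const [head, body, sig] = token.split(".");
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig || "", "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("invalid signature");
  }
  return JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
}

// Test clock that advances 1 ms per call, forcing the millisecond-boundary case.
function tickingClock(start = 1700000000000) {
  let t = start;
  return () => t++;
}

// Pattern from the report: the id is derived from the clock twice.
function registerBuggy(email, now = Date.now) {
  return { id: `user_${now()}`, email, accessToken: signJwt({ sub: `user_${now()}`, email }) };
}

// Expected behavior: generate the id once and reuse it for the response and the sub claim.
function registerFixed(email, now = Date.now) {
  const id = `user_${now()}`;
  return { id, email, accessToken: signJwt({ sub: id, email }) };
}

// The service-level check the issue asks for: decoded token subject equals result.id.
function subjectMatchesId(result) {
  return verifyJwt(result.accessToken).sub === result.id;
}
```

Injecting the clock makes the boundary case deterministic, so the coverage fails on the double-call pattern every run instead of only when two real `Date.now()` calls happen to straddle a millisecond.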