From e90cb2631d9a93d0895b72fe0193edf5f3ed638c Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 8 Feb 2026 16:26:53 +0100
Subject: [PATCH] fix(auth): remove unnecessary fields from JWT token payloads

Remove email, name, emailRemindersEnabled, and isLocalUser from user JWT claims, and isLocalUser from link share JWT claims. These fields are never used from the token - the backend always fetches the full user from the database by ID, and the frontend fetches user data from the /user API endpoint immediately after login. Also simplify GetUserFromClaims to only extract id and username, and remove the now-unnecessary email override in the frontend's refreshUserInfo.
---
frontend/src/stores/auth.ts | 1 -
pkg/modules/auth/auth.go | 5 -----
pkg/user/user.go | 10 ----------
3 files changed, 16 deletions(-)

diff --git a/frontend/src/stores/auth.ts b/frontend/src/stores/auth.ts
index 0e02c38b0..21c3b9f63 100644
--- a/frontend/src/stores/auth.ts
+++ b/frontend/src/stores/auth.ts
@@ -325,7 +325,6 @@ export const useAuthStore = defineStore('auth', () => {
 const newUser = new UserModel({
 ...response.data,
 ...(info.value?.type && {type: info.value?.type}),
-...(info.value?.email && {email: info.value?.email}),
 ...(info.value?.exp && {exp: info.value?.exp}),
 })
 
diff --git a/pkg/modules/auth/auth.go b/pkg/modules/auth/auth.go
index 5f6f32b94..95ccfdeaa 100644
--- a/pkg/modules/auth/auth.go
+++ b/pkg/modules/auth/auth.go
@@ -70,11 +70,7 @@ func NewUserJWTAuthtoken(u *user.User, long bool) (token string, err error) {
 claims["type"] = AuthTypeUser
 claims["id"] = u.ID
 claims["username"] = u.Username
-claims["email"] = u.Email
 claims["exp"] = exp
-claims["name"] = u.Name
-claims["emailRemindersEnabled"] = u.EmailRemindersEnabled
-claims["isLocalUser"] = u.Issuer == user.IssuerLocal
 claims["long"] = long
 
 // Generate encoded token and send it as response.
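Review bot: The claim set emitted here is now the only contract the frontend and GetUserFromClaims can rely on, yet the hunk leaves no comment saying the minimal payload is deliberate, so a later change could quietly re-add profile fields. Suggest a comment above `claims["type"] = AuthTypeUser`: `// Keep the payload minimal: the token only identifies the user (id, username); every other attribute is loaded from the database per request. The JWT is signed, not encrypted, so anything added here is readable by whoever holds the token.` The diffstat shows only the `email` reader in auth.ts being removed; if any other frontend code decoded `name`, `emailRemindersEnabled` or `isLocalUser` from the token it now receives undefined, which is worth a grep before merging (the same applies to the link-share hunk below dropping `isLocalUser`). Tokens issued before this deploy still carry the old claims until they expire, which is harmless as long as nothing reads them. The body of NewUserJWTAuthtoken continues both before and after this hunk.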
@@ -97,7 +93,6 @@ func NewLinkShareJWTAuthtoken(share *models.LinkSharing) (token string, err erro
 claims["permission"] = share.Permission
 claims["sharedByID"] = share.SharedByID
 claims["exp"] = exp
-claims["isLocalUser"] = true // Link shares are always local
 
 // Generate encoded token and send it as response.
 return t.SignedString([]byte(config.ServiceJWTSecret.GetString()))
diff --git a/pkg/user/user.go b/pkg/user/user.go
index bf79b5aba..a8abdc633 100644
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@@ -461,24 +461,14 @@ func GetUserFromClaims(claims jwt.MapClaims) (user *User, err error) {
 if err != nil {
 return nil, err
 }
-email, err := getClaimAsString(claims, "email")
-if err != nil {
-return nil, err
-}
 username, err := getClaimAsString(claims, "username")
 if err != nil {
 return nil, err
 }
-name, err := getClaimAsString(claims, "name")
-if err != nil {
-return nil, err
-}
 return &User{
 ID: userID,
-Email: email,
 Username: username,
-Name: name,
 }, nil
 }
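Review bot: GetUserFromClaims now returns a `*User` with only `ID` and `Username` populated, but nothing in the hunk tells callers that `Email`, `Name` and every other field are zero values rather than the stored values; the function's doc comment sits above the hunk and should say so. Suggest adding to that doc comment: `// The returned User is only a token-derived stub carrying ID and Username; callers must load the full record from the database before relying on any other field.` The `username` claim is still extracted even though the commit message states the backend always re-fetches by ID, so it is worth stating whether it is kept on purpose (e.g. for the frontend's initial render) or could be dropped as well. The function's first statement, which assigns userID and err, lies before the first hunk line.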