From c5a56c84793ceaa06841b9e316fe7c94fd1c8f66 Mon Sep 17 00:00:00 2001
From: ae
Date: Tue, 1 Apr 2025 12:19:25 +0300
Subject: [PATCH] fix: compare claims subject (user ID) instead of token's ID
---
 server/pkg/service/middleware.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/pkg/service/middleware.go b/server/pkg/service/middleware.go
index 35fd2ee..b730a8b 100644
--- a/server/pkg/service/middleware.go
+++ b/server/pkg/service/middleware.go
@@ -78,7 +78,7 @@ func ownerOnlyMiddleware(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 user, ok := r.Context().Value(userCtxKey{}).(*userClaims)
 requestedID := chi.URLParam(r, "id")
- if !ok || user.ID != requestedID {
+ if !ok || user.Subject != requestedID {
 respondError(w, http.StatusForbidden, "Forbidden")
 return
 }
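Review bot: The ownership check on the changed `if` line still passes when both sides are empty strings, so it can fail open. `chi.URLParam(r, "id")` returns `""` if this middleware is ever mounted on a route without an `id` parameter, and `user.Subject` would presumably be `""` for a token carrying no subject claim; whether token validation rejects a missing subject is not visible in this hunk. A typed-nil `*userClaims` stored in the context would also satisfy the type assertion and then panic on the field access. I would make the guard explicit: `if !ok || user == nil || user.Subject == "" || user.Subject != requestedID {`. `ownerOnlyMiddleware` starts in the hunk header and its body continues past the last line shown, so the rest of the handler was not reviewed.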