
Auth: Provide User Metadata Payload alongside JWE to Simplify Frontend Logic #33

@omatheusmesmo

Description

Currently, the frontend is expected to decrypt the JWE to extract the User ID for authorization and UI logic, which is complex and prone to errors. To simplify this, the backend should provide a basic user metadata payload alongside the token during authentication.

Proposed Changes

  • Backend: Update authentication responses (Login/Signup) to return a JSON object containing both the JWE and a user metadata object.
    {
      "token": "ey...",
      "user": {
        "id": 123,
        "fullName": "John Doe",
        "email": "john@example.com"
      }
    }
  • Frontend: Update AuthService to store and expose this metadata via a Signal or Observable (currentUser), removing any token decryption logic from the client.

🛡️ Security Model

  • Client-Side: The user object is used strictly for UI and local logic (e.g., displaying the name, filtering views).
  • Server-Side: The backend must ignore any User ID sent by the client in request bodies for sensitive operations. The JWE remains the only source of truth for authentication and authorization. The server must always extract the userId from the validated token before processing any request.
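The two halves of this proposal, the combined `{ token, user }` response and the server-side rule that ownership is decided only by the userId recovered from the validated token, as an added TypeScript example (not this project's code). The JWE validation is simulated with a constructed lookup table, the `AuthService` stand-in uses plain getters instead of an Angular Signal so it runs without Angular, and `TodoList`, `authorizeListEdit` and the token strings are assumed names for illustration.

```typescript
// Added example, not the project's own code. Models the issue's proposal:
// the auth endpoint returns { token, user }, the client keeps `user` only for
// UI, and the server checks ownership against the userId recovered from the
// validated token, never against an id supplied in the request body.

interface UserMetadata {
  id: number;
  fullName: string;
  email: string;
}

interface AuthResponse {
  token: string; // the JWE; opaque to the client
  user: UserMetadata;
}

// --- Backend side ---------------------------------------------------------

// Hypothetical result of the server's JWE layer after it has decrypted and
// validated the token. In a real backend this comes from the JWE library;
// here it is simulated with a table of constructed token strings.
interface ValidatedToken {
  userId: number;
}

const CONSTRUCTED_SESSIONS: Record<string, ValidatedToken> = {
  "jwe-for-alice": { userId: 123 },
  "jwe-for-bob": { userId: 456 },
};

// Stand-in for JWE validation. Returns null for unknown or invalid tokens.
function validateToken(token: string): ValidatedToken | null {
  return CONSTRUCTED_SESSIONS[token] ?? null;
}

// Builds the combined payload proposed in the issue.
function buildAuthResponse(token: string, user: UserMetadata): AuthResponse {
  return { token, user };
}

interface TodoList {
  id: number;
  ownerId: number;
  name: string;
}

type EditListOutcome = "unauthenticated" | "forbidden" | "ok";

// Ownership check for "edit a list". The request body may carry a `userId`
// (the client can put anything there); it is deliberately never consulted.
// Only the userId from the validated token decides the outcome.
function authorizeListEdit(
  authorizationHeader: string | undefined,
  list: TodoList,
  body: { userId?: number; name: string },
): EditListOutcome {
  const token = authorizationHeader?.replace(/^Bearer\s+/i, "");
  const session = token ? validateToken(token) : null;
  if (!session) return "unauthenticated";
  void body.userId; // present on the wire, ignored by design
  return list.ownerId === session.userId ? "ok" : "forbidden";
}

// --- Frontend side --------------------------------------------------------

// Minimal stand-in for the Angular AuthService. The real service would expose
// `currentUser` as a Signal or Observable; here it is a plain getter so the
// example runs without Angular. Note there is no JWE decoding on the client.
class AuthService {
  private token: string | null = null;
  private user: UserMetadata | null = null;

  setSession(res: AuthResponse): void {
    this.token = res.token;
    this.user = res.user;
  }

  get currentUser(): UserMetadata | null {
    return this.user;
  }

  get currentUserId(): number | null {
    return this.user?.id ?? null;
  }

  // Header the client attaches to API calls; the token is forwarded as-is.
  authHeader(): Record<string, string> {
    return this.token ? { Authorization: `Bearer ${this.token}` } : {};
  }

  logout(): void {
    this.token = null;
    this.user = null;
  }
}
```

The acceptance criterion "ownership is checked against the token, not client-provided IDs" maps directly onto `authorizeListEdit`: a request carrying a different `userId` in its body but a token for another user is still refused, and a missing or unknown token never reaches the ownership comparison.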

Acceptance Criteria

  • Auth endpoints return a combined Token + User Metadata payload.
  • AuthService provides easy access to the current User ID without token decoding.
  • Backend security is verified: resource ownership (e.g., editing a list) is checked against the token, not client-provided IDs.

Priority

This is critical to unblock permission-based features and list ownership logic.

Metadata

Labels

  • backend
  • frontend (Issues related to the Angular frontend)
  • priority:critical (Highest priority; fix immediately)
  • security (Security related issue)
