Remove redundant id field from JWT payloads

Drop the duplicated `id` alias from JWT payloads and related token generation across auth providers and endpoints. The TokenPayload interface no longer includes `id`; middleware now derives `user.id` from `sub` when attaching the authenticated user to requests. Update tests accordingly. This reduces redundancy and ensures the canonical user identifier is `sub`.
kikootwo
2026-03-04 15:36:28 -05:00
parent a50fbc721e
commit 95917715b1
11 changed files with 3 additions and 15 deletions
+3 -4
@@ -13,7 +13,7 @@ import { API_TOKEN_PREFIX, isEndpointAllowed } from '../constants/api-tokens';
const logger = RMABLogger.create('Auth');
export interface AuthenticatedRequest extends NextRequest {
user?: TokenPayload;
user?: TokenPayload & { id: string };
}
/**
@@ -89,7 +89,6 @@ async function authenticateApiToken(token: string): Promise<TokenPayload | null>
// Use the token's target user (userId), not the creator (createdById)
return {
sub: user.id,
id: user.id,
plexId: user.plexId,
username: user.plexUsername,
role: apiToken.role,
@@ -149,7 +148,7 @@ export async function requireAuth(
}
const authenticatedRequest = request as AuthenticatedRequest;
authenticatedRequest.user = apiUser;
authenticatedRequest.user = { ...apiUser, id: apiUser.sub };
return handler(authenticatedRequest);
}
@@ -191,7 +190,7 @@ export async function requireAuth(
const authenticatedRequest = request as AuthenticatedRequest;
authenticatedRequest.user = {
...payload,
id: user.id,
id: payload.sub,
};
return handler(authenticatedRequest);
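Review bot: In the JWT branch of requireAuth (the `@@ -191` hunk), `id: payload.sub` now takes the request's user id from the token claim, whereas the removed line read `user.id`, which looks like a record loaded earlier in the function, outside the hunk. `TokenPayload` only asserts at compile time that `sub` is a string. If the verification step does not check the claim at runtime, a validly signed token with a missing or empty `sub` would attach `id: undefined`, and handlers that scope lookups by `req.user.id` could then behave unpredictably. I would guard before attaching, e.g. `if (typeof payload.sub !== 'string' || payload.sub === '') { /* reject as unauthenticated */ }`, or keep `id: user.id` if that record is still in scope. The `@@ -149` hunk's `id: apiUser.sub` is lower risk, since authenticateApiToken sets `sub` from `user.id` directly.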
@@ -250,7 +250,6 @@ export class LocalAuthProvider implements IAuthProvider {
private async generateTokens(userInfo: UserInfo & { plexId: string }): Promise<AuthTokens> {
const tokenPayload = {
sub: userInfo.id,
id: userInfo.id,
plexId: userInfo.plexId,
username: userInfo.username,
role: userInfo.role || 'user',
@@ -516,7 +516,6 @@ export class OIDCAuthProvider implements IAuthProvider {
private async generateTokens(userInfo: UserInfo): Promise<AuthTokens> {
const accessToken = generateAccessToken({
sub: userInfo.id,
id: userInfo.id,
plexId: userInfo.id, // For backwards compatibility
username: userInfo.username,
role: userInfo.role || 'user',
@@ -250,7 +250,6 @@ export class PlexAuthProvider implements IAuthProvider {
private async generateTokens(userInfo: UserInfo): Promise<AuthTokens> {
const accessToken = generateAccessToken({
sub: userInfo.id,
id: userInfo.id,
plexId: userInfo.id, // For backwards compatibility
username: userInfo.username,
role: userInfo.role || 'user',
-1
@@ -17,7 +17,6 @@ const REFRESH_TOKEN_EXPIRY = '7d'; // 7 days
export interface TokenPayload {
sub: string; // User ID
id: string; // User ID (alias for sub, used by req.user.id throughout the codebase)
plexId: string;
username: string;
role: string;