From 287e5afbac0c52a309dd70ec49fed539500efa80 Mon Sep 17 00:00:00 2001
From: CREDO23
Date: Thu, 5 Feb 2026 18:11:33 +0200
Subject: [PATCH] Fix JWT audience validation when creating refresh token
---
 surfsense_backend/app/users.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/surfsense_backend/app/users.py b/surfsense_backend/app/users.py
index aef94d558..696cdf25e 100644
--- a/surfsense_backend/app/users.py
+++ b/surfsense_backend/app/users.py
@@ -219,7 +219,7 @@ class CustomBearerTransport(BearerTransport):
 # Decode JWT to get user_id for refresh token creation
 try:
- payload = jwt.decode(token, SECRET, algorithms=["HS256"])
+ payload = jwt.decode(token, SECRET, algorithms=["HS256"], options={"verify_aud": False})
 user_id = uuid.UUID(payload.get("sub"))
 refresh_token = await create_refresh_token(user_id)
 except Exception as e:
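Review bot: The new `jwt.decode(...)` call stops the decode error by turning the audience check off with `options={"verify_aud": False}` rather than by satisfying it. Any token signed with `SECRET` is now accepted here regardless of its `aud` claim. If the same secret also signs tokens for other purposes (fastapi-users conventionally uses separate audiences for auth, reset and verify tokens; whether that applies here is not visible in the hunk), this path would mint a refresh token for them. Passing the expected audience keeps the check in place: `payload = jwt.decode(token, SECRET, algorithms=["HS256"], audience=EXPECTED_AUDIENCE)`, where `EXPECTED_AUDIENCE` is a placeholder for the audience the login JWT strategy issues with. Separately, a missing `sub` makes `uuid.UUID(None)` raise into the broad `except Exception`; the enclosing method starts and ends outside the hunk, so how that handler reports the failure cannot be judged from here.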