I found a strange behavior about JWT and auth.user using the default auth middleware.
I start my server with a fresh database and two users seeded, A and B.
I then log in as user B and get a JWT token that I use to access a protected route.
The auth.user is the correct one: B.
I then reset my migrations and reseed the DB, but this time I removed B from the seeds.
I then try to access the protected route using the SAME token that was generated in the first server / migration / seed run.
To my surprise, it passes the auth check and returns A as the authenticated user!!!
I am not a security guru but I feel there is something wrong with this behaviour.
Of course I also tested simply removing the second user while the server is still running, but then the behaviour is correct: E_INVALID_JWT_TOKEN.
My guess is that auth is only based on the serial id of the user in the DB to match users and not on other things like email and so on.
Anybody with more insights?