Summary
JWT tokens contain username-based claims that are not refreshed when users rename their profiles.
Operations relying on those claims continue using outdated usernames.
Affected Files
- auth.ts
- follow.ts
- analytics.ts
Root Cause
Username information is embedded into JWT payloads.
When a username changes, existing sessions continue operating with stale claim values until reauthentication occurs.
Reproduction
- Log in.
- Rename the account username.
- Continue using the existing session.
- Perform follow operations.
- Inspect analytics records.
- Observe outdated usernames being recorded.
Expected Behavior
Operations should use current user identity information.
Actual Behavior
Stale usernames continue propagating through follow and analytics workflows.
Why This Is Difficult To Detect
Most testing uses freshly issued tokens.
The issue appears only after profile updates.
Production Impact
- Corrupted analytics
- Inconsistent records
- Follow tracking inaccuracies
- Identity confusion
Suggested Fix
Use immutable user identifiers for analytics and follow relationships.
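The following TypeScript is an added worked example, not code from the affected project; it models the reproduction steps above and the suggested fix with an in-memory user store and plain claim objects. The real auth.ts, follow.ts and analytics.ts are assumed rather than reproduced, the claim names `sub` and `username` are assumptions, and the user records are constructed sample data. It records a follow twice, once keyed on the username claim (the reported behaviour) and once keyed on the immutable identifier (the fix), and includes a small check that flags a session whose username claim no longer matches the user record, the case that tests with freshly issued tokens never exercise.

```typescript
// Added example, not code from the report's project. It models the stale
// username claim with an in-memory user store and plain claim objects; the
// real auth.ts / follow.ts / analytics.ts are assumed, not shown.
// Claim names `sub` and `username` are assumptions.

interface Claims {
  sub: string;      // immutable user id, assumed to be present in the token
  username: string; // mutable handle, snapshotted into the token at login
  iat: number;      // issued-at, seconds since epoch
}

interface User { id: string; username: string; }
interface FollowRecord { follower: string; followee: string; }
interface AnalyticsEvent { actor: string; action: string; }

// Everything the scenario touches, so each run starts from a clean state.
interface World {
  users: Map<string, User>;
  follows: FollowRecord[];
  analytics: AnalyticsEvent[];
}

function makeWorld(): World {
  // Constructed sample users, not real data.
  return {
    users: new Map<string, User>([
      ["u-1001", { id: "u-1001", username: "alice" }],
      ["u-1002", { id: "u-1002", username: "bob" }],
    ]),
    follows: [],
    analytics: [],
  };
}

function getUser(w: World, id: string): User {
  const u = w.users.get(id);
  if (!u) throw new Error(`unknown user ${id}`);
  return u;
}

// Login: the token payload snapshots the username at issue time.
function issueClaims(w: World, id: string): Claims {
  const u = getUser(w, id);
  return { sub: u.id, username: u.username, iat: Math.floor(Date.now() / 1000) };
}

// Profile rename: updates the store, but cannot reach already-issued tokens.
function renameUser(w: World, id: string, newName: string): void {
  getUser(w, id).username = newName;
}

// Reported pattern: follow and analytics keyed on the username claim,
// which is stale after a rename.
function followUsingClaimUsername(w: World, claims: Claims, followeeId: string): FollowRecord {
  const rec: FollowRecord = { follower: claims.username, followee: followeeId };
  w.follows.push(rec);
  w.analytics.push({ actor: claims.username, action: "follow" });
  return rec;
}

// Suggested fix: key both records on the immutable `sub`; when a display
// name is needed, read the current value from the user record, not the token.
function followUsingSubject(w: World, claims: Claims, followeeId: string): FollowRecord {
  const rec: FollowRecord = { follower: claims.sub, followee: followeeId };
  w.follows.push(rec);
  w.analytics.push({ actor: claims.sub, action: "follow" });
  return rec;
}

function currentUsername(w: World, claims: Claims): string {
  return getUser(w, claims.sub).username;
}

// Detection aid: a request whose username claim disagrees with the store is
// the case fresh-token tests never hit; worth logging in production.
function isStaleClaim(w: World, claims: Claims): boolean {
  return getUser(w, claims.sub).username !== claims.username;
}

// Walks the report's reproduction: log in, rename, keep using the old session.
function reproduce(): { stale: string; fixed: string; current: string; flagged: boolean } {
  const w = makeWorld();
  const session = issueClaims(w, "u-1001");                              // log in
  renameUser(w, "u-1001", "alice_renamed");                              // rename the account
  const stale = followUsingClaimUsername(w, session, "u-1002").follower; // old session follows
  const fixed = followUsingSubject(w, session, "u-1002").follower;
  return {
    stale,                                 // "alice": outdated name recorded
    fixed,                                 // "u-1001": immutable id recorded
    current: currentUsername(w, session),  // "alice_renamed"
    flagged: isStaleClaim(w, session),     // true
  };
}

console.log(reproduce());
```

Keying the follow and analytics records on `sub` keeps them correct across renames without forcing reauthentication; the username stays in the token only as a display hint, and `isStaleClaim` gives a cheap signal for spotting sessions that outlived a profile change.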
Severity
Medium-High