From ffca92d08a7696ce51bf77e2ad42b641d3792ec2 Mon Sep 17 00:00:00 2001
From: markov <markov@uix.su>
Date: Tue, 24 Feb 2026 09:38:31 +0100
Subject: [PATCH] fix: JWT auth fallback by slug in WS handler

---
 src/tracker/ws/handler.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/tracker/ws/handler.py b/src/tracker/ws/handler.py
index 03339c5..d435ddb 100644
--- a/src/tracker/ws/handler.py
+++ b/src/tracker/ws/handler.py
@@ -106,12 +106,21 @@ async def _authenticate(ws: WebSocket, token: str, on_behalf_of: str | None = No
             try:
                 payload = decode_jwt(token)
                 member_id = payload["sub"]
+                # sub can be UUID (Tracker JWT) or slug (legacy BFF JWT)
                 result = await db.execute(
                     select(Member).where(Member.id == member_id)
                     .options(selectinload(Member.agent_config))
                 )
                 member = result.scalar_one_or_none()
-                logger.info("JWT auth successful for member_id=%s", member_id)
+                if not member and payload.get("slug"):
+                    # Fallback: try by slug
+                    result = await db.execute(
+                        select(Member).where(Member.slug == payload["slug"])
+                        .options(selectinload(Member.agent_config))
+                    )
+                    member = result.scalar_one_or_none()
+                if member:
+                    logger.info("JWT auth successful for %s", member.slug)
             except Exception as e:
                 logger.warning("JWT decode failed: %s", e)