From b52d75591b8ff800098e48354e150b960ff3977c Mon Sep 17 00:00:00 2001
From: WorkClub Automation
Date: Fri, 20 Mar 2026 09:34:29 +0100
Subject: [PATCH] Add debug endpoint to inspect JWT claims
---
 backend/WorkClub.Api/Program.cs | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/backend/WorkClub.Api/Program.cs b/backend/WorkClub.Api/Program.cs
index 4a686e9..3986432 100644
--- a/backend/WorkClub.Api/Program.cs
+++ b/backend/WorkClub.Api/Program.cs
@@ -143,8 +143,25 @@ app.MapGet("/weatherforecast", () =>
 })
 .WithName("GetWeatherForecast");
-app.MapGet("/api/test", () => Results.Ok(new { message = "Test endpoint" }))
- .RequireAuthorization();
+app.MapGet("/api/debug/claims", (HttpContext context) =>
+{
+ var claims = context.User.Claims.Select(c => new { c.Type, c.Value }).ToList();
+ var realmAccess = context.User.FindFirst("realm_access")?.Value;
+
+ // Check if the authorization header is present
+ var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
+
+ return Results.Ok(new
+ {
+ isAuthenticated = context.User.Identity?.IsAuthenticated ?? false,
+ authenticationType = context.User.Identity?.AuthenticationType,
+ claimCount = claims.Count,
+ claims = claims,
+ realmAccess = realmAccess,
+ hasAuthHeader = !string.IsNullOrEmpty(authHeader),
+ authHeaderPrefix = authHeader?.Substring(0, Math.Min(20, authHeader?.Length ?? 0))
+ });
+}).RequireAuthorization();
 app.MapTaskEndpoints();
 app.MapShiftEndpoints();
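Review bot: The new `/api/debug/claims` route is mapped unconditionally, so as far as this hunk shows it is registered in every environment and returns the caller's full claim set plus the first 20 characters of the `Authorization` header in a response body that proxies or client-side logs may retain. For a bearer token that prefix is only the scheme and the start of the JWT header, but for any other scheme it can contain credential bytes; reporting the scheme alone, e.g. `authScheme = authHeader?.Split(' ', 2)[0]`, keeps the diagnostic without echoing credential material. I would wrap the mapping in `if (app.Environment.IsDevelopment()) { ... }`, assuming `app` is the `WebApplication` built earlier in Program.cs, which is outside this hunk. Because the route keeps `.RequireAuthorization()`, a request whose token fails validation is presumably rejected before the handler runs, so `isAuthenticated` and `hasAuthHeader` can only report the success case; a comment such as `// Dev-only: echoes the caller's own claims to troubleshoot realm_access mapping` would state the intended use.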