From 9c4a2e1b1a0c21ddb13e0a986121aca594fe723d Mon Sep 17 00:00:00 2001
From: Chris Lu <chrislusf@users.noreply.github.com>
Date: Tue, 16 Dec 2025 13:42:18 -0800
Subject: [PATCH] fix: JWT validation failures during replication (#7788)
 (#7795)

fix: add debug logging for JWT validation failures (#7788)

When JWT file ID validation fails during replication, add a log message
showing both the expected and actual file IDs to help diagnose issues.

Ref #7788
---
 weed/server/volume_server_handlers.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/weed/server/volume_server_handlers.go b/weed/server/volume_server_handlers.go
index cf22adf34..84250b8ba 100644
--- a/weed/server/volume_server_handlers.go
+++ b/weed/server/volume_server_handlers.go
@@ -363,7 +363,12 @@ func (vs *VolumeServer) maybeCheckJwtAuthorization(r *http.Request, vid, fid str
 		if sepIndex := strings.LastIndex(fid, "_"); sepIndex > 0 {
 			fid = fid[:sepIndex]
 		}
-		return sc.Fid == vid+","+fid
+		expectedFid := vid + "," + fid
+		if sc.Fid != expectedFid {
+			glog.V(1).Infof("jwt fid mismatch from %s: token has %q, request has %q", r.RemoteAddr, sc.Fid, expectedFid)
+			return false
+		}
+		return true
 	}
 	glog.V(1).Infof("unexpected jwt from %s: %v", r.RemoteAddr, tokenStr)
 	return false