Simplify JWT: remove capability claims and enforce server-side authorization

[tommaso-ascani]

Description

JWT tokens currently include capability claims, which increases token size.
The purpose of this request is to simplify token payloads and make authorization logic fully centralized on the server, so permission updates are applied consistently without relying on token-embedded capabilities.

Proposed solution

• Remove capability claims (and non-essential profile metadata claims) from JWT payload generation in middleware.
• Keep only minimal authentication claims required for identity and session/2FA handling.
• Enforce permission checks server-side only (using in-memory profiles/users data and reload mechanisms already in place).

[edospadoni]

Testing release:

• https://github.com/nethesis/ns8-nethvoice/releases/tag/1.6.4-testing.18

Test Cases

TC1 – JWT does not contain capability claims

Steps

1. Login with a valid user.
2. Decode the returned JWT.

Expected result

• The JWT payload does not contain capability/permission claims.
• Only minimal authentication/session claims are present.

---

TC2 – Permission revocation takes effect without new login

Steps

1. Login as a user with permission to access a resource.
2. Verify access works.
3. Revoke the permission on the server.
4. Repeat the request without logging in again.

Expected result

• Access is denied after the permission change.

---

TC3 – Permission grant takes effect without new login

Steps

1. Login as a user without permission to access a resource.
2. Verify access is denied.
3. Grant the permission on the server.
4. Repeat the request without logging in again.

Expected result

• Access is allowed after the permission change.