ClusterConcept
JWT/Auth Integration Drift
cluster-55
Bearer-token authentication breaks after a password change because JWT issuance, cookie-based transport, middleware validation, and the client's Authorization-header wiring are implemented inconsistently. The result is tokens the server cannot validate and, in some cases, tokens that are accepted by a different app than the one they were issued for. Drift in how the claims/principal are constructed and in the credential-return flow produces either spurious auth failures or insecure cross-app token replay.
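As an added example (not code from the original entry or from any project it describes), the following self-contained Python sketch shows one consistent wiring of the four pieces named above: issuance stamps the token with an audience and a per-user credential version; a single extractor accepts the token from either the Authorization header or a cookie; and one validation routine rejects a token presented to the wrong app (`bad_audience`) or after the user's password has changed (`stale_credentials`). The HS256 helper, the signing key, the claim name `pwv`, the app names and the timestamps are all constructed for the illustration; a real deployment would keep distinct keys per app in addition to the audience check.

```python
import base64
import hashlib
import hmac
import json

# Constructed for the example; in practice load per-app keys from a secret store.
SECRET = b"shared-signing-key-for-this-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, sub: str, aud: str, pwd_version: int, now: int, ttl: int = 3600) -> str:
    """Mint a compact HS256 JWT bound to one app (aud) and one credential version (pwv)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "aud": aud, "pwv": pwd_version, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, expected_aud: str, current_pwd_version: int, now: int):
    """Return (claims, None) on success or (None, reason) on failure.

    Signature is checked before any claim is trusted; audience and credential
    version are checked so a token cannot be replayed against another app or
    survive a password change.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        got_sig = _b64url_decode(s)
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "bad_alg"
    expected_sig = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, got_sig):
        return None, "bad_signature"
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None, "malformed"
    if claims.get("aud") != expected_aud:
        return None, "bad_audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("pwv") != current_pwd_version:
        return None, "stale_credentials"
    return claims, None


def extract_bearer(headers: dict, cookies: dict, cookie_name: str = "session"):
    """One transport rule for every middleware: Authorization header first, cookie as fallback."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    return cookies.get(cookie_name)


def scenario() -> dict:
    """Walk through the drift cases; each value is the rejection reason or None if accepted."""
    pw_version = {"alice": 1}  # constructed user store: bump on every password change
    now = 1_700_000_000
    tok = issue_token(SECRET, "alice", "app-a", pw_version["alice"], now)
    out = {}
    t = extract_bearer({"Authorization": "Bearer " + tok}, {})
    out["header_ok"] = verify_token(SECRET, t, "app-a", pw_version["alice"], now + 10)[1]
    t = extract_bearer({}, {"session": tok})
    out["cookie_ok"] = verify_token(SECRET, t, "app-a", pw_version["alice"], now + 10)[1]
    out["cross_app"] = verify_token(SECRET, tok, "app-b", pw_version["alice"], now + 10)[1]
    pw_version["alice"] += 1  # password changed: every earlier token must now fail
    out["after_pw_change"] = verify_token(SECRET, tok, "app-a", pw_version["alice"], now + 10)[1]
    tok2 = issue_token(SECRET, "alice", "app-a", pw_version["alice"], now + 20)
    out["reissued"] = verify_token(SECRET, tok2, "app-a", pw_version["alice"], now + 30)[1]
    return out


if __name__ == "__main__":
    for case, reason in scenario().items():
        print(f"{case}: {'accepted' if reason is None else reason}")
```

The credential-version claim is what turns "password changed" into a server-side rejection without a revocation list: the login flow returns a fresh token carrying the new version, and any client still replaying the old one gets `stale_credentials` rather than a confusing validation error. Keeping extraction in one helper removes the header-versus-cookie mismatch between the client wiring and the middleware.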