I just deleted 1,740 lines of code. The auth still works. Actually, it works better now.
Here's the thing: I was verifying JWT tokens in two places. Frontend middleware doing crypto checks, then the backend doing the exact same thing again.
The frontend can't be trusted anyway....
