From 19d63ffe1b193964e32a231e89b293f9b5f7eb4d Mon Sep 17 00:00:00 2001
From: Alexander Borg <borg@servernet.se>
Date: Wed, 17 Sep 2025 05:21:53 +0200
Subject: [PATCH] Fix jwt-token

---
 server/routes/device.js | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/server/routes/device.js b/server/routes/device.js
index 25e8e8b..3e3065d 100644
--- a/server/routes/device.js
+++ b/server/routes/device.js
@@ -478,8 +478,19 @@ router.delete('/:id', authenticateToken, async (req, res) => {
       });
     }
 
-    // Soft delete by setting is_active to false
-    await device.update({ is_active: false });
+    // Check if device belongs to user's tenant
+    const tenantId = await multiAuth.determineTenant(req);
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    
+    if (device.tenant_id !== tenant.id) {
+      return res.status(404).json({
+        success: false,
+        message: 'Device not found'
+      });
+    }
+
+    // Actually delete the device
+    await device.destroy();
 
     res.json({
       success: true,