Fix jwt-token

server/routes/device.js

@@ -478,8 +478,19 @@ router.delete('/:id', authenticateToken, async (req, res) => {
       });
     }
 
-    // Soft delete by setting is_active to false
-    await device.update({ is_active: false });
+    // Check if device belongs to user's tenant
+    const tenantId = await multiAuth.determineTenant(req);
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    
+    if (device.tenant_id !== tenant.id) {
+      return res.status(404).json({
+        success: false,
+        message: 'Device not found'
+      });
+    }
+
+    // Actually delete the device
+    await device.destroy();
 
     res.json({
       success: true,