More work on the Jitsi JWT

app/routers/api.py

@@ -233,6 +233,7 @@ class JitsiTokenRequest(BaseModel):
     is_moderator: bool = Field(..., description="Whether the user should be a moderator.")
 
     # Clearly separated override categories
+    user: Optional[Dict[str, Union[str, bool]]] = Field(None, description="User-specific overrides like name, email, moderator.")
     features: Optional[Dict[str, bool]] = Field(None, description="Feature flags like recording, livestreaming.")
     settings: Optional[Dict[str, bool]] = Field(None, description="User profile settings like startMuted, reactionsMuted.")
     config: Optional[Dict] = Field(None, description="Overrides for config.js properties.")
@@ -263,6 +264,7 @@ async def create_jitsi_jwt(
         # Build the payload with the correct structure accepted by Jitsi
         # Define the JWT payload with all the required claims for Jitsi.
         # This is where we securely set the moderator and user info.
+        # Even though 'user' is included we are currently ignoring it to prevent client overrides. It is rebuilt below from the main fields.
         payload = {
             "aud": "jitsi",
             "iss": JWT_APP_ID,