WIP

API/ROLAC.API/Controllers/AuthController.cs

@@ -78,6 +78,32 @@ public class AuthController : ControllerBase
         }
     }
 
+    // -------------------------------------------------------------------------
+    // GET /api/auth/me  (dev-only diagnostic — remove before production)
+    // -------------------------------------------------------------------------
+
+    /// <summary>
+    /// Returns the claims ASP.NET Core parsed from the Bearer token.
+    /// Use this to debug 401 vs 403: if you get 200 here, the JWT validates
+    /// fine; if you then get 403 on /api/users the role claim isn't matching.
+    /// </summary>
+    [HttpGet("me")]
+    [Authorize]   // no role restriction — just needs a valid JWT
+    public IActionResult GetMe()
+    {
+        var claims = User.Claims
+            .Select(c => new { c.Type, c.Value })
+            .ToList();
+
+        return Ok(new
+        {
+            isAuthenticated    = User.Identity?.IsAuthenticated,
+            authenticationType = User.Identity?.AuthenticationType,
+            name               = User.Identity?.Name,
+            claims,
+        });
+    }
+
     // -------------------------------------------------------------------------
     // POST /api/auth/logout
     // -------------------------------------------------------------------------