
fix: read sub claim from PDS service auth JWT

2026-03-22 16:46:04 +09:00
parent 770ed8ca8d
commit 3e7d32b5cc


@@ -287,7 +287,7 @@ fn extract_did(headers: &HeaderMap) -> Option<String> {
return Some(token.to_string());
}
// Decode JWT payload to extract iss (issuer = caller DID)
// Decode JWT payload: prefer "sub" (service auth from PDS proxy), fallback to "iss"
let parts: Vec<&str> = token.split('.').collect();
if parts.len() == 3 {
if let Ok(decoded) = base64::Engine::decode(
@@ -295,6 +295,10 @@ fn extract_did(headers: &HeaderMap) -> Option<String> {
parts[1],
) {
if let Ok(payload) = serde_json::from_slice::<serde_json::Value>(&decoded) {
// PDS service auth: iss=PDS DID, sub=user DID
if let Some(sub) = payload.get("sub").and_then(|v| v.as_str()) {
return Some(sub.to_string());
}
if let Some(iss) = payload.get("iss").and_then(|v| v.as_str()) {
return Some(iss.to_string());
}