ast/jwt-decode-without-verify
JWT decoded without signature verification
What it detects
jwt.decode(token) (or jsonwebtoken.decode) only base64-decodes the JWT payload; it never checks the signature, the algorithm, or expiry. An attacker can hand you a token with arbitrary claims (`{ "sub": "admin" }`) and an empty or garbage signature, and your code will trust it. If you derive the user's identity or permissions from the decoded payload, switch to jwt.verify(token, secret, options): it throws on a bad signature and, when you pass `algorithms: ['HS256']` (or whatever your issuer actually uses), also rejects tokens that try to swap in `alg: "none"` or a different algorithm. Reserve .decode for non-trust uses, such as reading the header `kid` (via `{ complete: true }`) to pick which key to verify with; the claims themselves must always come from the verified result.
How it runs
Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the resulting AST for calls matching the `jwt.decode` / `jsonwebtoken.decode` shape whose result flows into identity or authorization logic, as described above. Files larger than 200 KB, or that fail to parse, are skipped, so a finding of zero on such a file is not a clean bill of health.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.