
ast/jwt-sign-no-expires-in

JWT signed without expiresIn — token lives forever

high · AST · jwt · CWE-613 · js · ts

What it detects

jwt.sign(payload, secret) was called without an `expiresIn` option (or with no options object at all). A JWT without expiry stays valid until the secret is rotated — a compromised token has no natural decay. Pass `{ expiresIn: '15m' }` (or your chosen window) as the third argument. Refresh-token flows should use short access tokens explicitly.

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.