🎯 Broken Auth Patterns Cursor Writes Into Your API
AI tools write bad code. I saw a project using jwt.decode instead of jwt.verify. The developer used Cursor. This is a common pattern.
jwt.decode only base64-decodes the token. It does not check the signature, the algorithm, or the expiration. If your API authorizes on the decoded claims, it accepts any token: an attacker edits the payload, changes their user ID or role to admin, re-encodes it, and your app lets them in.
AI tools make other mistakes too:
- They accept alg:none, a token with no signature at all.
- They ignore token expiration (the exp claim).
This usually happens when you ask the AI to make an error go away. Faced with "invalid signature" or "jwt expired", it removes the check instead of fixing the cause, and the code runs.
Fix your auth:
- Use jwt.verify, never jwt.decode, for anything that authorizes a request.
- Pin the algorithm list explicitly, e.g. algorithms: ['HS256']. This rejects alg:none and algorithm confusion.
- Wrap verification in a try/catch and return 401 on any error. Do not fall back to decoding.
- Store the secret in an environment variable, not in source, and verify with the same secret the issuer signs with.
Catch these errors early, before the code merges, with tools like SafeWeave, semgrep, or gitleaks.