# JWT Decode Used for User Identity (Authentication Bypass)

- ID: javascript-jwt-unverified-user-identity
- Severity: CRITICAL
- CWE: Improper Authentication (CWE-287)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, koa, hapi, nodejs

## Description

Detects when the output of `jwt.decode()` is used as the user's identity. `decode()` only base64-decodes the token's payload and never checks the signature, so trusting its output for authentication allows a complete authentication bypass: any well-formed token is accepted, whoever produced it.

## Detection Message

Authentication bypass via unverified JWT at {sink}. jwt.decode() does NOT verify the token signature - anyone can forge tokens. The decoded payload from {source} is assigned to user identity without verification.

## Remediation

Use `jwt.verify()` instead of `jwt.decode()` for authentication, and pin the accepted algorithms so that the token's own `alg` header cannot select a weaker one:

```javascript
const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity

## Related Rules

- **Authentication Bypass Vulnerability** [CRITICAL]: