Typescript Jwt Lack Of Expiration
Description
This detector identifies JWT (JSON Web Token) implementations in TypeScript code that lack proper expiration time configuration. A JWT without an expiration time remains valid indefinitely, which creates a security risk if the token is compromised: the token cannot be invalidated simply by waiting for it to time out.
Detection Strategy
• Analyzes TypeScript source code files for JWT token creation and configuration patterns
• Identifies JWT library function calls that create or sign tokens without specifying expiration parameters
• Triggers when JWT signing methods are called without 'exp' (expiration) claims or timeout configurations
• Reports vulnerabilities when token generation code lacks explicit expiration time settings that would limit token lifetime
Vulnerable code example
import jwt from "jsonwebtoken";
const SECRET = "super-secret-key";
// VULNERABLE: no expiresIn option, so the token never expires
const token1 = jwt.sign(
  { userId: 1, role: "admin" },
  SECRET
);
✅ Secure code example
import jwt from "jsonwebtoken";
const SECRET = "super-secret-key";
// SECURE: the expiresIn option prevents indefinite token validity
const token1 = jwt.sign(
  { userId: 1, role: "admin" },
  SECRET,
  { expiresIn: "1h" } // lifetime value chosen for illustration; use one that fits your session policy
);
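As an added example, not Fluid Attacks' code or the jsonwebtoken library's, the following TypeScript issues HS256 tokens with a mandatory exp claim and verifies them so that a token without exp, an expired token, or one whose lifetime exceeds policy is rejected. It relies only on Node's built-in crypto module; the function names (issueToken, verifyToken), the ttl and policy parameters, and the secret used in testing are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Minimal HS256 helper written for this page (hypothetical); a real
// application would keep using jsonwebtoken, but with expiresIn set.
type Claims = Record<string, unknown> & { iat?: number; exp?: number };

const b64url = (input: Buffer | string): string => Buffer.from(input).toString("base64url");

function hmac(secret: string, data: string): Buffer {
  return createHmac("sha256", secret).update(data).digest();
}

// Issue a token and always stamp exp. ttlSeconds is a required argument,
// so a caller cannot omit the lifetime the way jwt.sign(payload, SECRET) allows.
function issueToken(
  claims: Record<string, unknown>, secret: string, ttlSeconds: number, nowSeconds = Math.floor(Date.now() / 1000)
): string {
  if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) throw new Error("ttlSeconds must be a positive integer");
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat: nowSeconds, exp: nowSeconds + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

// Verify the signature first, then reject tokens that carry no exp, are already
// expired, or were issued with a lifetime longer than maxTtlSeconds allows.
function verifyToken(
  token: string, secret: string, maxTtlSeconds: number, nowSeconds = Math.floor(Date.now() / 1000)
): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const expected = hmac(secret, `${h}.${p}`);
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error("bad signature");
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")) as Claims;
  if (typeof claims.exp !== "number") throw new Error("token has no exp claim");
  if (claims.exp <= nowSeconds) throw new Error("token expired");
  const issued = typeof claims.iat === "number" ? claims.iat : nowSeconds;
  if (claims.exp - issued > maxTtlSeconds) throw new Error("token lifetime exceeds policy");
  return claims;
}
```

Passing nowSeconds explicitly makes both functions deterministic, which is what lets expiry and lifetime-policy checks be unit-tested without waiting.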