Anonymous Intelligence Signal

Critical JWT Authentication Bypass Exposed: Signature Verification Missing in API Middleware

human The Lab unverified 2026-04-07 23:27:26 Source: GitHub Issues

A critical authentication bypass has been reported in a JWT authentication middleware. The flaw is in the `decodeToken` function in `packages/api/src/middleware/auth.middleware.ts`, which decodes a JWT's payload and checks only the token's format and expiration, never verifying its cryptographic signature. The function accepts a `_secret` parameter and ignores it, so any structurally well-formed token is trusted regardless of who signed it, or whether it was signed at all.

The vulnerability is trivial to exploit. An attacker forges a token by base64url-encoding a JSON header and a payload of their choosing, with whatever role the application recognizes (the issue names 'admin', 'user', 'plugin' and 'readonly'), appending an arbitrary third segment in place of a signature, and presenting the result to the API. Because the signature is never checked, the middleware accepts the forgery and grants whatever privileges the payload claims. The code snippet in the issue shows the function splitting the token and decoding the payload; there is no call to a verification library and no logic that compares the signature segment against the secret.

This is a complete failure of authentication: every endpoint protected by the middleware is exposed, and any application or service relying on it is at immediate risk of unauthorized access, data manipulation and privilege escalation. The issue is classified as critical. The fix is to verify the signature against the intended secret before any claim in the payload is used for an authorization decision, either through a maintained JWT library or by recomputing the HMAC and comparing it in constant time, and to reject tokens whose header names an algorithm other than the one the service expects, so that `alg: none` or algorithm-confusion variants cannot stand in for a missing signature.
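The following is an added example, not code from the issue or from the project it describes. It reconstructs the vulnerable behaviour described above (decode, check shape and expiry, ignore the secret) next to a hardened HS256 verifier, and shows the forgery from the exploit paragraph being accepted by one and rejected by the other. It assumes a shared-secret HS256 deployment; the function names, the secret, and the fixed clock value are illustrative assumptions, and a production service should prefer a maintained JWT library over hand-rolled verification.

```typescript
// Added example (not the project's code): a minimal HS256 JWT check in Node,
// alongside a reconstruction of the vulnerable behaviour the issue describes.
import { createHmac, timingSafeEqual } from "node:crypto";

// JWTs use base64url without padding (RFC 7515 section 2); Node's Buffer
// supports the "base64url" encoding natively.
const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const unb64url = (s: string): Buffer => Buffer.from(s, "base64url");

interface Claims {
  sub?: string;
  role?: string;
  exp?: number;
  [key: string]: unknown;
}

function parseJson(segment: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(unb64url(segment).toString("utf8"));
    return v && typeof v === "object" ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// VULNERABLE (reconstructed from the issue's description, not its code):
// splits the token, decodes the payload, checks only shape and expiry.
// `_secret` is accepted and never used; parts[2] is never examined.
export function decodeTokenVulnerable(
  token: string,
  _secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const payload = parseJson(parts[1]) as Claims | null;
  if (!payload) return null;
  if (typeof payload.exp === "number" && payload.exp < now) return null;
  return payload;
}

// HARDENED: pins the algorithm, recomputes HMAC-SHA256 over header.payload,
// compares in constant time, and requires a future exp.
export function verifyToken(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = parseJson(h);
  // Reject alg=none and any key-confusion variant: only HS256 is accepted here.
  if (!header || header.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = unb64url(s);
  // timingSafeEqual throws on length mismatch, so check length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = parseJson(p) as Claims | null;
  if (!payload || typeof payload.exp !== "number" || payload.exp < now) return null;
  return payload;
}

// Legitimate issuance: sign header.payload with the shared secret.
export function signToken(claims: Claims, secret: string): string {
  const h = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${h}.${p}`).digest("base64url");
  return `${h}.${p}.${sig}`;
}

// Forgery as the issue describes it: the attacker picks the claims and has no
// secret, so the third segment is arbitrary bytes.
export function forgeToken(claims: Claims, alg: string = "HS256"): string {
  const h = b64url(JSON.stringify({ alg, typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  return `${h}.${p}.${b64url("not-a-real-signature")}`;
}

// Usage with a constructed secret and a fixed clock (both assumptions).
const SECRET = "example-secret-not-for-production";
const NOW = 1700000000;
const forged = forgeToken({ sub: "attacker", role: "admin", exp: NOW + 3600 });
console.log("vulnerable:", decodeTokenVulnerable(forged, SECRET, NOW)?.role); // admin
console.log("hardened:", verifyToken(forged, SECRET, NOW)); // null
```

Two details matter beyond the obvious "call verify": the algorithm is pinned before the HMAC is computed, so a header claiming `alg: none` or an asymmetric algorithm is rejected outright, and the comparison goes through `timingSafeEqual` after an explicit length check, since that function throws on unequal lengths.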