PyJWT Backend Authentication Flaw Allows Issuer Validation Bypass Through Prefix Matching
A medium-severity vulnerability in a chat application backend exposes its authentication layer to issuer validation bypass. The PyJWT token verification in `src/chat-app/backend/app/security.py` (lines 81–93) explicitly disables the library's built-in `iss` claim verification by passing `options={"verify_iss": False}` to `jwt.decode()`. A manual issuer check performed afterward uses prefix matching via `startswith()` rather than strict equality, creating a weaker validation pattern that may be circumvented by carefully crafted tokens.
The implementation deviates from PyJWT's hardened verification safeguards, which perform exact issuer matching as a defense against claim manipulation. By substituting a `startswith()` comparison, an attacker who controls the token's claims could set an issuer that merely begins with the legitimate URL (for example `https://auth.example.com/malicious` in place of `https://auth.example.com`), causing the check to pass even though the issuer is a different party. The affected code calls `jwt.decode()` with algorithms restricted to RS256 but with issuer verification explicitly disabled.
The vulnerability carries OWASP A07:2021 classification (Identification and Authentication Failures). Organizations using this codebase face elevated risk of authentication bypass if an attacker can generate or modify JWT tokens with manipulated issuer claims. Developers are advised to remove the `verify_iss: False` override and rely on PyJWT's native strict issuer validation; note that PyJWT only compares the `iss` claim when an expected value is supplied through the `issuer=` argument of `jwt.decode()`, so dropping the override without also passing `issuer=` leaves the claim unchecked. If manual verification is retained, it should use exact string equality against the trusted issuer rather than prefix matching. Immediate code review of token verification logic across related services is recommended.
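The two comparison styles side by side, as an added illustration rather than code from the affected backend: a constructed, unsigned token is parsed with the standard library only (signature verification is deliberately out of scope here and must succeed before any claim is trusted), and the trusted issuer URL is the placeholder from the text.

```python
import base64
import json

# Constructed placeholder; in the real backend this would be the configured issuer.
TRUSTED_ISSUER = "https://auth.example.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def make_test_token(claims: dict) -> str:
    """Build a constructed compact JWS with a dummy signature segment.
    It is NOT signed; it exists only so the claim checks have realistic input."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.{_b64url_encode({'constructed': 'sig'})}"


def claims_of(token: str) -> dict:
    """Return the payload of a compact JWS. Signature verification is assumed
    to have already happened (e.g. via jwt.decode with algorithms=['RS256'])."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def issuer_ok_prefix(claims: dict) -> bool:
    """The flawed check from the advisory: any issuer that merely starts with
    the trusted URL passes, including https://auth.example.com/malicious."""
    return str(claims.get("iss", "")).startswith(TRUSTED_ISSUER)


def issuer_ok_exact(claims: dict) -> bool:
    """The hardened check: the iss claim must equal the trusted issuer exactly.
    This mirrors what PyJWT does when jwt.decode(..., issuer=TRUSTED_ISSUER)
    is used with verify_iss left enabled."""
    return claims.get("iss") == TRUSTED_ISSUER


if __name__ == "__main__":
    legit = make_test_token({"sub": "alice", "iss": "https://auth.example.com"})
    lookalike = make_test_token({"sub": "alice", "iss": "https://auth.example.com/malicious"})
    for name, tok in (("legit", legit), ("lookalike", lookalike)):
        c = claims_of(tok)
        print(f"{name}: prefix={issuer_ok_prefix(c)} exact={issuer_ok_exact(c)}")
```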