From 0e6e184dd72c9898f5f873b746d24d132b931629 Mon Sep 17 00:00:00 2001 From: Vasilica Olariu Date: Tue, 14 Jul 2026 09:14:39 +0300 Subject: [PATCH] PM-5625 - remove skipping token validation in non-production environments --- src/shared/modules/global/jwt.service.ts | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/shared/modules/global/jwt.service.ts b/src/shared/modules/global/jwt.service.ts index a576d6d..8809b8e 100644 --- a/src/shared/modules/global/jwt.service.ts +++ b/src/shared/modules/global/jwt.service.ts @@ -231,11 +231,6 @@ export class JwtService implements OnModuleInit { const payload = decoded.payload as JwtPayloadRecord; - if (process.env.NODE_ENV !== 'production') { - // TODO (security): CRITICAL - JWT signature verification is skipped entirely in non-production (NODE_ENV !== 'production'). Any token with a valid structure will be accepted. This must never reach a publicly accessible environment. - return payload; - } - const issuer = this.resolveIssuer(payload); const keyId = decoded.header && typeof decoded.header.kid === 'string'