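# JWT-002: Claims validation skipped (golang-jwt v5 WithoutClaimsValidation)
#
# Fixture for a Go JWT parser built with jwt.WithoutClaimsValidation(). That
# parser option only disables validation of the registered claims (exp, nbf,
# iat, ...); the keyfunc-based signature check still runs, so this is NOT a
# signature-bypass case. The expected findings below are about skipped claims
# validation accordingly. The sample also hard-codes the HMAC key, which is
# listed as an optional secondary finding rather than a required one.

[metadata]
id = "jwt-002"
name = "JWT claims validation skipped"
category = "jwt"
language = "go"
difficulty = "medium"
source = "hand-curated"
# Kept as a string, not a native TOML date: the consumer's expected type is
# not visible from this file.
created = "2025-02-05"
notes = "golang-jwt v5 WithoutClaimsValidation() parser option (Parser.SkipClaimsValidation in v4): skips claims validation only; the signature is still verified"

[input]
filename = "middleware.go"
# The Go source handed to the scanner. The keyfunc returns a literal key,
# and the parser is built with claims validation disabled.
content = """
package auth

import (
	"github.com/golang-jwt/jwt/v5"
)

func ParseToken(tokenString string) (*jwt.Token, error) {
	parser := jwt.NewParser(
		jwt.WithoutClaimsValidation(), // Skip for development
	)
	return parser.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
		return []byte("secret"), nil
	})
}
"""

[expected]
# Findings the scanner must report for this case to pass. Each element is a
# single-line inline table (TOML 1.0 does not allow them to wrap).
must_contain = [
    { subject = "jwt/claims_validation", predicate = "enabled", value = false, rationale = "WithoutClaimsValidation() disables validation" },
    { subject = "jwt/verification", predicate = "strict", value = false, rationale = "Claims validation is skipped" },
]
# Valid findings that the LLM may extract but that are not required.
acceptable_variants = [
    { subject = "secrets/token", predicate = "hardcoded", value = true, rationale = "LLM may detect hardcoded 'secret' string literal - valid but secondary finding" },
]

[scoring]
# presumably scales this case's contribution to the aggregate score — confirm against the scorer
weight = 1.5
# presumably the minimum confidence a finding needs to count as a match — confirm against the scorer
min_confidence = 0.8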