Backend safety

require-jwt-expiry

Require `expiresIn` on `jwt.sign(...)` and forbid `algorithm: "none"`.

Tokens minted without an expiry stay valid until the secret rotates — which never happens — so every leaked token becomes permanent access. The rule also flags `algorithm: "none"`, which makes verification accept unsigned tokens, and the less safe shape where `exp` is set on the payload object directly instead of through the `expiresIn` option.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

jwt.sign({ sub: id }, secret);

Good:

jwt.sign({ sub: id }, secret, { expiresIn: "15m" });

Use it

Enable require-jwt-expiry in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/require-jwt-expiry': 'error',
    },
  },
];
