It's hard to consider all posibilities of invalid tokens that could possibly be passed in the access_token. You can open this as a bug if you want the team to look at it. It might be possible to do some type checks before trying to parse the token but then again, we are not expecting an invalid token structure to be passed here and seems like a very unlikely edge case.
SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).
