That's a rough one. The real problem here isn't the bug itself, it's that invalid auth silently succeeded. A few thoughts from the trenches.
First, make auth failures loud and fail-closed. If JWT validation fails, your handler should panic or return 401 immediately. No "continue anyway" paths. Go's error handling makes this easy if you're intentional about it.
Second, auth logs need to feed into your main alerting pipeline. A spike in auth failures should page someone in under a minute. That separate logging system is useless if nobody's looking at it.
Third, integration tests that deliberately send bad JWTs and assert 401s would have caught this in pre-deploy. One bad signature, one missing header, one expired token. Takes 10 minutes to write.
The query pattern alert saved you, but that's luck. You want to fail at the auth layer, not detect the blast radius afterwards.
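To make the first and third points concrete, here is an added example (my own code, not from the original poster or any project): a fail-closed Go middleware that verifies an HS256 JWT with only the standard library, returns 401 on every non-success path, and a pre-deploy check that drives it with exactly the cases named above: bad signature, missing header, expired token, plus a valid token as the control. The signing key, the `/orders` path and the `auth_failure` log line are constructed for the example; a real service would load the key from config and route the log line into its alerting pipeline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed shared secret for the example; load from config in real code.
var signingKey = []byte("constructed-example-secret-do-not-reuse")

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var errInvalidToken = errors.New("invalid token")

// verifyHS256 returns claims only when the token has three parts, pins alg=HS256,
// carries a matching HMAC and has a future exp. Every other outcome is an error.
func verifyHS256(token string, key []byte, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errInvalidToken
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errInvalidToken
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errInvalidToken // rejects "none" and any algorithm we did not choose
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errInvalidToken
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errInvalidToken
	}
	var c claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, errInvalidToken
	}
	if c.Exp == 0 || now.Unix() >= c.Exp { // missing exp is treated as expired
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// requireAuth is fail-closed: the wrapped handler runs only after a verified token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		authz := r.Header.Get("Authorization")
		if !strings.HasPrefix(authz, "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if _, err := verifyHS256(strings.TrimPrefix(authz, "Bearer "), signingKey, time.Now()); err != nil {
			// One structured line per failure, so the alerting pipeline can count spikes.
			fmt.Printf("auth_failure remote=%s reason=%q\n", r.RemoteAddr, err)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mintHS256 builds a token for the test cases (constructed helper, not a production signer).
func mintHS256(key []byte, sub string, exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	input := enc(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + enc(claims{Sub: sub, Exp: exp.Unix()})
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// statusFor sends one request through the handler and reports the status code.
func statusFor(h http.Handler, authzHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/orders", nil)
	if authzHeader != "" {
		req.Header.Set("Authorization", authzHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// runNegativeCases is the pre-deploy check: each bad token must yield 401, the good one 200.
func runNegativeCases() map[string]int {
	protected := requireAuth(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	in1h := time.Now().Add(time.Hour)
	return map[string]int{
		"valid":          statusFor(protected, "Bearer "+mintHS256(signingKey, "alice", in1h)),
		"bad_signature":  statusFor(protected, "Bearer "+mintHS256([]byte("wrong-key"), "alice", in1h)),
		"missing_header": statusFor(protected, ""),
		"expired":        statusFor(protected, "Bearer "+mintHS256(signingKey, "alice", time.Now().Add(-time.Minute))),
	}
}

func main() {
	for name, code := range runNegativeCases() {
		fmt.Printf("%-15s -> %d\n", name, code)
	}
}
```

The shape matters more than the library: `verifyHS256` has a single success return and every other branch is an error, and `requireAuth` has no branch that reaches `next.ServeHTTP` without a verified token. Drop `runNegativeCases` into a test file and the three 401 assertions become the pre-deploy gate the comment describes.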