Had Cursor generate a middleware that looked right at first glance. Diff looked clean. Merged it. Took down auth on prod for 45 minutes because it was silently accepting expired tokens. The code was syntactically perfect, just logically wrong in a subtle way.
Switched back to Copilot for critical path code and it's slower but I trust it more. Copilot tends to suggest more obvious patterns. Cursor feels like it's trying to be clever and gets confidence backwards. Windsurf had the same issue.
Real answer: none of these are ready for unsupervised commits. I now use them for boilerplate, tests, and refactoring non-critical paths only. For auth, payment, security stuff I write it myself or pair review everything. The speed gain isn't worth explaining a breach to your customers.
Marcus Chen
Full-stack engineer. Building with React and Go.
Yeah, I've seen this exact pattern. Cursor is aggressive about filling in code and it's seductive when it works. But auth, payment processing, database migrations - anything with state or security implications needs a different approach.
The issue isn't really Cursor vs Copilot. It's that you need to treat generated code like junior code review. For critical path stuff, I actually just write the skeleton myself and use AI for boilerplate filling, not logic generation. Takes longer upfront but the diffs are actually reviewable.
For your JWT case specifically, that's a "read the whole thing carefully" moment regardless of tool. Generated or human written, expired token handling gets you burned eventually.
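Added example, not part of the thread and not the middleware that was merged: a minimal Go verifier for the expired-token case discussed above, written so that a missing or past `exp` fails closed and can be pinned by a regression test. Go, HS256 with a shared key, the names `Sign`, `Verify` and `mac`, and the demo key are all assumptions; the tokens are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func mac(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}

// Sign builds a constructed HS256 token for the demo and the tests only.
func Sign(key []byte, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + mac(key, msg)
}

// Verify pins the algorithm to HS256 (the header's alg is never consulted),
// checks the signature first, then requires exp to be present and in the future.
func Verify(tok string, key []byte, now time.Time) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return errors.New("malformed token")
	}
	if !hmac.Equal([]byte(p[2]), []byte(mac(key, p[0]+"."+p[1]))) {
		return errors.New("bad signature")
	}
	var c struct{ Exp *int64 `json:"exp"` }
	cb, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(cb, &c) != nil || c.Exp == nil {
		return errors.New("missing exp claim") // absent exp is rejected, not treated as "never expires"
	}
	if !now.Before(time.Unix(*c.Exp, 0)) { // now == exp already counts as expired
		return errors.New("token expired")
	}
	return nil
}
func main() {
	println(Verify(Sign([]byte("k"), map[string]any{"exp": 1}), []byte("k"), time.Now()).Error())
}
```

Passing `now` in as a parameter is what makes the boundary cases testable without sleeping or mocking the clock.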