GHSA-q926-c743-49qj: Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning
Centrifugo supports a configuration flag insecure_skip_token_signature_verify that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity — including tokens signed with wrong keys, random signatures, or no signature at all. Critically, no warning is logged at startup or runtime when this flag is active, making it invisible to operators and security auditors.
Note: This vulnerability requires the operator to have explicitly set insecure_skip_token_signature_verify=true. The core issue is the absence of any warning when this flag is active, making accidental production exposure undetectable.
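The two halves of the issue, as an added example that is not Centrifugo's own code: a startup-style audit an operator can run to surface the flag (the nested config path and the `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY` environment-variable name are assumptions, not taken from the advisory), next to a minimal HS256 check showing that with the flag set a token whose signature does not match is accepted.

```python
"""Audit for insecure_skip_token_signature_verify and show its effect.
Added example, not Centrifugo code. Assumed: JSON-style config dict where the
key may be nested; env-var name derived from the flag name (assumption)."""
import base64, hashlib, hmac, json

FLAG = "insecure_skip_token_signature_verify"
ENV_FLAG = "CENTRIFUGO_" + FLAG.upper()  # assumed mapping, not from the page

def find_flag(cfg, path=""):
    """Return dotted paths of every key named FLAG whose value is enabled."""
    hits = []
    if isinstance(cfg, dict):
        for k, v in cfg.items():
            p = f"{path}.{k}" if path else k
            if k == FLAG and v in (True, 1, "1", "true"):
                hits.append(p)
            hits.extend(find_flag(v, p))
    elif isinstance(cfg, list):
        for i, v in enumerate(cfg):
            hits.extend(find_flag(v, f"{path}[{i}]"))
    return hits

def audit(cfg, env):
    """The warning the advisory says is missing: one string per enabled source."""
    warns = [f"{FLAG} enabled at config path '{p}'" for p in find_flag(cfg)]
    if env.get(ENV_FLAG, "").lower() in ("1", "true"):
        warns.append(f"{FLAG} enabled via {ENV_FLAG}")
    return warns

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key):
    """Constructed HS256 JWT for the demonstration below."""
    h = _b64(b'{"alg":"HS256","typ":"JWT"}')
    p = _b64(json.dumps(claims).encode())
    return f"{h}.{p}." + _b64(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())

def verify_hs256(token, key, skip_signature_verify=False):
    """Minimal verifier. With the flag on, any or no signature passes,
    which is the behaviour the advisory describes."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False  # structurally not a JWT, rejected either way
    if skip_signature_verify:
        return True
    expect = _b64(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return hmac.compare_digest(expect, s)

if __name__ == "__main__":
    tok = make_token({"sub": "42"}, b"server-secret")
    bad = tok.rsplit(".", 1)[0] + ".AAAA"  # signature replaced
    print(verify_hs256(bad, b"server-secret"), verify_hs256(bad, b"server-secret", True))
    print(audit({"client": {"token": {FLAG: True}}}, env={}))
```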