Merge pull request #257 from ab320012/master

Removed leeway from verify_iat
jwt · Mar 22, 2018 · dba5c9b · dba5c9b
2 parents c6643e3 + 22b24f0
commit dba5c9b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 7 deletions.
diff --git a/lib/jwt/verify.rb b/lib/jwt/verify.rb
@@ -45,7 +45,7 @@ def verify_iat
       return unless @payload.include?('iat')
 
       iat = @payload['iat']
-      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > (Time.now.to_f + iat_leeway)
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
     end
 
     def verify_iss

diff --git a/spec/jwt/verify_spec.rb b/spec/jwt/verify_spec.rb
@@ -87,12 +87,9 @@ module JWT
         Verify.verify_iat(payload, options)
       end
 
-      it 'must allow configured leeway' do
-        Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(leeway: 70))
-      end
-
-      it 'must allow configured iat_leeway' do
-        Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(iat_leeway: 70))
+      it 'must ignore configured leeway' do
+        expect{Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(leeway: 70)) }
+          .to raise_error(JWT::InvalidIatError)
       end
 
       it 'must properly handle integer times' do