Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[feat] Missing jsonwebtoken options in type definitions #199

Open
2 tasks done
olivermack opened this issue Sep 29, 2023 · 0 comments
Open
2 tasks done

[feat] Missing jsonwebtoken options in type definitions #199

olivermack opened this issue Sep 29, 2023 · 0 comments

Comments

@olivermack
Copy link

I was checking the implementation to see if we can utilize the clockTolerance option of the jsonwebtoken lib. First I was a bit disappointed and thought it was not possible but then I realized that the options passed to the middleware are fully passed on to the verify call. Thus, it is indeed possible to set those options provided by the jsonwebtoken lib, it's just neither documented not part of the type definitions (I did not verify if those options were added at a later point to the jsonwebtoken lib though!)

However, it'd be great if you could add those details.

https://www.npmjs.com/package/jsonwebtoken

Background: in my case the JWT is created by a remote server which provides the nbf claim as a unix timestamp with decimals. The jsonwebtoken lib uses its internal clockTimestamp (rounded down to full seconds) and compares it to the given nbf:

https://github.com/auth0/node-jsonwebtoken/blob/bc28861f1fa981ed9c009e29c044a19760a0b128/verify.js#L180C2-L182

What now happens: the remote system creates something like 1695972313.93304, verify boils it down to 1695972313 and - assuming it IS 1695972313 - it complains due to the payload.nbf > clockTimestamp.

Checklist

  • I have searched through GitHub issues for similar issues.
  • I have completely read through the README and documentation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant