Use the provided `iat` parameter to calculate the `exp` value

[paulxtiseo]

So, seems like if payload has an iat property, that gets used instead of an internal timestamp value in sign().

var timestamp = Math.floor(Date.now() / 1000);
if (!options.noTimestamp) {
    payload.iat = payload.iat || timestamp;
  }

However, later on, expiresIn is added to timestamp and not to payload.iat to determine exp. Seems to me that that is wrong, although will not matter in the majority of cases?

[cvillerm]

+1
Agreeing with the comment.
This would apply to:
payload.exp = timestamp + expiresInSeconds;
that should be updated to
payload.exp = (payload.iat || timestamp) + expiresInSeconds;
even if this is part of deprecated code.

What concerns me more is that there seems to be a confusion with the non-deprecated option expiresIn and the corresponding JWT field exp (actual expiration time). expiresIn is described to be a timespan (i.e. to be added to the current or issued time) but it is used as an absolute time, what exp is supposed to be, so this looks wrong to me:
payload.exp = timespan(options.expiresIn);
Shouldn't it rather be:
payload.exp = (payload.iat || timestamp) + options.expiresIn;

[free-Runner]

Should add that the same issue exists for nbf value.

In index.js:
payload.nbf = timespan(options.notBefore);

In timespan.js:
var timestamp = Math.floor(Date.now() / 1000);
return Math.floor(timestamp + milliseconds / 1000);

[jfromaniello]

fixed in v6.