Check payload before trying to get nbf

[Gp2mv3]

In verify.js, I think there is an issue with the payload decoding. Or at least with robustness.
I receive some errors (TypeError: Cannot read property 'nbf' of null) with the following lines (Around line 110 of verify.js):

  var payload;

  try {
    payload = decode(jwtString);
  } catch(err) {
    return done(err);
  }

  if (typeof payload.nbf !== 'undefined' && !options.ignoreNotBefore) {
//...

The function decode sometimes (if the jwtString is malformed ?) returns null, isn't a good idea to check the payload before trying to use the nbf ?
It's a simple if in the try-catch, I can do a PR if needed.

Regards,

Gp2mv3

[joovel]

Good find! I was able to reproduce this myself with node 8.9.1, the latest jsonwebtoken, and the following code:

const jwt = require('jsonwebtoken');
const key = 'shhhhh';

jwt.sign(JSON.stringify(null), key, function(signErr, token) {
  if(signErr) { console.log('sign error', signErr); return; }

  return jwt.verify(token, key, function(verifyErr, decoded) {
    if(verifyErr) { console.log('verify error', verifyErr); return; }
  });
});

This is definitely a problem because verify attempts to be nice and run it through JSON.parse. I think the right fix is to check obj && typeof obj === 'object' at https://github.com/auth0/node-jsonwebtoken/blob/master/decode.js#L13 .

I don't think adding an if where you suggest is the right solution. I think the correct behavior in this case is to return a payload of the string literal "null" because that was what was passed in.

[Gp2mv3]

I created the PR as @joovel suggested.

[ziluvatar]

After reading, I'm still not sure if the bug that @joovel found is the same as @Gp2mv3 wanted to post. @Gp2mv3 what was your input when you received those failures? Is it the use case that @joovel mentioned?

Agree on the fix for that bug, I want to check if there is any other.

[joovel]

@ziluvatar : I looked at the code, and having a payload of "null" was the only way I could trigger the specific if/else conditions that gave the same error that @Gp2mv3 cited.