Related Issue: #142
Problem Description
The calculation of payload.nbf does not use payload.iat when notBefore is passed an offset, and instead the current time is always used.
Expected
In this case I would expect that the payload.nbf value to be an offset based on the passed payload.iat. This would be consistent with payload.exp.
Reduced Test Case
const {sign, decode} = require('jsonwebtoken');
const token = sign({foo: 'bar', iat: 100}, 'secret', {notBefore: '-1s'});
const decoded = decode(token);
console.log(`Expecting nbf value ${decoded.nbf} to equal 99`);
> Expecting nbf value 1513884708 to equal 99
Investigation
It seems that the timestamp is not passed to timespan function on Line 148 of sign.js similar to how it is passed to the call on Line 155 of sign.js.
Related Issue: #142
Problem Description
The calculation of
payload.nbfdoes not usepayload.iatwhennotBeforeis passed an offset, and instead the current time is always used.Expected
In this case I would expect that the
payload.nbfvalue to be an offset based on the passedpayload.iat. This would be consistent withpayload.exp.Reduced Test Case
Investigation
It seems that the
timestampis not passed totimespanfunction on Line 148 of sign.js similar to how it is passed to the call on Line 155 of sign.js.