Remove iat value check and add presence test

auth0 · Feb 3, 2020 · 9c54f5b · 9c54f5b
1 parent cce15aa
commit 9c54f5b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/lib/jwt.js b/lib/jwt.js
@@ -46,7 +46,7 @@ var verify = (token, options) => {
   }
 
   var payload = decodedToken.payload;
-  
+
   // Issuer
   if (!payload.iss || typeof payload.iss !== 'string') {
     throw new Error('Issuer (iss) claim must be a string present in the ID token');
@@ -59,7 +59,7 @@ var verify = (token, options) => {
   if (!payload.sub || typeof payload.sub !== 'string') {
     throw new Error('Subject (sub) claim must be a string present in the ID token');
   }
-  
+
   // Audience
   if (!payload.aud || !(typeof payload.aud === 'string' || Array.isArray(payload.aud))) {
     throw new Error('Audience (aud) claim must be a string or array of strings present in the ID token');
@@ -74,7 +74,7 @@ var verify = (token, options) => {
   // --Time validation (epoch)--
   var now = Math.floor(Date.now() / 1000);
   var leeway = options.leeway || DEFAULT_LEEWAY;
-  
+
   // Expires at
   if (!payload.exp || typeof payload.exp !== 'number') {
     throw new Error('Expiration Time (exp) claim must be a number present in the ID token');
@@ -89,10 +89,6 @@ var verify = (token, options) => {
   if (!payload.iat || typeof payload.iat !== 'number') {
     throw new Error('Issued At (iat) claim must be a number present in the ID token');
   }
-  var iatTime = payload.iat - leeway;
-  if (now < iatTime) {
-    throw new Error(`Issued At (iat) claim error in the ID token; current time (${now}) is before issued at time (${iatTime})`);
-  }
 
   // Nonce
   if (options.nonce) {

diff --git a/test/jwt.test.js b/test/jwt.test.js
@@ -101,7 +101,7 @@ describe('jwt.decode', function() {
       assert.throws(jwt.decode('test'), IDTOKEN_ERROR_MESSAGE);
       assert.throws(jwt.decode('test.'), IDTOKEN_ERROR_MESSAGE);
       assert.throws(jwt.decode('test.test'), IDTOKEN_ERROR_MESSAGE);
-      assert.throws(jwt.decode('test.test.test.test'), 
+      assert.throws(jwt.decode('test.test.test.test'),
         IDTOKEN_ERROR_MESSAGE
       );
     });
@@ -293,4 +293,15 @@ describe('jwt.verify', function() {
       done();
     }
   });
+  it('should throw when Issued At is missing', function(done) {
+    var EXPECTED_ERROR_MESSAGE = 'Issued At (iat) claim must be a number present in the ID token';
+    try {
+      var token = generateJWT({ iat: undefined });
+      jwt.verify(token, expectedOptions)
+      done(new Error('Should have thrown error: ' + EXPECTED_ERROR_MESSAGE));
+    } catch (error) {
+      assert.equal(error.message, EXPECTED_ERROR_MESSAGE);
+      done();
+    }
+  });
 });