do not mutate options in jwt.verify, closes #227

Author: jfromaniello

test/verify.tests.js

@@ -46,6 +46,27 @@ describe('verify', function() {
     });
   });
 
+  it('should not mutate options', function (done) {
+    var header = { alg: 'none' };
+
+    var payload = { iat: Math.floor(Date.now() / 1000 ) };
+
+    var options = {typ: 'JWT'};
+
+    var signed = jws.sign({
+      header: header,
+      payload: payload,
+      secret: priv,
+      encoding: 'utf8'
+    });
+
+    jwt.verify(signed, null, options, function(err) {
+      assert.isNull(err);
+      assert.deepEqual(Object.keys(options).length, 1);
+      done();
+    });
+  });
+
   describe('expiration', function () {
     // { foo: 'bar', iat: 1437018582, exp: 1437018583 }
     var token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0MzcwMTg1ODIsImV4cCI6MTQzNzAxODU4M30.NmMv7sXjM1dW0eALNXud8LoXknZ0mH14GtnFclwJv0s';

verify.js

@@ -4,6 +4,7 @@ var TokenExpiredError = require('./lib/TokenExpiredError');
 var decode            = require('./decode');
 var jws               = require('jws');
 var ms                = require('ms');
+var xtend             = require('xtend');
 
 module.exports = function (jwtString, secretOrPublicKey, options, callback) {
   if ((typeof options === 'function') && !callback) {
@@ -15,6 +16,8 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
     options = {};
   }
 
+  //clone this object since we are going to mutate it.
+  options = xtend(options);
   var done;
 
   if (callback) {