Exp calculated based on iat. fix #217

Author: lusarz

lib/timespan.js

@@ -1,15 +1,15 @@
 var ms = require('ms');
 
-module.exports = function (time) {
-  var timestamp = Math.floor(Date.now() / 1000);
+module.exports = function (time, iat) {
+  var timestamp = iat || Math.floor(Date.now() / 1000);
 
   if (typeof time === 'string') {
     var milliseconds = ms(time);
     if (typeof milliseconds === 'undefined') {
       return;
     }
     return Math.floor(timestamp + milliseconds / 1000);
-  } else if (typeof time === 'number' ) {
+  } else if (typeof time === 'number') {
     return timestamp + time;
   } else {
     return;

sign.js

@@ -6,13 +6,13 @@ var jws = require('jws');
 var sign_options_schema = Joi.object().keys({
   expiresIn: [Joi.number().integer(), Joi.string()],
   notBefore: [Joi.number().integer(), Joi.string()],
-  audience:  [Joi.string(), Joi.array()],
-  algorithm: Joi.string().valid('RS256','RS384','RS512','ES256','ES384','ES512','HS256','HS384','HS512','none'),
-  header:    Joi.object(),
-  encoding:  Joi.string(),
-  issuer:    Joi.string(),
-  subject:   Joi.string(),
-  jwtid:     Joi.string(),
+  audience: [Joi.string(), Joi.array()],
+  algorithm: Joi.string().valid('RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none'),
+  header: Joi.object(),
+  encoding: Joi.string(),
+  issuer: Joi.string(),
+  subject: Joi.string(),
+  jwtid: Joi.string(),
   noTimestamp: Joi.boolean()
 });
 
@@ -25,9 +25,9 @@ var registered_claims_schema = Joi.object().keys({
 
 var options_to_payload = {
   'audience': 'aud',
-  'issuer':   'iss',
-  'subject':  'sub',
-  'jwtid':    'jti'
+  'issuer': 'iss',
+  'subject': 'sub',
+  'jwtid': 'jti'
 };
 
 var options_for_objects = [
@@ -40,15 +40,15 @@ var options_for_objects = [
   'jwtid',
 ];
 
-module.exports = function(payload, secretOrPrivateKey, options, callback) {
+module.exports = function (payload, secretOrPrivateKey, options, callback) {
   options = options || {};
 
   var header = xtend({
     alg: options.algorithm || 'HS256',
     typ: typeof payload === 'object' ? 'JWT' : undefined
   }, options.header);
 
-  function failure (err) {
+  function failure(err) {
     if (callback) {
       return callback(err);
     }
@@ -71,7 +71,7 @@ module.exports = function(payload, secretOrPrivateKey, options, callback) {
     });
 
     if (invalid_options.length > 0) {
-      return failure(new Error('invalid ' + invalid_options.join(',') + ' option for ' + (typeof payload ) + ' payload' ));
+      return failure(new Error('invalid ' + invalid_options.join(',') + ' option for ' + (typeof payload ) + ' payload'));
     }
   }
 
@@ -86,7 +86,7 @@ module.exports = function(payload, secretOrPrivateKey, options, callback) {
   var validation_result = sign_options_schema.validate(options);
 
   if (validation_result.error) {
-   return failure(validation_result.error);
+    return failure(validation_result.error);
   }
 
   var timestamp = payload.iat || Math.floor(Date.now() / 1000);
@@ -105,7 +105,7 @@ module.exports = function(payload, secretOrPrivateKey, options, callback) {
   }
 
   if (typeof options.expiresIn !== 'undefined' && typeof payload === 'object') {
-    payload.exp = timespan(options.expiresIn);
+    payload.exp = timespan(options.expiresIn, timestamp);
     if (typeof payload.exp === 'undefined') {
       return failure(new Error('"expiresIn" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60'));
     }
@@ -123,17 +123,17 @@ module.exports = function(payload, secretOrPrivateKey, options, callback) {
 
   var encoding = options.encoding || 'utf8';
 
-  if(typeof callback === 'function') {
+  if (typeof callback === 'function') {
     jws.createSign({
       header: header,
       privateKey: secretOrPrivateKey,
       payload: JSON.stringify(payload),
       encoding: encoding
     })
-    .once('error', callback)
-    .once('done', function(signature) {
-      callback(null, signature);
-    });
+      .once('error', callback)
+      .once('done', function (signature) {
+        callback(null, signature);
+      });
   } else {
     return jws.sign({header: header, payload: payload, secret: secretOrPrivateKey, encoding: encoding});
   }

test/iat.tests.js

@@ -1,20 +1,22 @@
 var jwt = require('../index');
 var expect = require('chai').expect;
 
-describe('iat', function() {
+describe('iat', function () {
 
-  it('should work with a numeric iat not changing the expiration date', function () {
-    var token = jwt.sign({foo: 123, iat: Math.floor(Date.now() / 1000) - 30}, '123', { expiresIn: 10 });
+  it('should work with a exp calculated based on numeric iat', function () {
+    var dateNow = Math.floor(Date.now() / 1000);
+    var iat = dateNow - 30;
+    var expiresIn = 50;
+    var token = jwt.sign({foo: 123, iat: iat}, '123', {expiresIn: expiresIn});
     var result = jwt.verify(token, '123');
-    expect(result.exp).to.be.closeTo(Math.floor(Date.now() / 1000) + 10, 0.2);
+    expect(result.exp).to.be.closeTo(iat + expiresIn, 0.2);
   });
 
 
   it('should throw if iat is not a number', function () {
     expect(function () {
-      jwt.sign({foo: 123, iat:'hello'}, '123');
+      jwt.sign({foo: 123, iat: 'hello'}, '123');
     }).to.throw(/"iat" must be a number/);
   });
 
-
-});
+});