Hi, thanks for the great library — it’s been a pleasure to use.
I noticed a mismatch between the documentation and the implementation:
Docs: expiresIn and notBefore override any existing exp / nbf claims.
|
- `expiresIn`: Time span (in milliseconds or text describing time) after which the token expires, added as the `exp` claim in the payload as defined by the [section 4.1.4 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4). This will override any existing value in the claim. |
|
> Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). |
|
For more info look into [@lukeed/ms](https://www.npmjs.com/package/@lukeed/ms). |
Code: if exp / nbf is already present in the payload, it is left untouched.
|
exp: payload.exp ? payload.exp : expiresIn ? Math.floor((iat + expiresIn) / 1000) : undefined, |
|
nbf: payload.nbf ? payload.nbf : notBefore ? Math.floor((iat + notBefore) / 1000) : undefined |
This means that expiresIn (and similarly notBefore) do not actually override claims, contrary to what’s documented.
👉 I’d personally prefer the documented behavior (override) if this is an open decision, as it’s the least surprising.
Hi, thanks for the great library — it’s been a pleasure to use.
I noticed a mismatch between the documentation and the implementation:
Docs:
expiresInandnotBeforeoverride any existingexp/nbfclaims.fast-jwt/README.md
Lines 30 to 32 in ad60c83
Code: if
exp/nbfis already present in the payload, it is left untouched.fast-jwt/src/signer.js
Lines 97 to 98 in ad60c83
This means that expiresIn (and similarly notBefore) do not actually override claims, contrary to what’s documented.
👉 I’d personally prefer the documented behavior (override) if this is an open decision, as it’s the least surprising.