From f3dfdff3bbb344ef3b9f37e6a52005dfb6c6033e Mon Sep 17 00:00:00 2001
From: Toby
Date: Fri, 23 Feb 2024 23:42:38 +0100
Subject: [PATCH] fix falsly invalid tokens
---
 src/index.ts | 4 ++--
 tests/index.spec.ts | 23 ++++++++++++++++-------
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index afe5d36..ff0aa82 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -221,10 +221,10 @@ export async function verify(token: string, secret: string | JsonWebKey | Crypto
 const now = Math.floor(Date.now() / 1000)
- if (payload.nbf && Math.abs(payload.nbf - now) > (options.clockTolerance ?? 0))
+ if (payload.nbf && payload.nbf > now && Math.abs(payload.nbf - now) > (options.clockTolerance ?? 0))
 throw new Error('NOT_YET_VALID')
- if (payload.exp && Math.abs(payload.exp - now) > (options.clockTolerance ?? 0))
+ if (payload.exp && payload.exp <= now && Math.abs(payload.exp - now) > (options.clockTolerance ?? 0))
 throw new Error('EXPIRED')
 const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ['verify'])
diff --git a/tests/index.spec.ts b/tests/index.spec.ts
index 0331079..ed5cb8d 100644
--- a/tests/index.spec.ts
+++ b/tests/index.spec.ts
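Review bot: In the `src/index.ts` hunk, a token whose `exp` equals the current second is still accepted at the default tolerance, because `payload.exp <= now` is followed by `Math.abs(payload.exp - now) > (options.clockTolerance ?? 0)`, which is false when the difference is 0; RFC 7519 requires the current time to be strictly before `exp`. Now that the direction is checked explicitly, the `Math.abs` is redundant and the two conditions could read `payload.nbf > now + tolerance` and `payload.exp <= now - tolerance` with `const tolerance = options.clockTolerance ?? 0`. That tightening would change the outcome of the existing 'Clock offset' test, which verifies `exp: now - offset` with `clockTolerance: offset`, so the intended boundary should be decided and tested explicitly. The truthiness guards `payload.nbf &&` / `payload.exp &&` also skip the check for a claim value of `0`, and a claim that is not a number can compare as NaN and never throw, so a `typeof payload.exp === 'number'` guard that rejects other types would be safer. The body of `verify` starts and continues outside the hunk.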
@@ -125,12 +125,21 @@ describe('Verify', async () => {
 const secret = 'super-secret'
 const now = Math.floor(Date.now() / 1000)
- const off = 30 // 30 seconds
- const nbf = now + off // Not valid before 30 seconds from now
- const exp = now - off // Expired 30 seconds ago
+ const offset = 30 // 30 seconds
- const notYetValidToken = await jwt.sign({ sub: 'me', nbf }, secret)
- const expiredToken = await jwt.sign({ sub: 'me', exp }, secret)
+ const validToken = await jwt.sign({ sub: 'me', nbf: now - offset }, secret)
+ const notYetExpired = await jwt.sign({ sub: 'me', exp: now + offset }, secret)
+
+ const notYetValidToken = await jwt.sign({ sub: 'me', nbf: now + offset }, secret)
+ const expiredToken = await jwt.sign({ sub: 'me', exp: now - offset }, secret)
+
+ test('Valid', () => {
+ expect(jwt.verify(validToken, secret, { throwError: true })).resolves.toBe(true)
+ })
+
+ test('Not yet expired', () => {
+ expect(jwt.verify(notYetExpired, secret, { throwError: true })).resolves.toBe(true)
+ })
 test('Not yet valid', () => {
 expect(jwt.verify(notYetValidToken, secret, { throwError: true })).rejects.toThrowError('NOT_YET_VALID')
@@ -141,7 +150,7 @@ describe('Verify', async () => {
 })
 test('Clock offset', () => {
- expect(jwt.verify(notYetValidToken, secret, { clockTolerance: off, throwError: true })).resolves.toBe(true)
- expect(jwt.verify(expiredToken, secret, { clockTolerance: off, throwError: true })).resolves.toBe(true)
+ expect(jwt.verify(notYetValidToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBe(true)
+ expect(jwt.verify(expiredToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBe(true)
 })
 })
\ No newline at end of file
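Review bot: The two added tests in the first hunk ('Valid' and 'Not yet expired') neither return nor await the `expect(...).resolves` chain, so the test callback finishes before `jwt.verify` settles and a failing assertion may not be attributed to the test; the surrounding tests follow the same pattern. Making each callback async and awaiting the assertion, e.g. `test('Valid', async () => { await expect(jwt.verify(validToken, secret, { throwError: true })).resolves.toBe(true) })`, makes the result binding. All four tokens sit 30 seconds away from the boundary, so the behaviour at `exp` or `nbf` equal to the current second is not covered; a case with `exp: now` would pin what the verifier is meant to do there.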