Signing a payload with a iat results in an invalid nbf value

[MitMaro]

Related Issue: #142

---

Problem Description

The calculation of payload.nbf does not use payload.iat when notBefore is passed an offset, and instead the current time is always used.

Expected

In this case I would expect that the payload.nbf value to be an offset based on the passed payload.iat. This would be consistent with payload.exp.

Reduced Test Case

const {sign, decode} = require('jsonwebtoken');
const token = sign({foo: 'bar', iat: 100}, 'secret', {notBefore: '-1s'});
const decoded = decode(token);
console.log(`Expecting nbf value ${decoded.nbf} to equal 99`);
> Expecting nbf value 1513884708 to equal 99

Investigation

It seems that the timestamp is not passed to timespan function on Line 148 of sign.js similar to how it is passed to the call on Line 155 of sign.js.

[MitMaro]

I would be willing to put up a PR fixing the issue with tests if this is not by design.

[ziluvatar]

@MitMaro I think this simply wasn't fixed when the timestamp was introduced for exp. #217. Be free to send a PR.