fix: allow any JSON numeric value for timestamp values

> NumericDate > A JSON numeric value representing the number of seconds from > 1970-01-01T00:00:00Z UTC until the specified UTC date/time, > ignoring leap seconds. This is equivalent to the IEEE Std 1003.1, > 2013 Edition [POSIX.1] definition "Seconds Since the Epoch", in > which each day is accounted for by exactly 86400 seconds, other > than that non-integer values can be represented. See RFC 3339 > [RFC3339] for details regarding date/times in general and UTC in > particular.
panva · Jun 1, 2020 · 7ba4922 · 7ba4922
1 parent b50d695
commit 7ba4922
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/jwt/verify.js b/lib/jwt/verify.js
@@ -20,8 +20,8 @@ const isTimestamp = (value, label, required = false) => {
     throw new JWTClaimInvalid(`"${label}" claim is missing`, label, 'missing')
   }
 
-  if (value !== undefined && (typeof value !== 'number' || !Number.isSafeInteger(value))) {
-    throw new JWTClaimInvalid(`"${label}" claim must be a unix timestamp`, label, 'invalid')
+  if (value !== undefined && (typeof value !== 'number')) {
+    throw new JWTClaimInvalid(`"${label}" claim must be a JSON numeric value`, label, 'invalid')
   }
 }
 

diff --git a/test/jwt/verify.test.js b/test/jwt/verify.test.js
@@ -108,7 +108,7 @@ test('options.ignoreIat & options.maxTokenAge may not be used together', t => {
       const err = t.throws(() => {
         const invalid = JWS.sign({ [claim]: val }, key)
         JWT.verify(invalid, key)
-      }, { instanceOf: errors.JWTClaimInvalid, message: `"${claim}" claim must be a unix timestamp` })
+      }, { instanceOf: errors.JWTClaimInvalid, message: `"${claim}" claim must be a JSON numeric value` })
 
       t.is(err.claim, claim)
       t.is(err.reason, 'invalid')