`options.jsonWebTokenOptions.ignoreExpiration` value is ignored
JasonCHT opened this issue · 2 comments
In the strategy, there's this code block when setting up the verify options:
var jsonWebTokenOptions = options.jsonWebTokenOptions || {};
//for backwards compatibility, still allowing you to pass
//audience / issuer / algorithms / ignoreExpiration
//on the options.
this._verifOpts = assign({}, jsonWebTokenOptions, {
audience: options.audience,
issuer: options.issuer,
algorithms: options.algorithms,
ignoreExpiration: !!options.ignoreExpiration
});
Because the value of options.ignoreExpiration
is cast to an explicit boolean value, if it is not provided, the default value of ignoreExpiration
will be set to false
.
This value will then override any value provided in jsonWebTokenOptions
due to the order of the objects listed in the assign
function. (Later sources override earlier ones, per MDN docs)
I also just ran into this issue. As described in MDN docs that @JasonCHT also mentioned the last object, in this case:
{
audience: options.audience,
issuer: options.issuer,
algorithms: options.algorithms,
ignoreExpiration: !!options.ignoreExpiration
}
overwrites anything set in jsonWebTokenOptions
. I do believe the correct solution would be to set the jsonWebTokenOptions
last in the assign
function call. This would allow properties in jsonWebTokenOptions
to have precedence over the once directly in the options object which feels like the more logical flow. It would also hinder the assign
function to overwrite any existing params in jsonWebTokenOptions
with undefined
.
can confirm, fixed in rewrite.