mikenicholson/passport-jwt

`options.jsonWebTokenOptions.ignoreExpiration` value is ignored

JasonCHT opened this issue · 2 comments

In the strategy, there's this code block when setting up the verify options:

    var jsonWebTokenOptions = options.jsonWebTokenOptions || {};
    //for backwards compatibility, still allowing you to pass
    //audience / issuer / algorithms / ignoreExpiration
    //on the options.
    this._verifOpts = assign({}, jsonWebTokenOptions, {
      audience: options.audience,
      issuer: options.issuer,
      algorithms: options.algorithms,
      ignoreExpiration: !!options.ignoreExpiration
    });

Because the value of options.ignoreExpiration is cast to an explicit boolean value, if it is not provided, the default value of ignoreExpiration will be set to false.

This value will then override any value provided in jsonWebTokenOptions due to the order of the objects listed in the assign function. (Later sources override earlier ones, per MDN docs)

I also just ran into this issue. As described in the MDN docs that @JasonCHT also mentioned, the last object, in this case:

    {
      audience: options.audience,
      issuer: options.issuer,
      algorithms: options.algorithms,
      ignoreExpiration: !!options.ignoreExpiration
    }

overwrites anything set in jsonWebTokenOptions. I do believe the correct solution would be to set the jsonWebTokenOptions last in the assign function call. This would allow properties in jsonWebTokenOptions to have precedence over the ones directly in the options object, which feels like the more logical flow. It would also prevent the assign function from overwriting any existing params in jsonWebTokenOptions with undefined.

can confirm, fixed in rewrite.
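The merge order discussed in this issue, as an added example that is not part of the thread or of the passport-jwt code base. It assumes the strategy's `assign` helper behaves like `Object.assign`; `mergeAsReported`, `mergeAsProposed`, `clobberedKeys` and the sample configuration are hypothetical names and values constructed here.

```javascript
// Merge as quoted in the issue: the legacy top-level keys come last, so they
// win even when they are undefined (Object.assign copies undefined values).
function mergeAsReported(options) {
  const jsonWebTokenOptions = options.jsonWebTokenOptions || {};
  return Object.assign({}, jsonWebTokenOptions, {
    audience: options.audience,
    issuer: options.issuer,
    algorithms: options.algorithms,
    ignoreExpiration: !!options.ignoreExpiration
  });
}

// Hypothetical alternative following the proposal in the comments: legacy keys
// are copied only when provided, and jsonWebTokenOptions is applied last.
function mergeAsProposed(options) {
  const legacy = {};
  for (const key of ['audience', 'issuer', 'algorithms']) {
    if (options[key] !== undefined) legacy[key] = options[key];
  }
  if (options.ignoreExpiration !== undefined) {
    legacy.ignoreExpiration = !!options.ignoreExpiration;
  }
  // Safe default first: expiration is enforced unless explicitly disabled.
  return Object.assign({ ignoreExpiration: false }, legacy,
    options.jsonWebTokenOptions || {});
}

// Lists the jsonWebTokenOptions keys whose configured value did not survive.
function clobberedKeys(options, merged) {
  const configured = options.jsonWebTokenOptions || {};
  return Object.keys(configured).filter((k) => merged[k] !== configured[k]);
}

// Constructed sample: every verify option is supplied via jsonWebTokenOptions.
const sample = {
  jsonWebTokenOptions: {
    audience: 'api.example.test',
    issuer: 'auth.example.test',
    ignoreExpiration: true,
    maxAge: '1h'
  }
};

const reported = mergeAsReported(sample);
const proposed = mergeAsProposed(sample);
console.log('reported merge lost:', clobberedKeys(sample, reported));
console.log('proposed merge lost:', clobberedKeys(sample, proposed));
```

With the reported order, the `audience` and `issuer` values set in `jsonWebTokenOptions` are replaced by `undefined` as well, so a check like `clobberedKeys` in a unit test catches verification constraints that were configured but never reach the verifier.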