
Commit

fix: skip validating iat is in the past when exp is present
validating that iat is in the past is common sense but actually nowhere
defined; in most applications tokens will contain `exp`, and for those
requiring a few seconds' leeway just to satisfy `iat` seems
inappropriate
panva committed Dec 17, 2019
1 parent 11ceb4e commit 0ed5025
Showing 3 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/README.md
Expand Up @@ -849,7 +849,7 @@ Verifies the claims and signature of a JSON Web Token.
- `ignoreExp`: `<Boolean>` When true will not be validating the "exp" claim value to be in the
future from now. **Default:** 'false'
- `ignoreIat`: `<Boolean>` When true will not be validating the "iat" claim value to be in the
past from now. **Default:** 'false'
past from now if expiration is not present. **Default:** 'false'
- `ignoreNbf`: `<Boolean>` When true will not be validating the "nbf" claim value to be in the
past from now. **Default:** 'false'
- `issuer`: `<string>` Expected issuer value. An exact match must be found in the payload.
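Review bot: the new wording "will not be validating the "iat" claim value to be in the past from now if expiration is not present" is ambiguous: it can be read as "ignoreIat only has an effect when exp is absent" rather than "the iat check is only performed when exp is absent". Suggest splitting it into two sentences, e.g. `When true will not be validating the "iat" claim value to be in the past from now.` followed by `The "iat" claim is only validated when the "exp" claim is not present.` Since this changes the default behaviour of `verify` for tokens that carry both claims, it should also be called out in the changelog.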
2 changes: 1 addition & 1 deletion lib/jwt/verify.js
Expand Up @@ -192,7 +192,7 @@ module.exports = (token, key, options = {}) => {
}
}

if (!ignoreIat && 'iat' in decoded.payload && decoded.payload.iat > unix + tolerance) {
if (!ignoreIat && !('exp' in decoded.payload) && 'iat' in decoded.payload && decoded.payload.iat > unix + tolerance) {
throw new JWTClaimInvalid('token issued in the future')
}

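Review bot: the new guard `!('exp' in decoded.payload)` tests only for the presence of `exp`, not for whether `exp` is actually being enforced. With `ignoreExp: true` (documented in the README hunk above) a token that carries both claims now has neither its `exp` nor its `iat` checked, so the "issued in the future" rejection silently disappears in exactly the configuration where `exp` no longer bounds the token's validity. Suggest tying the skip to an enforced `exp`, e.g. `const expEnforced = !ignoreExp && 'exp' in decoded.payload` and then `if (!ignoreIat && !expEnforced && 'iat' in decoded.payload && decoded.payload.iat > unix + tolerance)`, which also keeps the condition readable instead of one long line.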
6 changes: 6 additions & 0 deletions test/jwt/verify.test.js
Expand Up @@ -256,6 +256,12 @@ test('iat check (failed)', t => {
}, { instanceOf: errors.JWTClaimInvalid, message: 'token issued in the future' })
})

test('iat check (ignored since exp is also present)', t => {
const token = JWT.sign({}, key, { now: new Date((epoch + 1) * 1000), expiresIn: '2h' })
JWT.verify(token, key, { now })
t.pass()
})

test('iat check (passed because of ignoreIat)', t => {
const token = JWT.sign({}, key, { now: new Date((epoch + 1) * 1000) })
JWT.verify(token, key, { now, ignoreIat: true })
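Review bot: the added test only covers the accepting path (future `iat`, `exp` present, verify does not throw). It should be paired with a test showing that skipping the `iat` check does not loosen `exp` validation, i.e. a token signed with a future `iat` whose `exp` has already passed relative to `now` is still rejected with `errors.JWTClaimInvalid`; and, given that the new guard keys on the mere presence of `exp`, a test for the `ignoreExp: true` plus future-`iat` combination would document whichever behaviour is intended there. Also consider naming the new test consistently with its neighbours, e.g. `iat check (skipped because exp is present)`.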
