auth0 / node-jsonwebtoken

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
MIT License

What is default behaviour if expiresIn option not set when signing? #795

Open GeekEast opened 3 years ago

GeekEast commented 3 years ago

Description

Currently, a client can get a client via jwt signing without passing an expiresIn attribute. For example,

import jwt from "jsonwebtoken"

const secret = jwt.sign({ a: "a" }, "secret")

console.log(secret)

So what's the default expiry date of the generated token? Like after 24 hours, or does it never expire?

Environment

AlexRex commented 3 years ago

I've been testing this, as I needed to know it as well.

I used the decoder at jwt.io, and it looks like if we ignore the expiresIn key, it does not include the exp key in the token. So, I guess, that means the token won't expire.

leandroruel commented 2 years ago

Weird, for me the verify function literally does nothing. I've inserted a token without aud, sub and exp and it is not validating this. This is driving me crazy, WHY!?

AsadShakeel commented 1 year ago

Any update here? What will happen if we do not set the expiresIn?

alex-chuev commented 1 year ago

According to the spec (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4), exp is an optional claim. So, if it's not defined, the token never expires.
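
An added example, not part of the thread and not code from the jsonwebtoken project: since a token signed without expiresIn carries no exp claim, a service that wants bounded lifetimes has to enforce that itself on the payload that signature verification returns. The helper names (`sampleToken`, `peekPayload`, `checkLifetime`), the one-hour limit and the sample tokens with their placeholder signature are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, sample tokens are constructed.

// Build a compact-JWS-shaped string for inspection. The signature segment is
// a placeholder, so these samples would NOT pass real signature verification.
function sampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return [enc({ alg: "HS256", typ: "JWT" }), enc(payload), "constructed-sig"].join(".");
}

// Decode the payload segment without verifying anything (what a JWT decoder
// page does). Use only for inspection, never for authorization.
function peekPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Policy check for a payload that signature verification already accepted:
// exp must exist, lie in the future, and be at most maxLifetime after iat.
function checkLifetime(payload, now, maxLifetime = 3600) {
  const isNum = (v) => typeof v === "number" && Number.isFinite(v);
  if (!isNum(payload.exp)) return "missing exp";
  if (payload.exp <= now) return "expired";
  if (!isNum(payload.iat)) return "missing iat";
  if (payload.exp - payload.iat > maxLifetime) return "lifetime too long";
  return "ok";
}

const NOW = 1700000100; // constructed clock value, seconds since epoch
// Payload shape from the sign() call in the question: no exp (iat is added by default).
const noExpiry = sampleToken({ a: "a", iat: 1700000000 });
const oneHour = sampleToken({ a: "a", iat: 1700000000, exp: 1700003600 });
const tenYears = sampleToken({ a: "a", iat: 1700000000, exp: 2015360000 });

for (const [name, tok] of Object.entries({ noExpiry, oneHour, tenYears })) {
  console.log(name, "->", checkLifetime(peekPayload(tok), NOW));
}
```

In a real service, `checkLifetime` would receive the object returned by `jwt.verify`, never the output of an unverified decode. The library's `verify` also accepts a `maxAge` option that bounds token age from iat.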