dwyl / hapi-auth-jwt2

:lock: Secure Hapi.js authentication plugin using JSON Web Tokens (JWT) in Headers, URL or Cookies
ISC License

ignoreExpiration - differences between auth-jwt2 and node-jsonwebtoken #210

Open cjnqt opened 7 years ago

cjnqt commented 7 years ago

A possibly important bug in the documentation:

The option ignoreExpiration is described here as "ignoreExpiration - ignore expired tokens".

But this is implemented by node-jsonwebtoken, which describes that option as "ignoreExpiration - if true do not validate the expiration of the token".

Don't these descriptions mean different things?

nelsonic commented 7 years ago

@cjnqt great question! (thanks for opening the issue to help us clarify this...!)

we need to check this in our tests... https://github.com/dwyl/hapi-auth-jwt2/tree/c2fe39237e1f1c6dc2ae2d6aae38e00dc343ded7/test

cjnqt commented 7 years ago

This is related: https://github.com/auth0/node-jsonwebtoken/blob/cc0f4d67b649110a035db3df9265f05db269a15a/test/jwt.hs.tests.js#L71

it('should NOT return an error when the token is expired with "ignoreExpiration"', function(done) {
  var token = jwt.sign({ exp: 1, foo: 'bar' }, secret, { algorithm: 'HS256' });
  jwt.verify(token, secret, { algorithm: 'HS256', ignoreExpiration: true }, function(err, decoded) {
    assert.ok(decoded.foo);
    assert.equal('bar', decoded.foo);
    assert.isNull(err);
    done();
  });
});
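
The behaviour this thread asks about, as an added example that is not part of the original issue and is not code from hapi-auth-jwt2 or node-jsonwebtoken: a small HS256 model built only on Node's crypto module, whose hypothetical `verify()` follows the node-jsonwebtoken wording quoted above, so `ignoreExpiration: true` skips the `exp` check and an expired token is accepted, while the signature is still verified. The helper names, the secret and the sample token are constructed for illustration.

```javascript
// Added example: minimal HS256 JWT model (hypothetical helpers, not the library's code).
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Models the option semantics: the signature is always checked,
// the exp claim is checked only when ignoreExpiration is not set.
function verify(token, secret, opts = {}) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('jwt malformed');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url'));
  if (header.alg !== 'HS256') throw new Error('invalid algorithm');
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url'));
  const now = Math.floor(Date.now() / 1000);
  if (!opts.ignoreExpiration &&
      typeof payload.exp === 'number' && now >= payload.exp) {
    throw new Error('jwt expired');
  }
  return payload;
}

function outcome(token, secret, opts) {
  try { return { accepted: true, payload: verify(token, secret, opts) }; }
  catch (e) { return { accepted: false, reason: e.message }; }
}

// Constructed sample: exp: 1 is one second after the Unix epoch, as in the quoted test.
const secret = 'constructed-demo-secret';
const expired = sign({ exp: 1, foo: 'bar' }, secret);
console.log(outcome(expired, secret, {}));                           // rejected: expired
console.log(outcome(expired, secret, { ignoreExpiration: true }));   // accepted
console.log(outcome(expired, 'wrong', { ignoreExpiration: true }));  // rejected: signature
```

With the option enabled, token lifetime has to be enforced somewhere else (for example in the application's own validation logic), because `exp` no longer causes a rejection.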