go-chi / jwtauth

JWT authentication middleware for Go HTTP services
MIT License

README and Comments Corrections After JWT Lib Change #60

Open carwyn opened 3 years ago

carwyn commented 3 years ago

This is misleading: the current code won't check whether the token has expired unless the user explicitly sets dates:

https://github.com/go-chi/jwtauth/blob/9448513887112ff1d7f7ebed4f5fdf39569bcc8c/README.md#L13-L14

The default no longer looks for the token in the query string:

https://github.com/go-chi/jwtauth/blob/9448513887112ff1d7f7ebed4f5fdf39569bcc8c/jwtauth.go#L50

No longer using this library:

https://github.com/go-chi/jwtauth/blob/9448513887112ff1d7f7ebed4f5fdf39569bcc8c/jwtauth.go#L55

carwyn commented 3 years ago

You can see via this example that the default dates in the encoded token are zero, meaning that expiry won't be checked due to how jwt.Validate() is written.

package main

import (
    "fmt"

    "github.com/go-chi/jwtauth/v5"
)

func main() {
    // HS256 auth with a demo secret; no extra options.
    tokenAuth := jwtauth.New("HS256", []byte("secret"), nil)

    // Encode with an empty claim set: no iat, no exp are added by default.
    ptoken, _, _ := tokenAuth.Encode(map[string]interface{}{})

    fmt.Printf("Parsed Token = %+v\n", ptoken)

    // Both accessors return the zero time.Time when the claim is absent.
    fmt.Printf("iat = %v\n", ptoken.IssuedAt())
    fmt.Printf("exp = %v\n", ptoken.Expiration())
}

Prints:

Parsed Token = &{mu:0xc0000ca0c0 audience:[] expiration:<nil> issuedAt:<nil> issuer:<nil> jwtID:<nil> notBefore:<nil> subject:<nil> privateClaims:map[]}
iat = 0001-01-01 00:00:00 +0000 UTC
exp = 0001-01-01 00:00:00 +0000 UTC

Meanwhile, over in github.com/lestrrat-go/jwx/jwt/validate.go, if the times are time.IsZero() they will not be checked:

https://github.com/lestrrat-go/jwx/blob/d73df179e45758f1d18d0a7964b6c84f5dff83c9/jwt/validate.go#L85-L111
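The defensive consequence of the behaviour described in this issue is that a verifier should treat a missing exp as a rejection, not as "never expires". The following is an added, standard-library-only example (not code from go-chi/jwtauth or lestrrat-go/jwx) that mints HS256 JWTs in the real compact format and verifies them under that policy: signature must match, the header alg must be HS256, exp must be present, and exp must be in the future. The secret, subject and timestamps are constructed for the example. With jwx itself the equivalent is a validate option that marks exp as required (jwt.WithRequiredClaim); confirm the exact option name and its availability against the jwx version you use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered claims this example cares about.
// Pointers let "claim absent" (nil) be distinguished from a literal 0.
type Claims struct {
	Sub string `json:"sub,omitempty"`
	Iat *int64 `json:"iat,omitempty"`
	Exp *int64 `json:"exp,omitempty"`
}

var (
	ErrMalformed    = errors.New("jwt: malformed token")
	ErrBadAlg       = errors.New("jwt: unexpected alg in header")
	ErrBadSignature = errors.New("jwt: signature mismatch")
	ErrMissingExp   = errors.New("jwt: exp claim missing")
	ErrExpired      = errors.New("jwt: token expired")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces an HS256 compact JWT over the given claims.
func Sign(secret []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// Verify checks the signature and then applies an expiry policy in which an
// absent exp is rejected outright, unlike a validator that skips zero times.
// "now" is injected so the policy is testable without a real clock.
func Verify(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrMalformed
	}
	// Pin the algorithm: only HS256 with this secret is acceptable.
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return c, ErrBadAlg
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, ErrBadSignature
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, ErrMalformed
	}
	if err := json.Unmarshal(pb, &c); err != nil {
		return c, ErrMalformed
	}
	if c.Exp == nil {
		return c, ErrMissingExp
	}
	if !now.Before(time.Unix(*c.Exp, 0)) {
		return c, ErrExpired
	}
	return c, nil
}

func main() {
	secret := []byte("example-secret") // constructed for the example
	now := time.Now()
	past, future := now.Add(-time.Minute).Unix(), now.Add(time.Hour).Unix()

	for name, c := range map[string]Claims{
		"no exp":  {Sub: "alice"},
		"expired": {Sub: "alice", Exp: &past},
		"valid":   {Sub: "alice", Exp: &future},
	} {
		tok, _ := Sign(secret, c)
		_, err := Verify(secret, tok, now)
		fmt.Printf("%-8s -> err=%v\n", name, err)
	}
}
```

The "no exp" case is the one this issue is about: jwtauth.New(...).Encode with an empty claim map yields exactly such a token, and a validator that silently skips zero times would accept it indefinitely.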