feat: set nbf to iat in generated jwt (#6)

Author: peterpeterparker

src/decorators/jwt.ts

@@ -39,13 +39,16 @@ export class JwtDecorator {
 		issuer: string;
 		audience: string;
 	}): Promise<string> => {
+		const timestamp = new Date();
+
 		return new SignJWT(payload)
 			.setProtectedHeader({ alg: 'RS256', kid: JWT_KEY_ID })
 			.setSubject(subject)
 			.setIssuer(issuer)
 			.setAudience(audience)
 			.setExpirationTime('1h')
-			.setIssuedAt()
+			.setNotBefore(timestamp)
+			.setIssuedAt(timestamp)
 			.sign(privateKey);
 	};
 

test/decorators/jwt.test.ts

@@ -56,6 +56,24 @@ describe('decorators > jwt', () => {
 			expect(diff).toBeGreaterThan(3500); // ~58 minutes
 			expect(diff).toBeLessThan(3700); // ~61 minutes
 		});
+
+		it('should set nbf equal to iat', async () => {
+			const token = await jwt.signOpenIdJwt({
+				payload: {},
+				subject: 'user-123',
+				issuer: 'test',
+				audience: 'test'
+			});
+
+			const result = await jwt.verify(token);
+
+			if (!result.valid) {
+				expect(true).toBeFalsy();
+				return;
+			}
+
+			expect(result.payload.nbf).toBe(result.payload.iat);
+		});
 	});
 
 	describe('signOAuthJwt', () => {