I was checking the implementation to see if we can utilize the `clockTolerance` option of the `jsonwebtoken` lib. First I was a bit disappointed and thought it was not possible, but then I realized that the options passed to the middleware are fully passed on to the `verify` call. Thus, it is indeed possible to set those options provided by the `jsonwebtoken` lib, it's just neither documented nor part of the type definitions (I did not verify if those options were added at a later point to the `jsonwebtoken` lib though!)
However, it'd be great if you could add those details.
https://www.npmjs.com/package/jsonwebtoken
Background: in my case the JWT is created by a remote server which provides the `nbf` claim as a unix timestamp with decimals. The `jsonwebtoken` lib uses its internal `clockTimestamp` (rounded down to full seconds) and compares it to the given `nbf`:
https://github.com/auth0/node-jsonwebtoken/blob/bc28861f1fa981ed9c009e29c044a19760a0b128/verify.js#L180C2-L182
What now happens: the remote system creates something like `1695972313.93304`, `verify` boils it down to `1695972313` and - assuming it IS `1695972313` - it complains due to the `payload.nbf > clockTimestamp`.
Checklist
I have searched through GitHub issues for similar issues.
I have completely read through the README and documentation.
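The comparison described in the issue, as an added example that is not part of the original post and not `jsonwebtoken`'s own code: `checkTimeClaims`, its result strings and the sample timestamps are hypothetical and constructed for illustration. It models the clock floored to whole seconds against a fractional `nbf`, and also applies the tolerance to `exp`, since the `jsonwebtoken` README describes `clockTolerance` as covering both the `nbf` and `exp` checks, so a larger tolerance also lengthens the window in which an expired token is still accepted.

```javascript
// Simplified model of the time-claim checks discussed in the issue.
// Not the library's code: checkTimeClaims and its return strings are hypothetical.
function checkTimeClaims(payload, nowMs, options = {}) {
  // Verifier clock truncated to whole seconds, as the issue describes.
  const clockTimestamp = Math.floor(nowMs / 1000);
  const tolerance = options.clockTolerance || 0; // seconds

  if (payload.nbf !== undefined) {
    if (typeof payload.nbf !== 'number') return 'invalid nbf';
    // A fractional nbf in the current second is always greater than the floored clock.
    if (payload.nbf > clockTimestamp + tolerance) return 'not active';
  }
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== 'number') return 'invalid exp';
    // The same tolerance pushes the expiry cut-off later.
    if (clockTimestamp >= payload.exp + tolerance) return 'expired';
  }
  return 'ok';
}

// Constructed sample: the nbf value from the issue plus a 60 s lifetime.
const samplePayload = { nbf: 1695972313.93304, exp: 1695972373 };

// Verification 950 ms into the nbf second: the real clock is already past nbf,
// but the floored clock (1695972313) is not.
const SAME_SECOND_MS = 1695972313950;
const AT_EXP_MS = 1695972373000;
const ONE_PAST_EXP_MS = 1695972374000;

function demo() {
  return {
    strict: checkTimeClaims(samplePayload, SAME_SECOND_MS),
    tolerant: checkTimeClaims(samplePayload, SAME_SECOND_MS, { clockTolerance: 1 }),
    atExpStrict: checkTimeClaims(samplePayload, AT_EXP_MS),
    atExpTolerant: checkTimeClaims(samplePayload, AT_EXP_MS, { clockTolerance: 1 }),
    pastTolerance: checkTimeClaims(samplePayload, ONE_PAST_EXP_MS, { clockTolerance: 1 }),
  };
}

console.log(demo());
```

A tolerance of one second is enough to absorb the sub-second part of `nbf`; anything larger only widens the acceptance window on both ends.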