From 26d0688b394f5b3575bd31afc61f7411797f8274 Mon Sep 17 00:00:00 2001
From: David Ge Liu
Date: Tue, 26 Mar 2024 13:20:42 -0500
Subject: [PATCH] Disable verifying token issued-at timestamp

PyJWT v2.8.0 verifies `iat` (issued-at timestamp) by default. There are several discussions on disabling this check, since it is not within spec. [Cognito's token verification guide](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-manually-inspect) does not suggest verifying `iat`, unlike `exp`. Other discussions: https://github.com/jpadilla/pyjwt/issues/814 https://github.com/jpadilla/pyjwt/issues/939
---
 pycognito/__init__.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pycognito/__init__.py b/pycognito/__init__.py
index 2b2d9b2c..f093cfea 100644
--- a/pycognito/__init__.py
+++ b/pycognito/__init__.py
@@ -260,6 +260,7 @@ def verify_token(self, token, id_name, token_use):
 issuer=self.user_pool_url,
 options={
 "require": required_claims,
+ "verify_iat": False,
 },
 )
 except jwt.PyJWTError as err:
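Review bot: The new `"verify_iat": False` entry in the `options` dict of `verify_token` turns off a token validation step with no inline comment, so a later reader cannot tell it was deliberate rather than a leftover debugging change. I would put the reason next to it, e.g. `# iat is informational (RFC 7519); PyJWT's future-iat check fails on small clock skew, exp stays at the library default`. If clock skew is the actual trigger, passing a small `leeway` to the decode call would tolerate it while still rejecting tokens stamped far in the future. The start of the call is outside the hunk, so I cannot see whether `leeway` is already set. As far as I know, PyJWT's integer check on `iat` is part of the same option, so any code that later reads `iat` from the decoded claims should not assume its type was validated. A regression test with a token whose `iat` is slightly ahead of the local clock would pin the intended behaviour.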