From 398ccd25ea12fa84b9e4f1085d5ff448c21ec797 Mon Sep 17 00:00:00 2001
From: croensch
Date: Tue, 23 May 2023 15:57:20 +0200
Subject: [PATCH] fix: only check iat if nbf is not used (#493)
---
 src/JWT.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/JWT.php b/src/JWT.php
index c83ff099..7e190a3e 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -156,7 +156,7 @@ public static function decode(
 // Check that this token has been created before 'now'. This prevents
 // using tokens that have been created for later use (and haven't
 // correctly used the nbf claim).
- if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
+ if (!isset($payload->nbf) && isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
 throw new BeforeValidException(
 'Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat)
 );
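Review bot: The added `!isset($payload->nbf)` guard switches the `iat` check off on the mere presence of an `nbf` claim, whatever its type, so the not-yet-valid guarantee now rests entirely on the `nbf` comparison, which is outside this hunk. If that comparison does not reject non-numeric values (an empty string or `false` would likely compare as not greater than the timestamp), such a token passes both time checks; consider requiring a numeric claim before it may override, e.g. `$hasNbf = isset($payload->nbf) && \is_numeric($payload->nbf);` followed by `if (!$hasNbf && isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {`. The comment above the condition should also state that `iat` is now only a fallback, for example `// Only enforced when nbf is absent; a present nbf alone decides when the token becomes valid.` The diffstat lists only src/JWT.php, so a test for a token with a past `nbf` and a future `iat` (and one with a malformed `nbf`) would pin the new behaviour. decode() starts and ends outside the hunk.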