Compute exp according to iat

[c100k]

Hello,

In my tests, I'm "freezing" the time so I test everything that is date-dependent always at the same time.
For instance, I'm asserting via a snapshot that my sign in function always returns the same JWT.

But there is an issue with jose. The snapshots always differ because even if I set issuedAt at a specific time, expirationTime is computed from the actual current time.

Here is a small snippet to illustrate :

import { decodeJwt, SignJWT } from 'jose';

const secret = 'mysupersecret';
const payload = { email: 'toto@gmail.com' };
const now = new Date();

const builder = new SignJWT(payload)
    .setExpirationTime('2h')
    .setIssuedAt(now)
    .setProtectedHeader({
        alg: 'HS256',
    });

async function sign() {
    let jwt = await builder.sign(new TextEncoder().encode(secret));
    let decoded = decodeJwt(jwt);
    console.log({
        jwt,
        decoded,
        expISO: new Date(decoded.exp! * 1000).toISOString(),
        iatISO: new Date(decoded.iat! * 1000).toISOString(),
    });
}

await sign();
builder.setIssuedAt(new Date('2024-03-10T14:30:00Z'));
await sign();

bun jose.ts

{
  jwt: "eyJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InRvdG9AZ21haWwuY29tIiwiZXhwIjoxNzY2OTI0OTc1LCJpYXQiOjE3NjY5MTc3NzV9.Cw_8AQLrXyjcVDRhF5dVecJs4-yfPBpfHISqTE2nrdU",
  decoded: {
    email: "toto@gmail.com",
    exp: 1766924975,
    iat: 1766917775,
  },
  expISO: "2025-12-28T12:29:35.000Z", // ✅ in 2 hours
  iatISO: "2025-12-28T10:29:35.000Z", // ✅ took the current time
}
{
  jwt: "eyJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InRvdG9AZ21haWwuY29tIiwiZXhwIjoxNzY2OTI0OTc1LCJpYXQiOjE3MTAwODEwMDB9.b1v9Dp_MnZhqLQMuy6AYwvJrLqjizQcOq0oqU-T8q3o",
  decoded: {
    email: "toto@gmail.com",
    exp: 1766924975,
    iat: 1710081000,
  },
  expISO: "2025-12-28T12:29:35.000Z", // ❌ computed from the current time vs the issuedAt time
  iatISO: "2024-03-10T14:30:00.000Z", // ✅ took the time passed to issuedAt
}

In the output above, I'd expect the last expISO to be 2024-03-10T16:30:00.000Z (i.e. 2 hours after the issue time).

Do you think it's doable/desirable to have expirationTime computed from issuedAt when the provided value is a string duration (e.g. 2h, 4 days) ? Maybe it could be interesting to have a dedicated setExpirationIn or similar ?

I'm naturally aware that this could be a breaking change, hence the opening of this discussion.
I'm also aware that we could compute the expirationTime ourselves but that would make us reimplement the 2h, 4 days parsing logic, which would be unfortunate since jose does it really well.

Best,

[panva]

If you want to freeze time you have to make it so that date is also frozen, e.g. with https://www.npmjs.com/package/timekeeper

the timespan syntax works off of current date, not the token's iat