Open
Description
This is the logic I am referring to:

```js
// Check if the token is expired
if (!!authInfo.expiresAt && authInfo.expiresAt < Date.now() / 1000) {
  throw new InvalidTokenError("Token has expired");
}
```
If, for whatever reason, the token expiration is set to `0` (e.g., a dummy value to signal the need for a refresh), then `!!authInfo.expiresAt` will evaluate to `false`, meaning that no error is thrown and the token might be considered verified.

And for what it's worth, `0` should not be treated as "token doesn't expire" - that is signaled by the lack of an `exp` claim (as it is optional).
I rewrote it like this in my custom middleware handler:

```js
if (!authInfo.expiresAt) {
  throw new InvalidTokenError("Token has no expiration time");
} else if (authInfo.expiresAt < Date.now() / 1000) {
  throw new InvalidTokenError("Token has expired");
}
```
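The following is an added example, not code from the project or from the issue author, that runs the original falsy check and a stricter check side by side over a few constructed `authInfo` objects. It assumes `expiresAt` is a Unix timestamp in seconds (or absent when the token carries no `exp` claim) and uses a local `InvalidTokenError` stand-in; the clock is fixed so the results are deterministic. The strict variant follows the point made above: only a missing claim means "does not expire", while `0` is compared against the clock like any other number, and a non-numeric value is rejected outright.

```javascript
// Added example (not the project's code): contrasting a falsy check on
// expiresAt with one that distinguishes "no exp claim" from "exp = 0".
// Assumptions: expiresAt is a Unix timestamp in seconds, or undefined when
// the token has no exp claim; InvalidTokenError is a local stand-in class.
class InvalidTokenError extends Error {
  constructor(message) {
    super(message);
    this.name = "InvalidTokenError";
  }
}

// Mirrors the original check: `!!authInfo.expiresAt` is false for 0, so a
// token with expiresAt = 0 passes as if it never expired.
function checkExpiryFalsy(authInfo, nowSeconds) {
  if (!!authInfo.expiresAt && authInfo.expiresAt < nowSeconds) {
    throw new InvalidTokenError("Token has expired");
  }
  return "accepted";
}

// Stricter check: only an absent exp claim means "does not expire";
// any numeric value, including 0, is compared against the clock, and a
// value that is not a finite number is rejected rather than coerced.
function checkExpiryStrict(authInfo, nowSeconds) {
  const exp = authInfo.expiresAt;
  if (exp === undefined || exp === null) {
    return "accepted"; // exp claim is optional: token does not expire
  }
  if (typeof exp !== "number" || !Number.isFinite(exp)) {
    throw new InvalidTokenError("Token has a malformed expiration time");
  }
  if (exp < nowSeconds) {
    throw new InvalidTokenError("Token has expired");
  }
  return "accepted";
}

// Runs a check and reports the outcome as a string instead of throwing.
function outcome(check, authInfo, nowSeconds) {
  try {
    return check(authInfo, nowSeconds);
  } catch (err) {
    if (err instanceof InvalidTokenError) return `rejected: ${err.message}`;
    throw err;
  }
}

// Constructed sample inputs; NOW is fixed so the comparison is repeatable.
const NOW = 1700000000;
const SAMPLES = {
  zeroExp: { expiresAt: 0 },        // dummy value meaning "needs refresh"
  noExp: {},                        // no exp claim at all
  expired: { expiresAt: NOW - 60 }, // expired one minute ago
  valid: { expiresAt: NOW + 3600 }, // valid for another hour
  malformed: { expiresAt: "0" },    // string instead of a number
};

// Returns { sampleName: { falsy: outcome, strict: outcome } } for each sample.
function compare() {
  const rows = {};
  for (const [name, info] of Object.entries(SAMPLES)) {
    rows[name] = {
      falsy: outcome(checkExpiryFalsy, info, NOW),
      strict: outcome(checkExpiryStrict, info, NOW),
    };
  }
  return rows;
}

console.log(JSON.stringify(compare(), null, 2));
```

The `zeroExp` row is the case described in this issue: the falsy check accepts it, the strict check rejects it as expired. The `malformed` row shows a second effect of relying on JavaScript coercion: the `<` comparison silently converts the string `"0"` to a number, so the falsy check happens to reject it, but only by accident of the value chosen.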