allow iat override for JWT pack

jschlyter · jschlyter · commit b9a0c0fa57ce · 2023-07-22T21:33:13.000-07:00
diff --git a/src/cryptojwt/jwt.py b/src/cryptojwt/jwt.py
@@ -179,13 +179,13 @@ def put_together_aud(recv, aud=None):
 
         return _aud
 
-    def pack_init(self, recv, aud):
+    def pack_init(self, recv, aud, iat=None):
         """
         Gather initial information for the payload.
 
         :return: A dictionary with claims and values
         """
-        argv = {"iss": self.iss, "iat": utc_time_sans_frac()}
+        argv = {"iss": self.iss, "iat": iat or utc_time_sans_frac()}
         if self.lifetime:
             argv["exp"] = argv["iat"] + self.lifetime
 
@@ -210,7 +210,7 @@ def pack_key(self, issuer_id="", kid=""):
 
         return keys[0]  # Might be more then one if kid == ''
 
-    def pack(self, payload=None, kid="", issuer_id="", recv="", aud=None, **kwargs):
+    def pack(self, payload=None, kid="", issuer_id="", recv="", aud=None, iat=None, **kwargs):
         """
 
         :param payload: Information to be carried as payload in the JWT
@@ -219,13 +219,14 @@ def pack(self, payload=None, kid="", issuer_id="", recv="", aud=None, **kwargs):
         :param recv: The intended immediate receiver
         :param aud: Intended audience for this JWS/JWE, not expected to
             contain the recipient.
+        :param iat: Override issued at (default current timestamp)
         :param kwargs: Extra keyword arguments
         :return: A signed or signed and encrypted Json Web Token
         """
         _args = {}
         if payload is not None:
             _args.update(payload)
-        _args.update(self.pack_init(recv, aud))
+        _args.update(self.pack_init(recv, aud, iat))
 
         try:
             _encrypt = kwargs["encrypt"]
diff --git a/tests/test_09_jwt.py b/tests/test_09_jwt.py
@@ -135,15 +135,29 @@ def test_jwt_pack_and_unpack_max_lifetime_exceeded():
         _ = bob.unpack(_jwt)
 
 
-def test_jwt_pack_and_unpack_unknown_issuer():
-    alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256")
+def test_jwt_pack_and_unpack_max_lifetime_exceeded():
+    lifetime = 3600
+    alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256", lifetime=lifetime)
     payload = {"sub": "sub"}
     _jwt = alice.pack(payload=payload)
 
-    kj = KeyJar()
-    bob = JWT(key_jar=kj, iss=BOB, allowed_sign_algs=["RS256"])
-    with pytest.raises(IssuerNotFound):
-        info = bob.unpack(_jwt)
+    bob = JWT(
+        key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"], allowed_max_lifetime=lifetime - 1
+    )
+    with pytest.raises(VerificationError):
+        _ = bob.unpack(_jwt)
+
+
+def test_jwt_pack_and_unpack_timestamp():
+    lifetime = 3600
+    alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256", lifetime=lifetime)
+    payload = {"sub": "sub"}
+    _jwt = alice.pack(payload=payload, iat=42)
+
+    bob = JWT(key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"])
+    _ = bob.unpack(_jwt, timestamp=42)
+    with pytest.raises(VerificationError):
+        _ = bob.unpack(_jwt)
 
 
 def test_jwt_pack_and_unpack_unknown_key():
