README and Comments Corrections After JWT Lib Change

[carwyn]

This is misleading, the current code won't check if the token has expired unless the user explicitly sets dates:

jwtauth/README.md

Lines 13 to 14 in 9448513

	request, decode it, verify it and then validate that its correctly signed and hasn't
	expired - the `jwtauth.Verifier` middleware handler takes care of all of that. The

The default no longer looks for the token in the query string:

jwtauth/jwtauth.go

Line 50 in 9448513

// 1. 'jwt' URI query parameter

No longer using this library:

jwtauth/jwtauth.go

Line 55 in 9448513

// or cookie header is then decoded by the `jwt-go` library and a *jwt.Token

[carwyn]

You can see via this example that the default dates in the encoded token are zero, meaning that expiry won't be checked due to how jwt.Validate() is written.

package main

import (
	"fmt"
	"github.com/go-chi/jwtauth/v5"
	//"github.com/lestrrat-go/jwx/jwt"
)

func main() {

	tokenAuth := jwtauth.New("HS256", []byte("secret"), nil)

	ptoken, _, _ := tokenAuth.Encode(map[string]interface{}{})

	fmt.Printf("Parsed Token = %+v\n", ptoken)

	fmt.Printf("iat = %v\n", ptoken.IssuedAt())
	fmt.Printf("exp = %v\n", ptoken.Expiration())
}

Prints:

Parsed Token = &{mu:0xc0000ca0c0 audience:[] expiration:<nil> issuedAt:<nil> issuer:<nil> jwtID:<nil> notBefore:<nil> subject:<nil> privateClaims:map[]}
iat = 0001-01-01 00:00:00 +0000 UTC
exp = 0001-01-01 00:00:00 +0000 UTC

Meanwhile over in github.com/lestrrat-go/jwx/jwt/validate.go if the times are time.IsZero() they will not be checked:

https://github.com/lestrrat-go/jwx/blob/d73df179e45758f1d18d0a7964b6c84f5dff83c9/jwt/validate.go#L85-L111