Iat check uses leeway.

lib/jwt.rb

@@ -167,7 +167,7 @@ def decode(jwt, key=nil, verify=true, options={}, &keyfinder)
       fail JWT::InvalidIssuerError.new("Invalid issuer. Expected #{options['iss']}, received #{payload['iss'] || '<none>'}") unless payload['iss'].to_s == options['iss'].to_s
     end
     if options[:verify_iat] && payload.include?('iat')
-      fail JWT::InvalidIatError.new('Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= Time.now.to_i
+      fail JWT::InvalidIatError.new('Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= (Time.now.to_i + options[:leeway])
     end
     if options[:verify_aud] && options['aud']
       if payload['aud'].is_a?(Array)

spec/jwt_spec.rb

@@ -138,6 +138,22 @@
     expect { JWT.decode(example_jwt, example_secret, true, :verify_iat => true, 'iat' => 1425917209) }.to raise_error(JWT::InvalidIatError)
   end
 
+  it 'raises decode exception when iat is in the future' do
+    invalid_payload = @payload.clone
+    invalid_payload['iat'] = Time.now.to_i + 3
+    secret = 'secret'
+    jwt = JWT.encode(invalid_payload, secret)
+    expect { JWT.decode(jwt, secret, true, :verify_iat => true) }.to raise_error(JWT::InvalidIatError)
+  end
+
+  it 'performs normal decode if iat is within leeway' do
+    invalid_payload = @payload.clone
+    invalid_payload['iat'] = Time.now.to_i + 3
+    secret = 'secret'
+    jwt = JWT.encode(invalid_payload, secret)
+    expect { JWT.decode(jwt, secret, true, :verify_iat => true, :leeway => 3) }.to_not raise_error
+  end
+
   it 'decodes valid JWTs with jti' do
     example_payload = { 'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209') }
     example_secret = 'secret'