From 903345484a904fe8b96255deec64995e416cc8f0 Mon Sep 17 00:00:00 2001
From: Pranav
Date: Mon, 29 Jun 2026 10:35:29 +0530
Subject: [PATCH 1/2] fix(verify): add upper bound validation for clockTolerance option

---
 verify.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/verify.js b/verify.js
index cdbfdc45..2bd5a2c3 100644
--- a/verify.js
+++ b/verify.js
@@ -186,6 +186,11 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
       if (typeof payload.exp !== 'number') {
         return done(new JsonWebTokenError('invalid exp value'));
       }
+      if (options.clockTolerance !== undefined && options.clockTolerance > 300) {
+        return done(new JsonWebTokenError(
+          'clockTolerance must not exceed 300 seconds to prevent accidental expiry bypass'
+        ));
+      }
       if (clockTimestamp >= payload.exp + (options.clockTolerance || 0)) {
         return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
       }

From 1084daf4ce0c38c0360fbecc7d5c4679763d59cb Mon Sep 17 00:00:00 2001
From: Pranav
Date: Mon, 29 Jun 2026 10:50:37 +0530
Subject: [PATCH 2/2] fix(verify): add upper bound of 300s for clockTolerance option

---
 verify.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/verify.js b/verify.js
index 2bd5a2c3..3f27a17d 100644
--- a/verify.js
+++ b/verify.js
@@ -28,7 +28,6 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
     options = {};
   }
 
-  //clone this object since we are going to mutate it.
   options = Object.assign({}, options);
 
   let done;
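Review bot: The `clockTolerance > 300` guard added in PATCH 1's @@ -186 hunk (and kept verbatim where PATCH 2 moves it to the @@ -46 hunk) only rejects numbers above the bound and never checks that the option is a number at all. A non-numeric value such as the string `'abc'` fails the `> 300` test, is truthy so it survives the `|| 0` fallback on the next line, and turns `payload.exp + (options.clockTolerance || 0)` into a string, so the `clockTimestamp >= …` comparison is false and the token is treated as not expired. The same function already rejects a non-numeric `clockTimestamp` with `'clockTimestamp must be a number'`, so the same shape fits here: `if (options.clockTolerance !== undefined && (!Number.isFinite(options.clockTolerance) || options.clockTolerance < 0 || options.clockTolerance > 300)) {`. The enclosing exported function starts and ends outside the hunk.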
@@ -46,6 +45,12 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { return done(new JsonWebTokenError('clockTimestamp must be a number')); } + if (options.clockTolerance !== undefined && options.clockTolerance > 300) { + return done(new JsonWebTokenError( + 'clockTolerance must not exceed 300 seconds to prevent accidental expiry bypass' + )); + } + if (options.nonce !== undefined && (typeof options.nonce !== 'string' || options.nonce.trim() === '')) { return done(new JsonWebTokenError('nonce must be a non-empty string')); } @@ -186,11 +191,6 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { if (typeof payload.exp !== 'number') { return done(new JsonWebTokenError('invalid exp value')); } - if (options.clockTolerance !== undefined && options.clockTolerance > 300) { - return done(new JsonWebTokenError( - 'clockTolerance must not exceed 300 seconds to prevent accidental expiry bypass' - )); - } if (clockTimestamp >= payload.exp + (options.clockTolerance || 0)) { return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000))); } @@ -265,4 +265,4 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { return done(null, payload); }); -}; +}; \ No newline at end of file
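Review bot: In the @@ -46 hunk the limit `300` is written twice, once in the condition and once inside the error string, so the two can drift apart on the next change; a named module-level constant such as `const MAX_CLOCK_TOLERANCE_SECONDS = 300;` used in the condition and interpolated into the message keeps them in step. The @@ -28 hunk of the same patch also drops `//clone this object since we are going to mutate it.`, which is unrelated to the subject and removes the only explanation of the `Object.assign({}, options)` copy; it should be restored (the mutation it refers to is presumably later in the function, outside this hunk). Nothing in the commit message says that callers currently passing a tolerance above 300 seconds will now get a `JsonWebTokenError`, which is worth stating since the subject labels this a fix. The enclosing exported function starts and ends outside the hunk.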