From bdb8c96ff399777726ad2c47fa32c4c0f9c66d2e Mon Sep 17 00:00:00 2001
From: David Dal Busco
Date: Tue, 17 Mar 2026 09:15:45 +0100
Subject: [PATCH] feat: set nbf to iat in generated jwt
---
 src/decorators/jwt.ts | 5 ++++-
 test/decorators/jwt.test.ts | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/decorators/jwt.ts b/src/decorators/jwt.ts
index 75fcf5b..c1149b2 100644
--- a/src/decorators/jwt.ts
+++ b/src/decorators/jwt.ts
@@ -39,13 +39,16 @@ export class JwtDecorator {
 issuer: string;
 audience: string;
 }): Promise => {
+ const timestamp = new Date();
+
 return new SignJWT(payload)
 .setProtectedHeader({ alg: 'RS256', kid: JWT_KEY_ID })
 .setSubject(subject)
 .setIssuer(issuer)
 .setAudience(audience)
 .setExpirationTime('1h')
- .setIssuedAt()
+ .setNotBefore(timestamp)
+ .setIssuedAt(timestamp)
 .sign(privateKey);
 };
 
diff --git a/test/decorators/jwt.test.ts b/test/decorators/jwt.test.ts
index 3135a1b..c0e6455 100644
--- a/test/decorators/jwt.test.ts
+++ b/test/decorators/jwt.test.ts
@@ -56,6 +56,24 @@ describe('decorators > jwt', () => {
 expect(diff).toBeGreaterThan(3500); // ~58 minutes
 expect(diff).toBeLessThan(3700); // ~61 minutes
 });
+
+ it('should set nbf equal to iat', async () => {
+ const token = await jwt.signOpenIdJwt({
+ payload: {},
+ subject: 'user-123',
+ issuer: 'test',
+ audience: 'test'
+ });
+
+ const result = await jwt.verify(token);
+
+ if (!result.valid) {
+ expect(true).toBeFalsy();
+ return;
+ }
+
+ expect(result.payload.nbf).toBe(result.payload.iat);
+ });
 });
 
 describe('signOAuthJwt', () => {
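Review bot: Pinning `nbf` to the exact issuance instant with `.setNotBefore(timestamp)` leaves no margin for clock skew, so a verifier whose clock runs slightly behind the signer will reject a freshly issued token as not yet valid unless it applies a tolerance. Nothing in the hunk records that this is intended; a comment above `const timestamp = new Date();` such as `// nbf is deliberately equal to iat; verifiers must allow clock tolerance` would make the contract explicit. Separately, `.setExpirationTime('1h')` is still a relative value, so exp is probably resolved from a separate clock read rather than from `timestamp` (assuming SignJWT is jose's); passing `new Date(timestamp.getTime() + 60 * 60 * 1000)` would tie all three time claims to one instant. The enclosing method starts above the hunk, so its parameters and the origin of `privateKey` are not visible here.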
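Review bot: The final assertion `expect(result.payload.nbf).toBe(result.payload.iat)` also passes when both claims are absent, because `undefined` is identical to `undefined`, so the new test would not catch a regression that drops nbf and iat together. Adding `expect(typeof result.payload.nbf).toBe('number');` before it closes that gap. The failure branch `expect(true).toBeFalsy(); return;` reports nothing about what went wrong; `throw new Error('token failed verification');` still narrows `result` and gives a readable failure message.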