From 9cb9401cc579f11dbb17181e8713f061f8e40ed4 Mon Sep 17 00:00:00 2001
From: Sriharan Manogaran
Date: Sat, 15 Oct 2022 13:17:14 +0530
Subject: Handling 'ImmatureSignatureError' for issued_at time (#794)
* Handling 'ImmatureSignatureError' for issued_at time when it is a future time
* adding changelog and test cases
---
 CHANGELOG.rst | 1 +
 jwt/api_jwt.py | 5 ++++-
 tests/test_api_jwt.py | 8 ++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 2432203..1a00657 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -17,6 +17,7 @@ Fixed
 Added
 ~~~~~
+- Adding validation for `issued_at` when `iat > (now + leeway)` as `ImmatureSignatureError` by @sriharan16 in https://github.com/jpadilla/pyjwt/pull/794
 `v2.5.0 `__
 -----------------------------------------------------------------------
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index a391793..4bb1ee1 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -210,10 +210,13 @@ class PyJWT:
 raise MissingRequiredClaimError(claim)
 def _validate_iat(self, payload, now, leeway):
+ iat = payload["iat"]
 try:
- int(payload["iat"])
+ int(iat)
 except ValueError:
 raise InvalidIssuedAtError("Issued At claim (iat) must be an integer.")
+ if iat > (now + leeway):
+ raise ImmatureSignatureError("The token is not yet valid (iat)")
 def _validate_nbf(self, payload, now, leeway):
 try:
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index bebe7d2..d74973d 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
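Review bot: The new comparison `if iat > (now + leeway):` operates on the raw claim value, not on the integer that the `int(iat)` call on the line above validated, so an `iat` given as a numeric string such as `"123"` passes the `int()` check and then raises a bare `TypeError` from the comparison instead of the `InvalidTokenError` subclass callers of `decode()` catch. Binding the converted value inside the try, `iat = int(payload["iat"])`, and dropping the separate `iat = payload["iat"]` line makes the comparison use the validated integer. The pre-existing `except ValueError` also lets `TypeError` from `int(None)` escape; `except (ValueError, TypeError):` would close that, though it is outside what this commit changes. A one-line docstring such as `"""Reject a token whose iat claim lies more than *leeway* seconds in the future."""` would document the new rule.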
@@ -219,6 +219,14 @@ class TestJWT:
 with pytest.raises(InvalidIssuedAtError):
 jwt.decode(example_jwt, "secret", algorithms=["HS256"])
+ def test_decode_raises_exception_if_iat_is_greater_than_now(self, jwt, payload):
+ payload["iat"] = utc_timestamp() + 10
+ secret = "secret"
+ jwt_message = jwt.encode(payload, secret)
+
+ with pytest.raises(ImmatureSignatureError):
+ jwt.decode(jwt_message, secret, algorithms=["HS256"])
+
 def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
 # >>> jwt.encode({'nbf': 'not-an-int'}, 'secret')
 example_jwt = (
-- cgit v1.2.1
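Review bot: The new test only pins rejection under the default leeway; nothing exercises the `leeway` half of the `iat > (now + leeway)` rule, so a regression that ignored leeway for `iat` would still pass. A companion case that sets `payload["iat"] = utc_timestamp() + 5` and calls `jwt.decode(jwt_message, secret, algorithms=["HS256"], leeway=10)` expecting no exception would cover the accepted side of the boundary.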