fix(jwt): enforce exp validation in perry-ext-jsonwebtoken verify

[TheHypnoo]

What

Sets validation.validate_exp = true in js_jwt_verify (crates/perry-ext-jsonwebtoken/src/lib.rs), matching the stdlib implementation.

Why

The ext crate's verify path had validate_exp = false, accepting expired JWTs indefinitely — the exact pattern already fixed in crates/perry-stdlib/src/jsonwebtoken.rs for GHSA-5324-c68v-8w62 / CVE-2026-53777. The active dispatch for import 'jsonwebtoken' routes to the (fixed) stdlib, so this was a latent/dead-code regression rather than a live bypass — but leaving a vulnerable copy of an auth primitive in-tree is a footgun. This flips it and keeps the two implementations consistent.

required_spec_claims stays empty, so this preserves Node parity: a token whose exp is in the past is rejected, while a token that omits exp still verifies.

Test

Two new unit tests: verify_rejects_expired_token and verify_accepts_token_without_exp. cargo test -p perry-ext-jsonwebtoken → 5 passed.

Follow-up (out of scope)

Whether perry-ext-jsonwebtoken (and the sibling perry-ext-bcrypt / perry-ext-argon2 crates) are a live pluggable-backend design or dead code to remove is a separate decision, noted in #5066.

Closes #5066

Summary by CodeRabbit

• Bug Fixes
  • JWT token verification now properly validates and enforces expiration dates when present in the token. Tokens with expiration claims set to dates in the past are rejected during verification. Tokens without expiration information continue to validate and authenticate successfully.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 46ab087c-6cb4-4383-8613-c49b7198c2d1

📥 Commits

Reviewing files that changed from the base of the PR and between ab5b7e8 and 44e2c29.

📒 Files selected for processing (1)

• crates/perry-ext-jsonwebtoken/src/lib.rs

---

📝 Walkthrough

Walkthrough

This PR enforces JWT expiry claim validation in the perry JSON Web Token extension. The js_jwt_verify function now rejects expired tokens by setting validate_exp = true in the validation configuration. Two regression tests confirm the fix: one verifies that expired tokens return null, and another ensures tokens without an exp claim still verify successfully.

Changes

JWT Expiry Validation Security Fix

Layer / File(s)	Summary
Enforce JWT expiry claim validation crates/perry-ext-jsonwebtoken/src/lib.rs	js_jwt_verify updates jsonwebtoken::Validation to set validate_exp = true, enforcing expiry claim validation with comments documenting CVE/regression context. Two regression tests validate that expired tokens are rejected (null) and tokens without exp still verify (non-null).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• perry-ext-jsonwebtoken disables JWT expiry validation (re-introduces CVE-2026-53777 pattern) #5066: This PR implements the security fix by changing validate_exp from false to true and adds regression test coverage for expired-token rejection behavior.

Poem

🐰 A token's time was measured true,
No expired claims slip through—
The exp validation now held fast,
Past moments locked within the past!
Security hops with testing cheer! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: enforcing exp validation in the JWT verification function for the ext crate.
Description check	✅ Passed	The description provides clear context on what changed, why it was needed, and includes test results, matching the template structure adequately.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/jwt-ext-validate-exp

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}