iat/nbf/exp should accept only numeric date

[cboitel]

Describe the bug

When parsing tokens, jwt.Parse will by default accept string formatted dates. When enabling pedantic, string formatted dates are effectively not accepted.

Extract from RFC

NumericDate
      A JSON numeric value representing the number of seconds from
      1970-01-01T00:00:00Z UTC until the specified UTC date/time,
      ignoring leap seconds.  This is equivalent to the IEEE Std 1003.1,
      2013 Edition [[POSIX.1](https://datatracker.ietf.org/doc/html/rfc7519#ref-POSIX.1)] definition "Seconds Since the Epoch", in
      which each day is accounted for by exactly 86400 seconds, other
      than that non-integer values can be represented.  See [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339)
      [[RFC3339](https://datatracker.ietf.org/doc/html/rfc3339)] for details regarding date/times in general and UTC in
      particular.

Please attach the output of go version

To Reproduce / Expected behavior

N/A

Additional context

Since ensuring non-string dates would break v3 compatibility, it should be at least warned in documentation that pedantic should be enabled if user wants strict RFC compliant behaviour

[lestrrat]

It's working as expected

func TestGH1486(t *testing.T) {
	for _, pedantic := range []bool{false, true} {
		t.Run(fmt.Sprintf("pedantic=%t", pedantic), func(t *testing.T) {
			const payload = `{"iat":"1970-01-01T00:00:01Z"}`
			_, err := jwt.Parse([]byte(payload), jwt.WithVerify(false), jwt.WithPedantic(pedantic))
			if !pedantic {
				require.NoError(t, err, `jwt.Parse should succeed`)
				return
			}
			require.Error(t, err, `jwt.Parse should fail`)
		})
	}
}

[lestrrat]

@cboitel Oh hey, I might have written the wrong code -- I think it was WithNumericDatePedantic or something and it might have been a global setting. The above code could be from my latest branch, which probably doesn't help you. Either way, I'm pretty sure the code has an escape hatch for this. Sorry for the hasty comment, I'm on my way out. I'll double check later.

[lestrrat]

Yeah, it was controlled by jwt.Settings(jwt.WithNumericDateParsePedantic(true)), not jwt.Parse(... jwt.WithPedantic(true)). The reason these two exist is probably because these were gradually added over time and probably we just eh, got confused.

[cboitel]

I am more concerned about the fact that one should opt-in to get pedantic behaviour which is should be the expected defaults.

Since reverting on this subject would lead to a breaking change, a documentation warning should at least be added and if possible be the default behaviour in next major release.

In godoc, a documentation warning about time management to invite people to look at pedantic feature would be valuable.

I haven't found pedantic explained in docs/*.md but I would say godoc is preferable anyway.

[lestrrat]

Hmm? I was about to go "Look, here's the godoc", but pkg.go.dev doesn't have the NumericDateParsePedantic... WTF.
When I run go doc -all ./jwt I get

That's odd. There must be something that's preventing pkg.go.dev from parsing this. I'll take a look later in conjunction with the other pedantic stuff I am already working on since you brought that security report.