fix: Do not copy iat claim from refresh token (#888)

vgrozdanic · web-flow · commit acacec825f16 · 2025-03-10T22:32:42.000+01:00
* fix: Do not copy `iat` claim from refresh token

* fix test by freezing time
diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
@@ -386,6 +386,7 @@ class RefreshToken(BlacklistMixin["RefreshToken"], Token):
         # we wouldn't want to copy either one.
         api_settings.JTI_CLAIM,
         "jti",
+        "iat",
     )
     access_token_class = AccessToken
 
diff --git a/tests/test_tokens.py b/tests/test_tokens.py
@@ -4,6 +4,7 @@
 
 from django.contrib.auth import get_user_model
 from django.test import TestCase
+from freezegun import freeze_time
 from jose import jwt
 
 from rest_framework_simplejwt.exceptions import (
@@ -434,10 +435,13 @@ def test_init(self):
 
     def test_access_token(self):
         # Should create an access token from a refresh token
-        refresh = RefreshToken()
-        refresh["test_claim"] = "arst"
+        with freeze_time("2025-01-01"):
+            refresh = RefreshToken()
+            refresh["test_claim"] = "arst"
 
-        access = refresh.access_token
+        with freeze_time("2025-01-02"):
+            # Ensure iat is different
+            access = refresh.access_token
 
         self.assertIsInstance(access, AccessToken)
         self.assertEqual(access[api_settings.TOKEN_TYPE_CLAIM], "access")

Original file line number	Diff line number	Diff line change
`@@ -386,6 +386,7 @@ class RefreshToken(BlacklistMixin["RefreshToken"], Token):`
`386`	`386`	`# we wouldn't want to copy either one.`
`387`	`387`	`api_settings.JTI_CLAIM,`
`388`	`388`	`"jti",`
	`389`	`+ "iat",`
`389`	`390`	`)`
`390`	`391`	`access_token_class = AccessToken`
`391`	`392`