During the review of an internal PR, we learned (to our surprise) that if verify_exp or any other verify_* for that matter is set to True, the validation is silently bypassed if the correlating claim does not exist.
I.e., calling jwt.decode(access_token, ..., options={"verify_exp": True}), where access_token does not include the exp header, will succeed instead of raising a validation error.
Ref: line 390 in f2d0ebe:

    if "exp" in payload and options["verify_exp"]:
IMO, if you specify that you would like to validate something and that something is not present in your input, I'd expect the code to raise an error rather than succeeding.
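The gating pattern quoted above, reproduced beside a hardened variant, as an added example that is not PyJWT's code: the lenient validator only checks a time claim when it happens to be present, while the strict one treats every requested verify_* option as making its claim mandatory. Claim names, option names, the sample payload and the hypothetical exception classes are assumptions chosen for the illustration.

```python
import time

class MissingRequiredClaimError(Exception):
    """Raised when a claim whose verification was requested is absent."""

class ClaimValidationError(Exception):
    """Raised when a present time claim fails its check."""

# Which verify_* option governs which registered time claim (assumed mapping).
TIME_CLAIMS = {"verify_exp": "exp", "verify_nbf": "nbf", "verify_iat": "iat"}

def _check_time_claim(name, value, now):
    if not isinstance(value, (int, float)):
        raise ClaimValidationError(f"{name} must be numeric")
    if name == "exp" and value < now:
        raise ClaimValidationError("token has expired")
    if name == "nbf" and value > now:
        raise ClaimValidationError("token is not yet valid")
    if name == "iat" and value > now:
        raise ClaimValidationError("token issued in the future")

def validate_claims_lenient(payload, options, now=None):
    """Mirrors the issue's pattern: the check is gated on the claim existing."""
    now = time.time() if now is None else now
    for opt, claim in TIME_CLAIMS.items():
        if claim in payload and options.get(opt, True):
            _check_time_claim(claim, payload[claim], now)
    return payload

def validate_claims_strict(payload, options, now=None):
    """Hardened variant: requesting verify_* makes the claim required."""
    now = time.time() if now is None else now
    for opt, claim in TIME_CLAIMS.items():
        if not options.get(opt, True):
            continue
        if claim not in payload:
            raise MissingRequiredClaimError(f'required claim "{claim}" is missing')
        _check_time_claim(claim, payload[claim], now)
    return payload

def lenient_accepts_missing_exp():
    """Constructed payload without exp: lenient passes, strict raises."""
    payload = {"sub": "user-123"}  # constructed sample claims, no exp
    opts = {"verify_exp": True, "verify_nbf": False, "verify_iat": False}
    validate_claims_lenient(payload, opts, now=1_700_000_000)
    try:
        validate_claims_strict(payload, opts, now=1_700_000_000)
    except MissingRequiredClaimError:
        return True
    return False
```

In PyJWT 2.x the equivalent defensive setting is `options={"require": ["exp"]}`, which makes `jwt.decode` raise `MissingRequiredClaimError` when the claim is absent.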