From be9c09af83b09c9e72da8b2c6166fa51d92aeab6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?=
Date: Mon, 4 Jan 2016 09:05:57 -0300
Subject: [PATCH] fix signing method with sealed objects, do not modify the params object. closes #147
---
 index.js | 3 ++-
 package.json | 3 ++-
 test/bug_147.tests.js | 12 ++++++++++++
 test/jwt.rs.tests.js | 4 ++--
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 test/bug_147.tests.js
diff --git a/index.js b/index.js
index 2a7e73c..87045e5 100644
--- a/index.js
+++ b/index.js
@@ -1,6 +1,7 @@
 var jws = require('jws');
 var ms = require('ms');
 var timespan = require('./lib/timespan');
+var xtend = require('xtend');
 var JWT = module.exports;
@@ -39,7 +40,7 @@ JWT.decode = function (jwt, options) {
 JWT.sign = function(payload, secretOrPrivateKey, options, callback) {
 options = options || {};
-
+ payload = typeof payload === 'object' ? xtend(payload) : payload;
 var header = {};
 if (typeof payload === 'object') {
diff --git a/package.json b/package.json
index 932a299..556a562 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,8 @@
 },
 "dependencies": {
 "jws": "^3.0.0",
- "ms": "^0.7.1"
+ "ms": "^0.7.1",
+ "xtend": "^4.0.1"
 },
 "devDependencies": {
 "atob": "^1.1.2",
diff --git a/test/bug_147.tests.js b/test/bug_147.tests.js
new file mode 100644
index 0000000..3b59cc7
--- /dev/null
+++ b/test/bug_147.tests.js
@@ -0,0 +1,12 @@
+var jwt = require('../index');
+var expect = require('chai').expect;
+
+describe('signing with a sealed payload', function() {
+
+ it('should put the expiration claim', function () {
+ var token = jwt.sign(Object.seal({foo: 123}), '123', { expiresIn: 10 });
+ var result = jwt.verify(token, '123');
+ expect(result.exp).to.be.closeTo(Math.floor(Date.now() / 1000) + 10, 0.2);
+ });
+
+});
\ No newline at end of file
diff --git a/test/jwt.rs.tests.js b/test/jwt.rs.tests.js
index 59d7dbe..0368608 100644
--- a/test/jwt.rs.tests.js
+++ b/test/jwt.rs.tests.js
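Review bot: In the second index.js hunk, the added `typeof payload === 'object'` test is also true for `null`, arrays and Buffers, so `xtend(payload)` would hand back a fresh plain object for any of those and the signed token body could differ from what the caller passed (a `null` payload would become `{}` instead of failing). The copy is also only one level deep, so nested claim objects stay shared with the caller; whether that matters depends on the rest of JWT.sign, which continues past this hunk. Consider narrowing the guard, e.g. `var isPlainObject = payload !== null && typeof payload === 'object' && !Array.isArray(payload) && !Buffer.isBuffer(payload);` followed by `payload = isPlainObject ? xtend(payload) : payload;`. A comment such as `// shallow copy: claims are added to the copy, never to the caller's (possibly sealed) object` would record why the copy exists.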
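Review bot: The `xtend` entry added to `dependencies` in package.json puts a new third-party package on the signing path of a token library, and the `^4.0.1` range means any later 4.x release can be resolved at install time. The only use visible in this patch is a one-level own-property copy in index.js, which a few lines of local code could do without widening the dependency surface. If the package stays, consider an exact version (`"xtend": "4.0.1"`) or make sure releases are built from a lockfile; no lockfile is part of this patch.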
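Review bot: The new test in test/bug_147.tests.js covers the sealed-payload half of the fix but not the "do not modify the params object" half: nothing asserts that the caller's object is unchanged after `jwt.sign`, and a sealed object cannot demonstrate it because it rejects added properties anyway. A second case with an ordinary object would pin it, e.g. `var payload = {foo: 123};` `jwt.sign(payload, '123', { expiresIn: 10 });` `expect(payload).to.deep.equal({foo: 123});`. Separately, `closeTo(..., 0.2)` on what appear to be whole-second values behaves like strict equality, so the test can fail when the clock crosses a second boundary between `sign` and the assertion; a delta of `1` would avoid that.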
@@ -391,14 +391,14 @@ describe('RS256', function() {
 var obj = { foo: 'bar' };
 var token = jwt.sign(obj, priv, { algorithm: 'RS256' });
 var payload = jwt.decode(token);
- assert.deepEqual(payload, obj);
+ assert.equal(payload.foo, obj.foo);
 done();
 });
 it('should return the header and payload and signature if complete option is set', function(done) {
 var obj = { foo: 'bar' };
 var token = jwt.sign(obj, priv, { algorithm: 'RS256' });
 var decoded = jwt.decode(token, { complete: true });
- assert.deepEqual(decoded.payload, obj);
+ assert.equal(decoded.payload.foo, obj.foo);
 assert.deepEqual(decoded.header, { typ: 'JWT', alg: 'RS256' });
 assert.ok(typeof decoded.signature == 'string');
 done();
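Review bot: Both replaced assertions in this hunk now compare only `foo`, so these tests no longer check the whole decoded payload; an unexpected extra or missing claim in the signed token would pass unnoticed. The likely reason `deepEqual` stopped holding is that sign now adds its claims to a copy instead of to `obj` (inferred, since the signing code is outside this hunk). I would keep a whole-payload check by comparing the decoded object against the explicitly expected claims, and add `assert.deepEqual(obj, { foo: 'bar' });` after each `jwt.sign` call so the non-mutation guarantee from the commit message is pinned. The enclosing `describe('RS256', ...)` starts above the hunk and the second test's closing lines fall below it.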