haskell-jwt
Misinterpretation of fractional NumericDates
Hi 👋🏼 , thanks for the library!
I'm using this library on the server: https://hackage.haskell.org/package/jose-0.10/docs/Crypto-JWT.html
It returns JWTs with fractional datetimes, which is maybe a bit unconventional, but is explicitly supported as part of the JWT RFC here (see NumericDate):

> non-integer values can be represented.
Here's a test JWT with fractional numeric dates; the dates are parsed properly by https://jwt.io, for example.

```
eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJKVEktNDJjYjg2N2UtYmE5Ny00YjkyLWJlY2MtZTZmOTU2YjNmZjJjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1NDI0IiwiaWF0IjoxLjY4NDUxMDIzODEyMzA2NWU5LCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjU0MjQiLCJzdWIiOiJVLTE0MWM0ZGRmLTI0MjMtNGYxMC1hNGRlLTQ2NTkzOTk1MTM1NCIsImV4cCI6MS42ODcxMDIyMzgxMjMwNjVlOSwic2NvcGUiOiJvcGVuaWQgY2xvdWQgc3luYyJ9.jpIfalpvWx7dP7vw4dIGosOP7eWeSrEQJFovLZpXTfM
```

```json
{
  "jti": "JTI-42cb867e-ba97-4b92-becc-e6f956b3ff2c",
  "iss": "http://localhost:5424",
  "iat": 1684510238.123065,
  "aud": "http://localhost:5424",
  "sub": "U-141c4ddf-2423-4f10-a4de-465939951354",
  "exp": 1687102238.123065,
  "scope": "openid cloud sync"
}
```
However, when decoding like this:

```haskell
{-# LANGUAGE OverloadedStrings #-}
import qualified Web.JWT as JWT
import Data.Time.Clock.POSIX (getPOSIXTime)

-- The test token from above (signature is not verified here; decode only parses it).
accessToken = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJKVEktNDJjYjg2N2UtYmE5Ny00YjkyLWJlY2MtZTZmOTU2YjNmZjJjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1NDI0IiwiaWF0IjoxLjY4NDUxMDIzODEyMzA2NWU5LCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjU0MjQiLCJzdWIiOiJVLTE0MWM0ZGRmLTI0MjMtNGYxMC1hNGRlLTQ2NTkzOTk1MTM1NCIsImV4cCI6MS42ODcxMDIyMzgxMjMwNjVlOSwic2NvcGUiOiJvcGVuaWQgY2xvdWQgc3luYyJ9.jpIfalpvWx7dP7vw4dIGosOP7eWeSrEQJFovLZpXTfM"

main = do
  Just jwt <- JWT.decode accessToken          -- parse without signature verification
  now <- getPOSIXTime                          -- current time, for comparison with exp
  Just expDate <- JWT.exp (JWT.claims jwt)     -- the "exp" NumericDate claim
  print (JWT.secondsSinceEpoch expDate)        -- expected: 1687102238.123065s
```

The resulting time is several thousand years in the future, as though the decoder is treating the float as an int or something like that. Would be great if this could be fixed, otherwise apps will misinterpret expired tokens as being valid.
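The following is an added example, not code from the issue author or from haskell-jwt. It is written in Python rather than Haskell because the point is the NumericDate semantics the issue relies on, not a particular library API: it decodes the payload of the token quoted above (signature deliberately not verified), parses `exp` as RFC 7519 defines NumericDate (any JSON number, integer or not, in seconds since the epoch), keeps the fractional part when comparing against the current time, and rejects values that are not numbers or that fall outside a plausible range. The plausibility ceiling `MAX_PLAUSIBLE_EPOCH` (2100-01-01 UTC) is an assumption of this example; a date far beyond it is a good sign that a claim was decoded wrongly, which is the failure mode reported here.

```python
"""Decode a JWT payload and validate its NumericDate claims the way RFC 7519
defines them: a JSON number, integer or non-integer, counting seconds since
the Unix epoch (1970-01-01T00:00:00Z)."""
import base64
import json
import math
from datetime import datetime, timezone

# The HS256 test token quoted in the issue. Its raw payload writes the dates
# in scientific notation ("iat":1.684510238123065e9), which is still a JSON
# number and therefore a valid NumericDate.
TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJKVEktNDJjYjg2N2UtYmE5Ny00YjkyLWJlY2MtZTZmOTU2YjNmZjJjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1NDI0IiwiaWF0IjoxLjY4NDUxMDIzODEyMzA2NWU5LCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjU0MjQiLCJzdWIiOiJVLTE0MWM0ZGRmLTI0MjMtNGYxMC1hNGRlLTQ2NTkzOTk1MTM1NCIsImV4cCI6MS42ODcxMDIyMzgxMjMwNjVlOSwic2NvcGUiOiJvcGVuaWQgY2xvdWQgc3luYyJ9.jpIfalpvWx7dP7vw4dIGosOP7eWeSrEQJFovLZpXTfM"

# Assumed plausibility ceiling for this example: 2100-01-01T00:00:00Z.
# A NumericDate beyond it almost certainly means the claim was decoded wrongly.
MAX_PLAUSIBLE_EPOCH = 4102444800.0


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_claims(token: str) -> dict:
    """Return the claims set (second segment) WITHOUT verifying the signature.

    Only useful for inspecting a token; a real verifier checks the signature
    before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]).decode("utf-8"))


def numeric_date(value) -> float:
    """Parse an RFC 7519 NumericDate: any JSON number, fractional or not.

    bool is excluded explicitly because Python treats it as an int."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"NumericDate must be a JSON number, got {type(value).__name__}")
    seconds = float(value)
    if not math.isfinite(seconds) or seconds < 0 or seconds > MAX_PLAUSIBLE_EPOCH:
        raise ValueError(f"NumericDate outside plausible range: {value!r}")
    return seconds


def is_valid_numeric_date(value) -> bool:
    """True when numeric_date accepts the value (convenience for callers)."""
    try:
        numeric_date(value)
        return True
    except (TypeError, ValueError):
        return False


def is_expired(claims: dict, now: float, leeway: float = 0.0) -> bool:
    """True when exp has passed. The fractional part is kept, so a token whose
    exp is 1687102238.123065 is still valid at now == 1687102238.0."""
    return now >= numeric_date(claims["exp"]) + leeway


def expires_at(claims: dict) -> datetime:
    """exp as an aware UTC datetime, for human-readable sanity checks."""
    return datetime.fromtimestamp(numeric_date(claims["exp"]), tz=timezone.utc)


if __name__ == "__main__":
    claims = payload_claims(TOKEN)
    print("exp claim:", claims["exp"], "->", expires_at(claims).isoformat())
    print("expired at 2023-11-14T22:13:20Z?", is_expired(claims, now=1700000000.0))
```

Run it directly to see the decoded `exp` (1687102238.123065, i.e. 2023-06-18T15:30:38Z) and that the token is reported as expired against a later timestamp. The range check is the defender's safety net: a decoder that mangles the fraction into thousands of years in the future fails closed here instead of silently accepting the token.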