Fix jwt not active error by adding a small clock tolerence

CHANGELOG.md

@@ -10,6 +10,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ### Fixed
 
 - Don't include extra params when calculating local hmac [#196](https://github.com/Shopify/shopify-node-api/pull/196)
+- Add a 5 second `clockTolerance` to fix `jwt not active` error [#227](https://github.com/Shopify/shopify-node-api/pull/227)
 - [Breaking] Change default for OAuth.beginAuth to online sessions [#203](https://github.com/Shopify/shopify-node-api/pull/203)
 - [Breaking] Return and delete session in `validateAuthCallback` [#217](https://github.com/Shopify/shopify-node-api/pull/217)
 - [Breaking] Extract `addHandler` and `getHandler` methods for webhooks out of `register` [#205](https://github.com/Shopify/shopify-node-api/pull/205)

src/utils/decode-session-token.ts

@@ -5,6 +5,8 @@ import * as ShopifyErrors from '../error';
 
 import validateShop from './shop-validator';
 
+const JWT_PERMITTED_CLOCK_TOLERANCE = 5;
+
 interface JwtPayload {
   iss: string;
   dest: string;
@@ -27,6 +29,7 @@ function decodeSessionToken(token: string): JwtPayload {
   try {
     payload = jwt.verify(token, Context.API_SECRET_KEY, {
       algorithms: ['HS256'],
+      clockTolerance: JWT_PERMITTED_CLOCK_TOLERANCE,
     }) as JwtPayload;
   } catch (error) {
     throw new ShopifyErrors.InvalidJwtError(