Entering a string value for `clockTolerance` causes expired tokens to be accepted

[mathiasose]

See this example: https://runkit.com/mathiasose/5d011f8474348c001fe376a5

I got things a bit mixed up and entered a string value for clockTolerance, and found it causes verify() to accept expired tokens.

I did eventually realize that the docs say to put "number of seconds" for clockTolerance, i.e. an integer value, but only after being confused for a while. Seems easy to get it wrong when maxAge does accept strings.

To prevent anyone from getting confused like me in the future, someone should probably make a change to either accept strings like maxAge does, or raising an error if inputting non-integer values for clockTolerance.

[panva]

@mathiasose thanks for bring this to our attention, i've submitted a PR to fix this.