Disable IAT verification by default

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117468 in GitLab 15.11 updated the ruby-jwt gem to v2.5.0. In v2.2.0, ruby-jwt removed the `iat_leeway` parameter (https://github.com/jwt/ruby-jwt/pull/274). As a result, if a gitlab-shell host creates a JWT token with an issued-at (IAT) claim that is slightly behind the host handling API the request, users will receive a 401 error. Disable this IAT verification by default since it's not serving a useful purpose, since expiration times are already validated. We already made a similar change in Geo. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/417543 Changelog: fixed

Disable IAT verification by default
f326916f · Stan Hu · df4abd18 · f326916f · f326916f · f326916f
--- a/lib/json_web_token/hmac_token.rb
+++ b/lib/json_web_token/hmac_token.rb
@@ -4,7 +4,7 @@

 module JSONWebToken
  class HMACToken < Token
-    IAT_LEEWAY = 60
+    LEEWAY = 60
    JWT_ALGORITHM = 'HS256'

    def initialize(secret)
@@ -13,7 +13,7 @@ def initialize(secret)
      @secret = secret
    end

-    def self.decode(token, secret, leeway: IAT_LEEWAY, verify_iat: true)
+    def self.decode(token, secret, leeway: LEEWAY, verify_iat: false)
      JWT.decode(token, secret, true, leeway: leeway, verify_iat: verify_iat, algorithm: JWT_ALGORITHM)
    end


--- a/spec/lib/json_web_token/hmac_token_spec.rb
+++ b/spec/lib/json_web_token/hmac_token_spec.rb
@@ -25,7 +25,7 @@
  end

  describe '.decode' do
-    let(:leeway) { described_class::IAT_LEEWAY }
+    let(:leeway) { described_class::LEEWAY }
    let(:decoded_token) { described_class.decode(encoded_token, secret, leeway: leeway) }

    context 'with an invalid token' do

--- a/spec/requests/api/internal/base_spec.rb
+++ b/spec/requests/api/internal/base_spec.rb
@@ -50,6 +50,17 @@ def perform_request(headers: gitlab_shell_internal_api_request_header)
        expect(response).to have_gitlab_http_status(:ok)
      end

+      it 'authenticates using a jwt token with an IAT from 10 seconds in the future' do
+        headers =
+          travel_to(Time.now + 10.seconds) do
+            gitlab_shell_internal_api_request_header
+          end
+
+        perform_request(headers: headers)
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
      it 'returns 401 when jwt token is expired' do
        headers = gitlab_shell_internal_api_request_header