Merge branch '3787-expire-geo-jwts' into 'security-10-1-ee'

Include standard JWT claims in Geo JWTs [10.1]

See merge request gitlab/gitlab-ee!554

(cherry picked from commit 676a194bf27facbb431abf6e9fa57ea6ad29af42)

f2e5dee8 Include standard JWT claims in Geo JWTs

lib/gitlab/geo/base_request.rb

@@ -26,10 +26,10 @@ module Gitlab
         geo_node = requesting_node
         raise GeoNodeNotFoundError unless geo_node
 
-        payload = { data: message.to_json, iat: Time.now.to_i }
-        token = JWT.encode(payload, geo_node.secret_access_key, 'HS256')
+        token = JSONWebToken::HMACToken.new(geo_node.secret_access_key)
+        token[:data] = message.to_json
 
-        "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token}"
+        "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token.encoded}"
       end
 
       def requesting_node

lib/json_web_token/hmac_token.rb

+module JSONWebToken
+  class HMACToken < Token
+    def initialize(secret)
+      super()
+
+      @secret = secret
+    end
+
+    def encoded
+      JWT.encode(payload, @secret, 'HS256')
+    end
+  end
+end

spec/lib/gitlab/geo/jwt_request_decoder_spec.rb

@@ -33,7 +33,13 @@ describe Gitlab::Geo::JwtRequestDecoder do
       Timecop.travel(30.seconds.ago) { expect(subject.decode).to eq(data) }
     end
 
-    it 'returns nil when clocks are not in sync' do
+    it 'fails to decode after expiring' do
+      subject
+
+      Timecop.travel(2.minutes) { expect(subject.decode).to be_nil }
+    end
+
+    it 'fails to decode when clocks are not in sync' do
       subject
 
       Timecop.travel(2.minutes.ago) { expect(subject.decode).to be_nil }