
fix(web): JWT claims missing validation - round 56 #856

@dvrd

Description


Why

The parseJWT function in pkg/web/auth.go accepts JWT tokens without validating critical claims. This allows authentication bypass via:

  • Expired tokens (no expiration check)
  • Tokens not yet valid (no not-before check)
  • Tokens from wrong issuer (no issuer validation)
  • Tokens for wrong audience (no audience validation)

What

Add validateJWTClaims function that validates:

  • Expiration time (ExpiresAt not in the past)
  • Not-before time (NotBefore not in the future)
  • Issuer matches cfg.HTTP.PublicURL
  • Audience starts with cfg.HTTP.PublicURL (if audience is set)

Call this validation in parseJWT after parsing claims but before returning them.

Where

  • pkg/web/auth.go - add validateJWTClaims function after parseJWT
  • pkg/web/auth.go - import "time" package
  • pkg/web/auth.go - call validateJWTClaims in parseJWT
  • pkg/web/git.go - fix error variable casing (errInvalidToken -> ErrInvalidToken, errInvalidPassword -> ErrInvalidPassword)

Plan

  1. Add "time" to imports in pkg/web/auth.go
  2. Implement validateJWTClaims function with expiration, not-before, issuer, and audience checks
  3. Call validateJWTClaims in parseJWT before returning claims
  4. Fix error variable casing in pkg/web/git.go

Test Plan

  • go build ./pkg/web/... should succeed
  • go test ./pkg/web/... should pass
  • JWT with expired ExpiresAt should be rejected
  • JWT with future NotBefore should be rejected
  • JWT with wrong Issuer should be rejected
  • JWT with wrong Audience should be rejected
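An added example, not code from the issue or from the project's pkg/web: a stdlib-only Go implementation of the four validateJWTClaims checks listed above, with the same four rejection cases the test plan names. The Claims struct, the ErrInvalidToken message, the publicURL parameter (standing in for cfg.HTTP.PublicURL) and the injected now value are assumptions, since the real types are not shown here. It goes slightly beyond the issue's wording on the audience check: rather than any string that starts with the public URL, it accepts only the public URL itself or a path under it, and it treats a token with no expiration claim as invalid.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrInvalidToken mirrors the exported error name the issue mentions for
// pkg/web/git.go; the message text is constructed for this example.
var ErrInvalidToken = errors.New("invalid token")

// Claims is an assumed stand-in for the project's JWT claims type; only the
// four claims the issue validates are modelled. Times are pointers so that an
// absent claim can be told apart from a zero value.
type Claims struct {
	Issuer    string
	Audience  []string
	ExpiresAt *time.Time
	NotBefore *time.Time
}

// validateJWTClaims applies the expiration, not-before, issuer and audience
// checks. publicURL stands in for cfg.HTTP.PublicURL; now is injected so the
// checks are deterministic in tests. Every failure wraps ErrInvalidToken so
// callers can use errors.Is without inspecting the message.
func validateJWTClaims(c Claims, publicURL string, now time.Time) error {
	// Expiration: a token without exp is rejected here (stricter than the
	// issue's wording; relax this if the project issues non-expiring tokens).
	if c.ExpiresAt == nil {
		return fmt.Errorf("%w: missing expiration", ErrInvalidToken)
	}
	if !now.Before(*c.ExpiresAt) {
		return fmt.Errorf("%w: expired at %s", ErrInvalidToken, c.ExpiresAt.UTC().Format(time.RFC3339))
	}
	// Not-before: only enforced when the claim is present.
	if c.NotBefore != nil && now.Before(*c.NotBefore) {
		return fmt.Errorf("%w: not valid before %s", ErrInvalidToken, c.NotBefore.UTC().Format(time.RFC3339))
	}
	// Issuer must equal the configured public URL exactly.
	if c.Issuer != publicURL {
		return fmt.Errorf("%w: unexpected issuer %q", ErrInvalidToken, c.Issuer)
	}
	// Audience, if set, must contain at least one entry scoped to publicURL.
	if len(c.Audience) > 0 {
		matched := false
		for _, aud := range c.Audience {
			if audienceMatches(aud, publicURL) {
				matched = true
				break
			}
		}
		if !matched {
			return fmt.Errorf("%w: audience %v is not for %s", ErrInvalidToken, c.Audience, publicURL)
		}
	}
	return nil
}

// audienceMatches reports whether aud is publicURL itself or a path under it.
// A bare strings.HasPrefix would also accept "https://host.example.test" for a
// publicURL of "https://host.example", so the remainder after the prefix must be
// empty or begin with "/" (unless publicURL already ends with "/").
func audienceMatches(aud, publicURL string) bool {
	if !strings.HasPrefix(aud, publicURL) {
		return false
	}
	rest := aud[len(publicURL):]
	return rest == "" || strings.HasPrefix(rest, "/") || strings.HasSuffix(publicURL, "/")
}

func main() {
	// Constructed sample claims; no real tokens or keys are involved.
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	pub := "https://git.example.test"
	exp := now.Add(time.Hour)
	past := now.Add(-time.Hour)
	future := now.Add(30 * time.Minute)

	cases := []struct {
		name string
		c    Claims
	}{
		{"valid", Claims{Issuer: pub, Audience: []string{pub + "/repo"}, ExpiresAt: &exp}},
		{"expired", Claims{Issuer: pub, ExpiresAt: &past}},
		{"not yet valid", Claims{Issuer: pub, ExpiresAt: &exp, NotBefore: &future}},
		{"wrong issuer", Claims{Issuer: "https://other.example.test", ExpiresAt: &exp}},
		{"wrong audience", Claims{Issuer: pub, Audience: []string{"https://other.example.test"}, ExpiresAt: &exp}},
	}
	for _, tc := range cases {
		fmt.Printf("%-15s -> %v\n", tc.name, validateJWTClaims(tc.c, pub, now))
	}
}
```

In parseJWT the call would sit after the signature has been verified and the claims decoded, and before the claims are returned, exactly as the plan describes; passing time.Now() at that call site keeps the validator itself free of a hidden clock dependency. Wrapping every failure in ErrInvalidToken means the HTTP layer can keep returning one generic 401 while the log line still records which check fired.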
