feat: use a common constant to store JWT leeway

Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>

src/common/const.go

@@ -14,6 +14,8 @@
 
 package common
 
+import "time"
+
 type contextKey string
 
 // const variables
@@ -241,4 +243,7 @@ const (
 	BeegoMaxUploadSizeBytes = "beego_max_upload_size_bytes"
 	// DefaultBeegoMaxUploadSizeBytes sets default max upload size to 128GB
 	DefaultBeegoMaxUploadSizeBytes = 1 << 37
+
+	// Global Leeway used for token validation
+	JwtLeeway = 60 * time.Second
 )

src/pkg/token/claims/robot/robot.go

@@ -16,10 +16,10 @@ package robot
 
 import (
 	"errors"
-	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 
+	"github.com/goharbor/harbor/src/common"
 	"github.com/goharbor/harbor/src/pkg/permission/types"
 )
 
@@ -46,7 +46,7 @@ func (rc Claim) Valid() error {
 	if rc.Access == nil {
 		return errors.New("the access info cannot be nil")
 	}
-	var v = jwt.NewValidator(jwt.WithLeeway(60 * time.Second))
+	var v = jwt.NewValidator(jwt.WithLeeway(common.JwtLeeway))
 
 	if stdErr := v.Validate(rc.RegisteredClaims); stdErr != nil {
 		return stdErr

src/pkg/token/claims/v2/claims.go

@@ -15,7 +15,7 @@
 package v2
 
 import (
-	"time"
+	"github.com/goharbor/harbor/src/common"
 
 	"github.com/docker/distribution/registry/auth/token"
 	"github.com/golang-jwt/jwt/v5"
@@ -38,7 +38,7 @@ type Claims struct {
 
 // Valid checks if the issuer is harbor
 func (c *Claims) Valid() error {
-	var v = jwt.NewValidator(jwt.WithLeeway(60*time.Second), jwt.WithIssuer(Issuer))
+	var v = jwt.NewValidator(jwt.WithLeeway(common.JwtLeeway), jwt.WithIssuer(Issuer))
 
 	if err := v.Validate(c.RegisteredClaims); err != nil {
 		return err

src/pkg/token/token.go

@@ -19,10 +19,10 @@ import (
 	"crypto/rsa"
 	"errors"
 	"fmt"
-	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 
+	"github.com/goharbor/harbor/src/common"
 	"github.com/goharbor/harbor/src/lib/log"
 )
 
@@ -35,7 +35,7 @@ type Token struct {
 
 // New ...
 func New(opt *Options, claims jwt.Claims) (*Token, error) {
-	var v = jwt.NewValidator(jwt.WithLeeway(60 * time.Second))
+	var v = jwt.NewValidator(jwt.WithLeeway(common.JwtLeeway))
 	if err := v.Validate(claims); err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func Parse(opt *Options, rawToken string, claims jwt.Claims) (*Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	var parser = jwt.NewParser(jwt.WithLeeway(time.Duration(60)*time.Second), jwt.WithValidMethods([]string{opt.SignMethod.Alg()}))
+	var parser = jwt.NewParser(jwt.WithLeeway(common.JwtLeeway), jwt.WithValidMethods([]string{opt.SignMethod.Alg()}))
 	token, err := parser.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) {
 		switch k := key.(type) {
 		case *rsa.PrivateKey:

src/pkg/token/token_test.go

@@ -92,7 +92,7 @@ func TestRaw(t *testing.T) {
 	assert.NotNil(t, rawTk)
 }
 
-func TestRawWithClockSkew(t *testing.T) {
+func TestNewWithClockSkew(t *testing.T) {
 	rbacPolicy := &types.Policy{
 		Resource: "/project/library/repository",
 		Action:   "pull",

src/server/middleware/security/v2_token.go

@@ -17,12 +17,12 @@ package security
 import (
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 
 	registry_token "github.com/docker/distribution/registry/auth/token"
 
+	"github.com/goharbor/harbor/src/common"
 	"github.com/goharbor/harbor/src/common/security"
 	"github.com/goharbor/harbor/src/common/security/v2token"
 	svc_token "github.com/goharbor/harbor/src/core/service/token"
@@ -59,7 +59,7 @@ func (vt *v2Token) Generate(req *http.Request) security.Context {
 		logger.Warningf("failed to decode bearer token: %v", err)
 		return nil
 	}
-	var v = jwt.NewValidator(jwt.WithLeeway(60*time.Second), jwt.WithAudience(svc_token.Registry))
+	var v = jwt.NewValidator(jwt.WithLeeway(common.JwtLeeway), jwt.WithAudience(svc_token.Registry))
 	if err := v.Validate(t.Claims); err != nil {
 		logger.Warningf("failed to decode bearer token: %v", err)
 		return nil