Add minimal token validation

[nanonyme]

It's exceptionally normal error that token expires. Emit local error if it happens with token payload to help request a new token.

[bbhtt]

better to to just print out the expiry date here than the JSON blob

[nanonyme]

The intent here is JSON blob contains information what exactly should be requested. It may have one or multiple prefixes, one or multiple branches etc.

[nanonyme]

It also contains the name of token that was created.

[bbhtt]

yes, but why would need that information in a "token has expired" error message? the error is that it expired.

if you want to log the capabilities of the token it should be somewhere else, not in this error message.

[nanonyme]

Ok.

[bbhtt]

I'd just log them whenever the token is used with verbose: the ref prefix, target repo and capabilities, type and the branch are useful information. But logging the whole payload json blob might be problematic.

[nanonyme]

Sounds like fairly invasive changes. If someone else wants to pick that up, fine. I think touching non-standard fields in blobs in client is actively dangerous since client might not be at all same version as server. JWT is for most intents and purposes supposed to be considered opaque blob by clients. Exp just happens to be a standard field and useful client-side.

[bbhtt]

I went ahead and improved the server's response a bit in case of expiry #144

[nanonyme]

Seems something wider in scope is desired so I'm closing this one. I'm leaving behind the branch though the JWT unpacking is well documented.