Drop the jsonwebtoken dependency

This removes `time` from the dependency tree because the crate shipped
a security fix behind an MSRV bump.

Fixes #92.

We make a best effort attempt to keep the same behavior as when we
validated JWTs using `jsonwebtoken`. This includes rejecting any JWTs
that have the `aud` field set. We also keep `jsonwebtoken` as a
dev-dependency and add parity tests.

Unlike `jsonwebtoken`, we now fail to decode JWTs that
contain `exp` fields with fractional parts.

Author: tankyleo

rust/Cargo.lock

@@ -5,18 +5,20 @@ edition = "2021"
 rust-version.workspace = true
 
 [features]
-jwt = [ "jsonwebtoken", "serde" ]
+jwt = [ "base64", "serde", "serde_json", "openssl" ]
 sigs = [ "bitcoin_hashes", "hex-conservative", "secp256k1" ]
 
 [dependencies]
-async-trait = "0.1.77"
 api = { path = "../api" }
-jsonwebtoken = { version = "9.3.0", optional = true, default-features = false, features = ["use_pem"] }
-serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] }
-
+async-trait = "0.1.77"
+base64 = { version = "0.22.1", optional = true, default-features = false, features = ["std"] }
 bitcoin_hashes = { version = "0.19", optional = true, default-features = false }
 hex-conservative = { version = "1.0", optional = true, default-features = false }
+openssl = { version = "0.10.75", optional = true, default-features = false }
 secp256k1 = { version = "0.31", optional = true, default-features = false, features = [ "global-context" ] }
+serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] }
+serde_json = { version = "1.0.149", optional = true, default-features = false, features = ["std"] }
 
 [dev-dependencies]
+jsonwebtoken = { version = "9.3.0", default-features = false, features = ["use_pem"] }
 tokio = { version = "1.38.0", default-features = false, features = ["rt-multi-thread", "macros"] }