Migrate from deprecated libjwt 2.x to libjwt 3.x API

[Copilot]

ZoneMinder was using deprecated libjwt 2.x. This migrates to libjwt 3.x, which consolidates token decoding into a single API call.

Changes

Core API migration (src/zm_crypt.cpp)

• Replace 3-step token decode (allocate → set algorithm → decode) with single jwt_decode() call that takes algorithm as parameter
• Net -10 lines of code

Before (libjwt 2.x):

jwt_new(&jwt);
jwt_set_alg(jwt, JWT_ALG_HS256, key, key_len);
jwt_decode(&jwt, token, key, key_len);

After (libjwt 3.x):

jwt_decode(&jwt, token, JWT_ALG_HS256, key, key_len);

Build configuration (cmake/Modules/FindLibJWT.cmake)

• Add version check requiring libjwt >= 3.0.0
• Fail build with clear message if older version detected

Packaging (distros/ubuntu2004/control)

• Update dependencies to require libjwt >= 3.0
• Add libjwt4 package variants

Breaking Change

Not backward compatible with libjwt 2.x. Systems must upgrade to libjwt >= 3.0.0 before building.

Original prompt

The current implementation of ZoneMinder is using libjwt 2.x, which is deprecated, as tracked in Issue #4334. We need to upgrade the usage to libjwt 3.x or later. This includes the following tasks:

1. Update the CMake configuration to check for libjwt version 3.x or later.
2. Modify the verifyToken function in src/zm_crypt.cpp to utilize the libjwt 3.x API for decoding and validating tokens.
3. Update any conditional checks or macros (e.g., HAVE_LIBJWT) to align with the updated library features.
4. Test all functionality that relies on libjwt to ensure compatibility with the newer version.
5. Update any documentation or build instructions to reflect the libjwt 3.x dependency.

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[connortechnology]

Issue here is... things like what distros do we continue to support. My thought was ubuntu jammy and up. So debian bookworm and up. Etc. jammy has libjwt-gnutls0 | 1.10.2-1build1. So we could remove it from dependencies and just use our dep/jwt-cpp.

[SteveGilvarry]

Yeah I figured that would come up when I didnt get it to fail back to old one. What is the history of both? Cause lib-jwt sounds better option from quick read. We need to get on top of distro builds and CI workflows for recent stuff. Somewhere I added builds for Sid etc.

[connortechnology]

I'm runnig sid here, and it has libjwt2 and libjwt14....
In general I like to run whatever is included as a package, but the availability here has been poor. It's all kinda young I guess.
For that reason, I lean towards jwt-cpp. We get to pick one version and support that.

[SteveGilvarry]

Ok so let's dump this PR and I will do a rip out libjwt option today in favour of jwt-cpp.