feat: make leeway configurable on the initalization side.

Author: seanwangsmartcontract

pkg/nodeauth/jwt/node_jwt_authenticator.go

@@ -14,25 +14,35 @@ import (
 	"github.com/smartcontractkit/chainlink-common/pkg/nodeauth/utils"
 )
 
-const (
-	// JWTLeeway defines the time leeway for JWT validation to address clock skew between systems
-	JWTLeeway = 5 * time.Second
-)
-
 // NodeJWTAuthenticator is designed to be used by the server-side service to authenticate the JWT token generated by the Node.
 type NodeJWTAuthenticator struct {
 	nodeAuthProvider NodeAuthProvider // Source of truth to validate public key in the JWT claim.
 	parser           *jwt.Parser      // JWT parser to parse the JWT token.
 	logger           *slog.Logger
 }
 
-func NewNodeJWTAuthenticator(nodeAuthProvider NodeAuthProvider, logger *slog.Logger) *NodeJWTAuthenticator {
-	// Configure parser with validation options
-	parser := jwt.NewParser(
+// NodeJWTAuthenticatorOption is a functional option for configuring NodeJWTAuthenticator
+type NodeJWTAuthenticatorOption func(*[]jwt.ParserOption)
+
+// WithLeeway sets a custom leeway duration for JWT validation to address clock skew between systems
+func WithLeeway(leeway time.Duration) NodeJWTAuthenticatorOption {
+	return func(parserOpts *[]jwt.ParserOption) {
+		*parserOpts = append(*parserOpts, jwt.WithLeeway(leeway))
+	}
+}
+
+func NewNodeJWTAuthenticator(nodeAuthProvider NodeAuthProvider, logger *slog.Logger, opts ...NodeJWTAuthenticatorOption) *NodeJWTAuthenticator {
+	parserOpts := []jwt.ParserOption{
 		jwt.WithIssuedAt(),
 		jwt.WithExpirationRequired(),
-		jwt.WithLeeway(JWTLeeway),
-	)
+	}
+
+	// Apply optional configurations (e.g. leeway)
+	for _, opt := range opts {
+		opt(&parserOpts)
+	}
+
+	parser := jwt.NewParser(parserOpts...)
 
 	return &NodeJWTAuthenticator{
 		nodeAuthProvider: nodeAuthProvider,

pkg/nodeauth/jwt/node_jwt_authenticator_test.go

@@ -151,7 +151,7 @@ func TestNodeJWTAuthenticator_AuthenticateJWT_LeewayHandlesClockSkew(t *testing.
 		privateKey, csaPubKey := createValidatorTestKeys()
 		mockProvider := &mocks.NodeAuthProvider{}
 		mockProvider.On("IsNodePubKeyTrusted", mock.Anything, csaPubKey).Return(true, nil)
-		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger())
+		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger(), WithLeeway(5*time.Second))
 
 		testRequest := testRequest{Field: "test-request"}
 		digest := utils.CalculateRequestDigest(testRequest)
@@ -186,7 +186,7 @@ func TestNodeJWTAuthenticator_AuthenticateJWT_LeewayHandlesClockSkew(t *testing.
 		// Given
 		privateKey, csaPubKey := createValidatorTestKeys()
 		mockProvider := &mocks.NodeAuthProvider{}
-		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger())
+		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger(), WithLeeway(5*time.Second))
 
 		testRequest := testRequest{Field: "test-request"}
 		digest := utils.CalculateRequestDigest(testRequest)
@@ -222,7 +222,7 @@ func TestNodeJWTAuthenticator_AuthenticateJWT_LeewayHandlesClockSkew(t *testing.
 		privateKey, csaPubKey := createValidatorTestKeys()
 		mockProvider := &mocks.NodeAuthProvider{}
 		mockProvider.On("IsNodePubKeyTrusted", mock.Anything, csaPubKey).Return(true, nil)
-		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger())
+		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger(), WithLeeway(5*time.Second))
 
 		testRequest := testRequest{Field: "test-request"}
 		digest := utils.CalculateRequestDigest(testRequest)
@@ -257,7 +257,7 @@ func TestNodeJWTAuthenticator_AuthenticateJWT_LeewayHandlesClockSkew(t *testing.
 		// Given
 		privateKey, csaPubKey := createValidatorTestKeys()
 		mockProvider := &mocks.NodeAuthProvider{}
-		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger())
+		authenticator := NewNodeJWTAuthenticator(mockProvider, createTestLogger(), WithLeeway(5*time.Second))
 
 		testRequest := testRequest{Field: "test-request"}
 		digest := utils.CalculateRequestDigest(testRequest)