feat: add jwt decoder

[GurtejSohi]

Description

Adds JWT decoder

[codecov]

Codecov Report

Merging #15 (c0f7f8a) into main (d47c113) will increase coverage by 0.86%.
The diff coverage is 72.41%.

@@             Coverage Diff              @@
##               main      #15      +/-   ##
============================================
+ Coverage     66.47%   67.33%   +0.86%     
- Complexity       58       64       +6     
============================================
  Files            14       15       +1     
  Lines           170      199      +29     
  Branches          9        9              
============================================
+ Hits            113      134      +21     
- Misses           49       57       +8     
  Partials          8        8              

Flag	Coverage Δ	Complexity Δ
unit	67.33% <72.41%> (+0.86%)	64.00 <6.00> (+6.00)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ	Complexity Δ
...ertrace/core/grpcutils/context/RequestContext.java	52.00% <16.66%> (-11.16%)	8.00 <0.00> (ø)
...g/hypertrace/core/grpcutils/context/JwtParser.java	86.95% <86.95%> (ø)	6.00 <6.00> (?)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d47c113...c0f7f8a. Read the comment docs.

[surajpuvvada]

why use a cache ?

[surajpuvvada]

if we need to access it multiple times we could store in the context object instead ?

[aaron-steinfeld]

So my understanding is that we actually don't need or want to force verification here, instead relying on the proxy to do it. Either way though, everything around JWTs should be package protected, we only want to expose the abstracted information via the context.

If we do need to enforce it, then every service using this will need to take in env-specific values like the jwks url and audience, which is not ideal.

[avinashkolluru]

Yes. I think thats what we decided the other day. Verification is the responsibility of the proxy.
Should we just add both the APIs then? Depending on the use case, the callers can decide.

[aaron-steinfeld]

What do you mean by both the apis? the verified and unverified one?

[GurtejSohi]

Removed jwt verification and now, exposing the abstracted information via the context.

[avinashkolluru]

Yes. I meant decodeAndVerify and just decode

[GurtejSohi]

I think we can add the verification part later on if required(we may not even need that if we're relying on proxy for verification). Also, the verification part requires passing in some extra values which makes it messy (which we may be able to avoid).

[jcchavezs]

Do not forget to include tests on this one.

[jcchavezs]

I am curious about this class being final and private. Do we expect others to implement their own VerifiedJwt? if so, will that be based on this default one?

[aaron-steinfeld]

lgtm

[surajpuvvada]

is the cache being still used ?

[GurtejSohi]

Yes, using the cache to help avoid decoding the same token again.

[github-actions]

Unit Test Results

10 files  +1  10 suites  +1   11s ⏱️ +4s
46 tests +4  46 ✔️ +4  0 💤 ±0  0 ❌ ±0 

Results for commit 614ba57. ± Comparison against base commit d47c113.