From e313542878b4816642654b563f5637548938e74a Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Tue, 17 Mar 2026 20:49:45 -0700
Subject: [PATCH] Validate JWT nbf (Not Before) claim matching Go's jwt-go/v5

Go's jwt.ParseWithClaims validates the nbf claim when present, rejecting tokens whose nbf is in the future. The Rust jsonwebtoken crate defaults validate_nbf to false, so tokens with future nbf were incorrectly accepted.
---
 seaweed-volume/src/security.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/seaweed-volume/src/security.rs b/seaweed-volume/src/security.rs
index 0aef6ccb6..e33350926 100644
--- a/seaweed-volume/src/security.rs
+++ b/seaweed-volume/src/security.rs
@@ -93,6 +93,8 @@ pub fn decode_jwt(signing_key: &SigningKey, token: &str) -> Result(