JWT verify options are not respected when verifying tokens #3681

Open
micahbeech opened this issue Mar 13, 2023 · 0 comments


Your Environment

  • verdaccio version: 5.21.2
  • node version: 18.12.0
  • package manager: npm@9.3.1
  • os: linux
  • platform: docker

Describe the bug

The JWT verify options specified in the config file do not appear to be respected. Sign options are respected.

For example, in the following config, tokens signed more than one day ago will be rejected due to being expired despite ignoreExpiration being set to true.

security:
  api:
    legacy: false
    jwt:
      sign:
        expiresIn: 1d
      verify:
        ignoreExpiration: true
  web:
    sign:
      expiresIn: 1d
    verify:
      ignoreExpiration: true

Based on my testing, this appears to be the case for all verify options, not just ignoreExpiration.

To Reproduce

  1. Create a Verdaccio configuration using JWTs for security, with
    a. expiresIn set (e.g. 1m) under sign options
    b. ignoreExpiration set to true under verify options
  2. Start the server and authenticate a user to retrieve their token
  3. Before expiresIn, use the token from step 2 to access the registry and verify that it is valid
  4. After expiresIn, attempt to use the token from step 2 to access the registry and observe that it is rejected despite ignoreExpiration being set

Expected behavior

Relating to the above example, the token should not be rejected despite being expired.

More specifically, all verify options should be respected as defined in the config file.

Configuration File (cat ~/.config/verdaccio/config.yaml)

# This is the config file used for the docker images.
# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://github.com/verdaccio/verdaccio/blob/master/docs/docker.md#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#
# path to a directory with all packages
storage: /verdaccio/storage/data
max_body_size: 200mb
web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  #enable: false
  title: Verdaccio

middlewares:
  github-oauth-ui:
    enabled: true
  audit:
    enabled: true

auth:
  github-oauth-ui:
    org: my-org
    client-id: ${githubClientId}
    client-secret: ${githubClientSecret}
    token: ${githubToken}

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.yarnpkg.com/
    cache: true
    maxage: 2h
    agent_options:
      keepAlive: true
      maxSockets: 40
      maxFreeSockets: 10

packages:
  '**':
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

# This block enables download of Tarball from the UI
# Refer: https://github.com/verdaccio/verdaccio/issues/1508#issuecomment-622867971
security:
  api:
    legacy: false
    jwt:
      sign:
        expiresIn: 365d
      verify:
        ignoreExpiration: true
  web:
    sign:
      expiresIn: 365d
    verify:
      ignoreExpiration: true

# Required since verdaccio 5.4.0 as default is 0 and incompatible with verdaccio-github-oauth-ui plugin
# Refer: https://githubplus.com/n4bb12/verdaccio-github-oauth-ui/issues
user_agent: true

# log settings
logs: {type: stdout, format: json, level: http}
# logs: {type: file, path: verdaccio.log, level: info}

Environment information

Running in a docker container in a kubernetes cluster.

Environment Info:
  System:
    OS: Linux 5.4 Alpine Linux
    CPU: (8) x64 AMD EPYC 7R13 Processor
  Binaries:
    npm: 9.3.1 - /usr/local/bin/npm
  npmGlobalPackages:
    verdaccio: 5.21.2