Add validation claims to the upload JWT tokens
Current situation
In the current implementation, uploads generate two JWT tokens (one is set in the headers, the other is set in the request parameter):
- https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/internal/filestore/file_handler.go#L91
- https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/internal/upload/saved_file_tracker.go#L44
Improvements
Rails will only verify the signature. It could be worthwhile to limit the validity of these tokens using these claims
This way, Rails can implement an additional layer of validations:
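
The sketch below is an added example, not code from this issue, Workhorse or Rails: it contrasts signature-only verification with verification that also checks claims. The claims used (`exp`, `iat` and `iss` from RFC 7519), the secret, the issuer name, the `file` payload field and the fixed clock are assumptions chosen for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

SECRET = 'constructed-shared-secret' # constructed; not a real GitLab secret
ISSUER = 'upload-proxy'              # assumed issuer name for this example
NOW    = 1_700_000_000               # fixed clock so the sample is deterministic

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Issuing side: build an HS256 token over the given claims.
def sign_token(claims)
  input = "#{b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', SECRET, input))}"
end

# Compare two MACs without stopping at the first differing byte.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signature-only check: returns the payload, or nil if the token is not authentic.
def verify_signature(token)
  head, body, sig = token.to_s.split('.', 3)
  return nil unless sig
  header = JSON.parse(Base64.urlsafe_decode64(head))
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256' # pin the algorithm
  expected = OpenSSL::HMAC.digest('SHA256', SECRET, "#{head}.#{body}")
  return nil unless secure_equal?(Base64.urlsafe_decode64(sig), expected)
  JSON.parse(Base64.urlsafe_decode64(body))
rescue ArgumentError, JSON::ParserError
  nil
end

# Signature plus claims: a missing, expired, future-dated or foreign token is rejected.
def verify_with_claims(token, now: NOW, leeway: 5)
  claims = verify_signature(token)
  return nil unless claims.is_a?(Hash)
  exp, iat = claims.values_at('exp', 'iat')
  return nil unless exp.is_a?(Integer) && now < exp + leeway
  return nil unless iat.is_a?(Integer) && iat <= now + leeway
  return nil unless claims['iss'] == ISSUER
  claims
end

FRESH = sign_token({ iss: ISSUER, iat: NOW, exp: NOW + 60, file: 'constructed.bin' })
STALE = sign_token({ iss: ISSUER, iat: NOW - 3600, exp: NOW - 3540, file: 'constructed.bin' })
BARE  = sign_token({ file: 'constructed.bin' }) # validly signed, carries no claims
```

`verify_signature` accepts all three sample tokens because each is correctly signed, while `verify_with_claims` accepts only `FRESH`.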