Add validation claims to the upload JWT tokens
## Current situation

In the current implementation, uploads will generate two JWT tokens (one is set in the headers, the other is set in the request parameter):

* https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/internal/filestore/file_handler.go#L91
* https://gitlab.com/gitlab-org/gitlab-workhorse/-/blob/master/internal/upload/saved_file_tracker.go#L44

## Improvements

Rails will only verify the signature. It could be worthwhile to limit the validity of these tokens using these claims:

* [`exp`](https://tools.ietf.org/html/rfc7519#section-4.1.4)
* [`nbf`](https://tools.ietf.org/html/rfc7519#section-4.1.5)
* [`iat`](https://tools.ietf.org/html/rfc7519#section-4.1.6)

This way, Rails can implement an additional layer of validations:

* [`Checking exp`](https://github.com/jwt/ruby-jwt#expiration-time-claim)
* [`Checking nbf`](https://github.com/jwt/ruby-jwt#not-before-time-claim)
* [`Checking iat`](https://github.com/jwt/ruby-jwt#issued-at-claim)
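
A sketch of the proposed behaviour, added here as an illustration and not taken from the GitLab or Workhorse code: a token carrying only a signature verifies at any time, while one with `iat`/`nbf`/`exp` is rejected outside its window. It uses only the Ruby standard library rather than ruby-jwt so that it runs stand-alone; the helper names, the secret and the 5-second leeway are assumptions.

```ruby
require "openssl"
require "json"

SECRET = "constructed-shared-secret" # constructed for the example, not a real secret
LEEWAY = 5                           # assumed clock-skew tolerance, in seconds

# base64url without padding, as used by JWT
def b64(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def unb64(text)
  (text.tr("-_", "+/") + "=" * (-text.size % 4)).unpack1("m0")
end

def sign(input, secret)
  b64(OpenSSL::HMAC.digest("SHA256", secret, input))
end

# Constant-time comparison so the signature check does not leak a prefix match.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Issuer side (hypothetical helper): HS256 token, with iat/nbf/exp when ttl is given.
def mint_upload_token(payload, secret, now: Time.now.to_i, ttl: nil)
  claims = payload.dup
  claims.merge!("iat" => now, "nbf" => now, "exp" => now + ttl) if ttl
  header = { "alg" => "HS256", "typ" => "JWT" }
  input = "#{b64(JSON.generate(header))}.#{b64(JSON.generate(claims))}"
  "#{input}.#{sign(input, secret)}"
end

# Verifier side (hypothetical helper): signature first, then mandatory time claims.
def verify_upload_token(token, secret, now: Time.now.to_i)
  header, body, sig = token.split(".")
  return :malformed unless header && body && sig
  return :bad_signature unless secure_equal?(sign("#{header}.#{body}", secret), sig)

  claims = JSON.parse(unb64(body))
  %w[iat nbf exp].each { |c| return :"missing_#{c}" unless claims[c].is_a?(Integer) }
  return :expired if claims["exp"] <= now - LEEWAY
  return :not_yet_valid if claims["nbf"] > now + LEEWAY
  return :issued_in_future if claims["iat"] > now + LEEWAY

  :ok
end
```

Requiring the three claims, rather than checking them only when present, is what makes a signature-only token fail; a verifier that treats them as optional would still accept tokens minted without them.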
issue