hard-code +/- 15 minute leeway

cmd/telebit/telebit.go

@@ -98,6 +98,7 @@ func main() {
 	apiHostname := flag.String("api-hostname", "", "the hostname used to manage clients")
 	secret := flag.String("secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
 	token := flag.String("token", "", "an auth token for the server (instead of generating --secret); use --token=false to ignore any $TOKEN in env")
+	_ = flag.String("leeway", "", "(reserved for future use) allow for time drift / skew (hard-coded to 15 minutes)")
 	bindAddrsStr := flag.String("listen", "", "list of bind addresses on which to listen, such as localhost:80, or :443")
 	tlsLocals := flag.String("tls-locals", "", "like --locals, but TLS will be used to connect to the local port")
 	locals := flag.String("locals", "", "a list of <from-domain>:<to-port>")

mgmt/authstore/authstore.go

@@ -67,12 +67,13 @@ func HMACToken(secret string, maybeExp ...int) (token string, err error) {
 
 	b := make([]byte, 16)
 	_, _ = rand.Read(b)
+	leeway := 15 * time.Minute
 	claims := &jwt.StandardClaims{
 		Id:        base64.RawURLEncoding.EncodeToString(b),
 		Subject:   "", // TODO
 		Issuer:    "", // TODO
-		IssuedAt:  time.Now().Unix(),
-		ExpiresAt: exp,
+		IssuedAt:  time.Now().Add(-leeway).Unix(),
+		ExpiresAt: exp + int64(leeway.Seconds()),
 	}
 
 	jwtToken := &jwt.Token{