Add decode-token command

[duanemay]

decode JWTs, display claims, verify signatures, and show human-readable timestamps

[Copilot]

Pull request overview

Adds a new uaa decode-token command to decode JWTs, optionally verify their signature using a provided PEM key, and optionally print human-readable timestamps for common time claims.

Changes:

• Introduces decode-token Cobra command implementation with --key (signature verification) and --decode-times (timestamp decoding).
• Adds Ginkgo/Gomega integration tests covering context token fallback, positional token arg, signature verification, and timestamp output.
• Adds documentation for the new command and links it from the command reference.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
docs/commands/decode-token.md	New user-facing documentation for decode-token, including usage, flags, examples, and troubleshooting.
docs/commands.md	Adds decode-token to the command reference (also adds a targets entry).
cmd/decode_token_test.go	New integration tests for decoding, signature verification, and timestamp decoding.
cmd/decode_token.go	New decode-token command implementation, JWT decoding, signature verification helpers, and timestamp formatting.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The example output hard-codes relative times like “(7 years ago)”, which will become inaccurate as time passes. Consider removing the relative portion from the docs example or replacing it with a placeholder so the documentation doesn’t go stale.

Suggested change

	iat (Issued At): 2017-09-10 18:03:43 UTC (7 years ago)
	exp (Expires At): 2017-10-11 06:03:43 UTC (7 years ago)
	iat (Issued At): 2017-09-10 18:03:43 UTC (relative time varies)
	exp (Expires At): 2017-10-11 06:03:43 UTC (relative time varies)

[Copilot]

In the signature verification example, uaa get-token-key is shown but there’s no step that writes the PEM value into signing-key.pem before cat signing-key.pem. Please add an explicit command to extract/save the key (e.g., redirect or jq extraction), or adjust the example to pass the key directly.

[Copilot]

This test case is named as if it validates the “invalid token signature” path, but it only asserts exit code and doesn’t assert the error text. Adding an assertion for the expected stderr message (e.g., containing "invalid token signature") will ensure the command is actually failing for signature mismatch (and not due to PEM/key parsing errors).

Suggested change

	Eventually(session).Should(Exit(1))
	Eventually(session).Should(Exit(1))
	Expect(string(session.Err.Contents())).To(ContainSubstring("invalid token signature"))

[Copilot]

_ = sigBytes is redundant here because sigBytes is already used in the return values. Removing this avoids dead code and keeps the helper minimal.

Suggested change

_ = sigBytes

[Copilot]

If the JWT header is missing alg or it’s not a string, alg becomes "" and the user gets unsupported algorithm: (empty) which is hard to diagnose. Validate alg presence/type and return a clearer error like “JWT header missing/invalid alg”.

[Copilot]

--key is documented as accepting a PEM-encoded public key, but parseRSAPublicKey only supports PEM block types PUBLIC KEY and CERTIFICATE. Common RSA public keys are also provided as RSA PUBLIC KEY (PKCS#1). Consider supporting that block type (via x509.ParsePKCS1PublicKey) to avoid rejecting valid user-provided keys.

[Copilot]

The command reference adds a targets entry linking to commands/targets.md, but this repo doesn’t include that doc page (and there’s no corresponding targets command). This is a broken link in the command reference; either add the missing command/docs or remove this row.

Suggested change

| [`targets`](commands/targets.md) | List all registered targets |