TUN-7373: Streaming logs override for same actor

To help accommodate web browser interactions with websockets, when a
streaming logs session is requested for the same actor while already
serving a session for that user in a separate request, the original
request will be closed and the new request start streaming logs
instead. This should help with rogue sessions holding on for too long
with no client on the other side (before idle timeout or connection
close).

management/token.go

@@ -0,0 +1,55 @@
+package management
+
+import (
+	"fmt"
+
+	"github.com/go-jose/go-jose/v3/jwt"
+)
+
+type managementTokenClaims struct {
+	Tunnel tunnel `json:"tun"`
+	Actor  actor  `json:"actor"`
+}
+
+// VerifyTunnel compares the tun claim isn't empty
+func (c *managementTokenClaims) verify() bool {
+	return c.Tunnel.verify() && c.Actor.verify()
+}
+
+type tunnel struct {
+	ID         string `json:"id"`
+	AccountTag string `json:"account_tag"`
+}
+
+// verify compares the tun claim isn't empty
+func (t *tunnel) verify() bool {
+	return t.AccountTag != "" && t.ID != ""
+}
+
+type actor struct {
+	ID      string `json:"id"`
+	Support bool   `json:"support"`
+}
+
+// verify checks the ID claim isn't empty
+func (t *actor) verify() bool {
+	return t.ID != ""
+}
+
+func parseToken(token string) (*managementTokenClaims, error) {
+	jwt, err := jwt.ParseSigned(token)
+	if err != nil {
+		return nil, fmt.Errorf("malformed jwt: %v", err)
+	}
+
+	var claims managementTokenClaims
+	// This is actually safe because we verify the token in the edge before it reaches cloudflared
+	err = jwt.UnsafeClaimsWithoutVerification(&claims)
+	if err != nil {
+		return nil, fmt.Errorf("malformed jwt: %v", err)
+	}
+	if !claims.verify() {
+		return nil, fmt.Errorf("invalid management token format provided")
+	}
+	return &claims, nil
+}