PEPPER-977 [DSM] check jwt to make sure expiration claim is present (#…

…2659)

* PEPPER-977 added a check for expiration time to be present, did not change any sonar lint errors because I believe they are all addressed in Dennis's PR

* PEPPER-977 changes to the code because of changes in develop

pepper-apis/dsm-core/src/main/java/org/broadinstitute/dsm/security/Auth0Util.java

@@ -17,6 +17,7 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.exceptions.TokenExpiredException;
+import com.auth0.jwt.impl.PublicClaims;
 import com.auth0.jwt.interfaces.Claim;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.RSAKeyProvider;
@@ -225,7 +226,11 @@ public static DecodedJWT verifyAuth0Token(String jwt, String auth0Domain, String
                 verification.withIssuer(signer);
             }
             JWTVerifier verifier = verification.build();
-            return verifier.verify(jwt);
+            DecodedJWT validToken = verifier.verify(jwt);
+            if (validToken.getClaim(PublicClaims.EXPIRES_AT).isNull()) {
+                throw new InvalidTokenException("Token missing expiration time in the claims.");
+            }
+            return validToken;
         } catch (JWTVerificationException e) {
             throw new InvalidTokenException("Could not verify auth0 token", e);
         }