feat(authn): use correct time resolution for setting channel expire in JWT authn

apps/emqx_auth/src/emqx_authn/emqx_authn_chains.erl

@@ -142,6 +142,7 @@ end).
 -type state() :: #{atom() => term()}.
 -type extra() :: #{
     is_superuser := boolean(),
+    %% millisecond timestamp
     expire_at => pos_integer(),
     atom() => term()
 }.

apps/emqx_auth_jwt/src/emqx_authn_jwt.erl

@@ -257,9 +257,12 @@ extra_to_auth_data(Extra, JWT, AclClaimName, DisconnectAfterExpire) ->
             {error, bad_username_or_password}
     end.
 
-expire_at(false, _Extra) -> #{};
+expire_at(false, _Extra) ->
-expire_at(true, #{<<"exp">> := ExpireTime}) -> #{expire_at => ExpireTime};
+    #{};
-expire_at(true, #{}) -> #{}.
+expire_at(true, #{<<"exp">> := ExpireTime}) ->
+    #{expire_at => erlang:convert_time_unit(ExpireTime, second, millisecond)};
+expire_at(true, #{}) ->
+    #{}.
 
 acl(Claims, AclClaimName) ->
     case Claims of

apps/emqx_auth_jwt/test/emqx_authn_jwt_expire_SUITE.erl

@@ -61,9 +61,11 @@ t_jwt_expire(_Config) ->
 
     {ok, [#{provider := emqx_authn_jwt}]} = emqx_authn_chains:list_authenticators(?GLOBAL),
 
+    Expire = erlang:system_time(second) + 3,
+
     Payload = #{
         <<"username">> => <<"myuser">>,
-        <<"exp">> => erlang:system_time(second) + 2
+        <<"exp">> => Expire
     },
     JWS = emqx_authn_jwt_SUITE:generate_jws('hmac-based', Payload, <<"secret">>),
 
@@ -71,7 +73,8 @@ t_jwt_expire(_Config) ->
     {ok, _} = emqtt:connect(C),
 
     receive
-        {disconnected, ?RC_NOT_AUTHORIZED, #{}} -> ok
+        {disconnected, ?RC_NOT_AUTHORIZED, #{}} ->
+            ?assert(erlang:system_time(second) >= Expire)
     after 5000 ->
         ct:fail("Client should be disconnected by timeout")
     end.