feat(jwt): add leeway support for token expiration verification

[Krishnachaitanyakc]

Summary

Adds support for the leeway parameter in JWT token decoding, as requested in #4584.

• Added a leeway field (type float | timedelta, default 0) to BaseJWTAuth, JWTAuth, JWTCookieAuth, and OAuth2PasswordBearerAuth
• Threaded leeway through JWTAuthenticationMiddleware and JWTCookieAuthenticationMiddleware to Token.decode and Token.decode_payload
• Token.decode_payload passes leeway directly to PyJWT's jwt.decode(), which natively supports it
• Maintained backward compatibility: if a subclass overrides decode_payload without the leeway parameter, the call falls back to the old signature via a TypeError catch
• When leeway is set, Token.decode bypasses __post_init__ validation (which rejects expired exp values) since PyJWT already validated expiry with leeway applied

Closes #4584

Test plan

• Added test_decode_with_leeway_allows_recently_expired_token -- verifies a token expired by 5 seconds is accepted with 10 seconds of leeway (parametrized over int, float, and timedelta)
• Added test_decode_with_leeway_does_not_allow_long_expired_token -- verifies a token expired by 1 hour is still rejected with 10 seconds of leeway
• All 164 existing JWT tests pass (including test_custom_decode_payload for backward compatibility)

---

📚 Documentation preview 📚: https://litestar-org.github.io/litestar-docs-preview/4643

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.36%. Comparing base (20ce756) to head (841ccf4).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4643      +/-   ##
==========================================
+ Coverage   67.32%   67.36%   +0.03%     
==========================================
  Files         292      292              
  Lines       14925    14941      +16     
  Branches     1673     1673              
==========================================
+ Hits        10049    10065      +16     
  Misses       4739     4739              
  Partials      137      137              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sobolevn]

I don't think that this implementation is correct, please take a look at https://github.com/wemake-services/django-modern-rest/blob/8033c9ed0d871ff413875350a4dc664bd6f174ba/dmr/security/jwt/token.py#L75

[Krishnachaitanyakc]

@sobolevn Thanks for the pointer to the InitVar approach! I've reworked the implementation following your suggestion:

What changed:

• leeway is now an InitVar[float] on Token, so it participates in __post_init__ validation but is not stored as an instance attribute
• __post_init__ applies the leeway tolerance when checking exp, allowing recently-expired tokens within the leeway window to pass validation
• decode() converts timedelta leeway to float seconds and passes it directly to cls(**payload, leeway=leeway_seconds)
• Removed msgspec.convert() — the Token is now constructed via its own __init__, which naturally triggers __post_init__ with the leeway
• Removed _construct_without_validation() — no longer needed since __post_init__ itself handles leeway
• Removed the TypeError catch around decode_payload — that backward-compat path is no longer necessary
• Dropped the msgspec import from this module entirely

[JacobCoffee]

need to get CI all passing as well :)