
fix(auth): avoid redundant JWKS fetch on every CLI command #183

Merged
alek-thunder merged 3 commits into main from fix/jwks-validation on Feb 8, 2026

Conversation

@srnbckr (Contributor) commented Feb 6, 2026

Description

This PR fixes a performance bug in which every CLI command called validate_token before executing, which fetched Auth0's JWKS endpoint over the network to cryptographically verify the ID token signature. This happened even when the token was already validated at login/refresh time and hadn't expired yet, adding a full HTTP round-trip to every single command invocation.

It introduces decode_user_from_token, which extracts user info from the JWT locally without signature verification. The non-expired path in acquire_access_token now uses this instead of the network-based validate_token.

Notes for Reviewers
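The non-expired path the PR describes, written out as an added stdlib-only example (not the project's own decode_user_from_token or its Auth0 adapter): claims are read from a locally stored, previously JWKS-verified token without re-checking the signature, while expiry is still enforced locally. The names make_test_token, decode_claims_unverified and user_from_cached_token are chosen here, and the token the helper builds is a constructed, unsigned stand-in for a real Auth0 ID token.

```python
import base64
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWS serialisation strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_test_token(claims: Dict[str, Any]) -> str:
    """Constructed, UNSIGNED token so the demo runs offline; the signature
    segment is a dummy. Real tokens come from Auth0 and are verified against
    its JWKS at login/refresh before they are ever stored."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_claims_unverified(token: str) -> Dict[str, Any]:
    """Parse the payload WITHOUT checking the signature. Acceptable only for a
    token this client already verified when it obtained it: the claims are
    exactly as trustworthy as that earlier check, and this must never be used
    to accept a token arriving from an untrusted source."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def user_from_cached_token(token: str, now: Optional[float] = None) -> Optional[Dict[str, str]]:
    """Non-expired path of acquire_access_token: no network round-trip.
    Expiry is still enforced locally, and a missing or malformed exp counts as
    expired. Returns None when the caller must fall back to refresh plus full
    JWKS signature verification."""
    claims = decode_claims_unverified(token)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return {"sub": str(claims["sub"]), "email": str(claims.get("email", ""))}
```

A None result is the signal to take the refresh path, which is where the JWKS fetch and signature check still belong.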

Copilot AI left a comment

Pull request overview

This PR optimizes CLI performance by eliminating redundant network requests to Auth0's JWKS endpoint on every command invocation. Previously, every CLI command validated JWT signatures by fetching the JWKS, even for tokens that were already validated at login/refresh time and hadn't expired. The fix introduces a local JWT decoding method that extracts user information without signature verification for non-expired tokens, reducing command latency by removing unnecessary HTTP round-trips.

Changes:

  • Introduced decode_user_from_token method that extracts user info from JWTs locally without cryptographic signature verification
  • Updated acquire_access_token to use local decoding for non-expired tokens instead of network-based validation
  • Maintained signature verification for newly obtained tokens (during login and refresh flows)

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • exls/auth/core/ports/operations.py: Added decode_user_from_token abstract method to the AuthOperations interface
  • exls/auth/adapters/auth0/commands.py: Implemented DecodeUserFromTokenCommand that decodes JWT locally without signature verification
  • exls/auth/adapters/auth0/auth0.py: Added decode_user_from_token method implementation and imported new command
  • exls/auth/core/service.py: Updated acquire_access_token to use decode_user_from_token for non-expired tokens
  • tests/unit/auth/test_auth_service.py: Updated tests to reflect the new behavior, renamed test from "validation_failure" to "decode_failure"


…n of decode user and expiry date from a decoded token by implementing decoding as a generic command.
@alek-thunder (Contributor)

Good catch!
I’ve moved the JWT decoding logic to the shared domain and consolidated it with the expiry date decoding into a single, generic metadata decoding command. Deserialization is now configurable by passing a BaseClass type to the command which is passed down to the PydanticDeserializer. I updated the Auth0 adapter to use this new command for extracting User or ExpiryDate from tokens.

It's only +15 loc :)

@alek-thunder alek-thunder merged commit 8e97ad0 into main Feb 8, 2026
2 checks passed
@alek-thunder alek-thunder deleted the fix/jwks-validation branch February 8, 2026 07:02