fix(query): add JWT verification time tolerance#19909

Open

chagelo wants to merge 1 commit into databendlabs:main from chagelo:fix-jwt-time-tolerance

Conversation

@chagelo (Contributor) commented May 22, 2026

I hereby agree to the terms of the CLA available at: https://docs.databend.com/dev/policies/cla/

Summary

Add explicit 5-second JWT verification time tolerance for both key-pair auth and JWKS auth.

  • fixes: Add time_tolerance to JWT verification for key-pair and JWKS auth #19795
  • Apply the same verification options across RSA/ECDSA/Ed25519 key-pair verification and JWKS verification.
  • Pin Databend to a small, explicit 5-second clock-skew window instead of inheriting jwt-simple's much wider default tolerance.
  • Add regression coverage for tolerated small iat clock skew and rejected larger future iat values.

Tests

  • Unit Test
  • Logic Test
  • Benchmark Test
  • No Test - Explain why

cargo test -p databend-common-users --test it jwt_time_tolerance
cargo test -p databend-common-users --test it jwt
cargo clippy -p databend-common-users --test it -- -D warnings

Type of change

  • Bug Fix (non-breaking change which fixes an issue)
  • New Feature (non-breaking change which adds functionality)
  • Breaking Change (fix or feature that could cause existing functionality not to work as expected)
  • Documentation Update
  • Refactoring
  • Performance Improvement
  • Other (please describe):

@github-actions github-actions Bot added the pr-bugfix this PR patches a bug in codebase label May 22, 2026
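To make the clock-skew window in the PR description concrete, here is a stand-alone Rust illustration of what a time tolerance does to each registered time claim. It is an added example, not Databend's code and not jwt-simple's `VerificationOptions`; it assumes the signature has already been verified and the `iat`/`nbf`/`exp` claims have already been parsed into Unix seconds, and the `TimeClaims`, `TimeError` and `check_time_claims` names are this example's own. The 5-second constant mirrors the window the PR pins.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Clock-skew window in seconds. Mirrors the 5-second window the PR description
/// pins; this constant belongs to this example, not to Databend or jwt-simple.
pub const TIME_TOLERANCE_SECS: u64 = 5;

/// Registered time claims of a JWT (RFC 7519 sections 4.1.4 to 4.1.6),
/// already parsed out of the payload, in Unix seconds.
#[derive(Debug, Clone, Copy, Default, PartialEq, Eq)]
pub struct TimeClaims {
    pub iat: Option<u64>,
    pub nbf: Option<u64>,
    pub exp: Option<u64>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TimeError {
    /// `iat` lies more than the tolerance in the future.
    IssuedInFuture { iat: u64, now: u64 },
    /// `nbf` lies more than the tolerance in the future.
    NotYetValid { nbf: u64, now: u64 },
    /// `exp` plus the tolerance has already passed.
    Expired { exp: u64, now: u64 },
}

/// Validate the time claims against `now`, allowing `tolerance` seconds of skew
/// in the lenient direction for each claim:
///   - `iat` and `nbf` may be up to `tolerance` seconds ahead of `now`;
///   - `exp` may be up to `tolerance` seconds behind `now`.
/// Absent claims are not checked here; whether they are mandatory is a
/// separate policy decision.
pub fn check_time_claims(claims: &TimeClaims, now: u64, tolerance: u64) -> Result<(), TimeError> {
    let latest_acceptable_start = now.saturating_add(tolerance);

    if let Some(iat) = claims.iat {
        if iat > latest_acceptable_start {
            return Err(TimeError::IssuedInFuture { iat, now });
        }
    }
    if let Some(nbf) = claims.nbf {
        if nbf > latest_acceptable_start {
            return Err(TimeError::NotYetValid { nbf, now });
        }
    }
    if let Some(exp) = claims.exp {
        // RFC 7519: the current time MUST be before `exp`. With skew allowed,
        // the token is accepted while now < exp + tolerance.
        if now >= exp.saturating_add(tolerance) {
            return Err(TimeError::Expired { exp, now });
        }
    }
    Ok(())
}

/// Current Unix time in seconds, for callers validating against the real clock.
pub fn unix_now() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs())
        .unwrap_or(0)
}

fn main() {
    // Constructed sample: the verifier's clock reads `now`; the issuer's clock
    // is 3 s ahead (tolerated) or 30 s ahead (rejected under a 5 s window).
    let now = 1_700_000_000;
    let slightly_ahead = TimeClaims { iat: Some(now + 3), nbf: Some(now + 3), exp: Some(now + 600) };
    let far_ahead = TimeClaims { iat: Some(now + 30), nbf: Some(now + 30), exp: Some(now + 600) };

    println!("{:?}", check_time_claims(&slightly_ahead, now, TIME_TOLERANCE_SECS));
    println!("{:?}", check_time_claims(&far_ahead, now, TIME_TOLERANCE_SECS));
    // The same 30 s skew passes under a 60 s window (illustrative value): a wide
    // tolerance hides clock problems and extends the usable life of a leaked token.
    println!("{:?}", check_time_claims(&far_ahead, now, 60));
    println!("verifier clock: {}", unix_now());
}
```

The point the example makes is that a tolerance is not a single number applied uniformly: it widens the acceptance window on each claim in the direction that favours the client, so a larger value means expired tokens live longer and tokens "from the future" are accepted more freely. Pinning a small explicit value, as the PR does, keeps that window visible in the code rather than inherited from a library default.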