Because of the random ordering of HashMap, if you have
overlapping token permissions, it is possible to randomly pick
one that leads to some operation working intermittently (see
https://github.com/zhaofengli/attic/issues/133 for an example of this).
By using an IndexMap instead, we make "iteration order of the key-value
pairs [...] independent of the hash values of the keys" (from the
indexmap crate docs [1]), which leads to more predictable behavior.
[1]: https://docs.rs/indexmap/latest/indexmap/
This effectively reverts commit 3e0b65a4c3.
Because jwt_simple doesn't have a unified type / trait that allows
signature and verification, I had to add a SignatureType enum to
approximate that.
The JWT spec [1] basically says that JWTs must validate the `aud` claim
if its specified:
> If the principal
> processing the claim does not identify itself with a value in the
> "aud" claim when this claim is present, then the JWT MUST be
> rejected.
[1]: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
