Upgrade github.com/golang-jwt/jwt to v5
ioppermann committed Sep 4, 2023
1 parent 722d3a4 commit 17ffa2b
Showing 35 changed files with 2,692 additions and 51 deletions.
3 changes: 2 additions & 1 deletion go.mod
Expand Up @@ -15,7 +15,7 @@ require (
github.com/fujiwara/shapeio v1.0.0
github.com/go-playground/validator/v10 v10.15.3
github.com/gobwas/glob v0.2.3
github.com/golang-jwt/jwt/v4 v4.5.0
github.com/golang-jwt/jwt/v5 v5.0.0
github.com/google/gops v0.3.28
github.com/google/uuid v1.3.1
github.com/hashicorp/go-hclog v1.5.0
Expand Down Expand Up @@ -69,6 +69,7 @@ require (
github.com/go-playground/locales v0.14.1 // indirect
github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -106,6 +106,8 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
Expand Down
19 changes: 4 additions & 15 deletions http/middleware/iam/iam.go
Expand Up @@ -48,7 +48,7 @@ import (
iamidentity "github.com/datarhei/core/v16/iam/identity"
"github.com/datarhei/core/v16/log"

jwtgo "github.com/golang-jwt/jwt/v4"
jwtgo "github.com/golang-jwt/jwt/v5"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
)
Expand Down Expand Up @@ -343,10 +343,7 @@ func (m *iammiddleware) findIdentityFromSession(c echo.Context) (iamidentity.Ver
return nil, fmt.Errorf("invalid claims in token")
}

var subject string
if sub, ok := claims["sub"]; ok {
subject = sub.(string)
}
subject, _ := claims.GetSubject()

identity, err := m.iam.GetVerifier(subject)
if err != nil {
Expand Down Expand Up @@ -410,10 +407,7 @@ func (m *iammiddleware) findIdentityFromJWT(c echo.Context) (iamidentity.Verifie
return nil, fmt.Errorf("invalid token")
}

var subject string
if sub, ok := claims["sub"]; ok {
subject = sub.(string)
}
subject, _ := claims.GetSubject()

var usefor string
if sub, ok := claims["usefor"]; ok {
Expand Down Expand Up @@ -499,12 +493,7 @@ func (m *iammiddleware) findIdentityFromAuth0(c echo.Context) (iamidentity.Verif
return nil, nil
}

var subject string
if claims, ok := token.Claims.(jwtgo.MapClaims); ok {
if sub, ok := claims["sub"]; ok {
subject = sub.(string)
}
}
subject, _ := token.Claims.GetSubject()

identity, err := m.iam.GetVerifierFromAuth0(subject)
if err != nil {
Expand Down
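Review bot: The error from `claims.GetSubject()` is discarded on the new `subject, _ := claims.GetSubject()` line in findIdentityFromSession, so a token whose `sub` claim is missing or not a string reaches `m.iam.GetVerifier` with an empty subject instead of being rejected at this point; the same discarded error appears in the findIdentityFromJWT and findIdentityFromAuth0 hunks further down this file. The identity.go hunks of this same commit check that error and return `invalid subject: %w`, so the middleware should match them: `subject, err := claims.GetSubject()` / `if err != nil {` / `return nil, fmt.Errorf("invalid subject: %w", err)` (and the same with `return nil, nil`-style handling chosen deliberately where the function treats a bad token as "no identity"). Whether GetVerifier and GetVerifierFromAuth0 reject an empty subject themselves is not visible here, so I would not rely on it. All three enclosing functions start and end outside their hunks.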
66 changes: 31 additions & 35 deletions iam/identity/identity.go
Expand Up @@ -12,7 +12,7 @@ import (
"github.com/datarhei/core/v16/slices"
"github.com/google/uuid"

jwtgo "github.com/golang-jwt/jwt/v4"
jwtgo "github.com/golang-jwt/jwt/v5"
)

// Auth0
Expand Down Expand Up @@ -167,22 +167,18 @@ func (i *identity) VerifyAPIAuth0(jwt string) (bool, error) {
return false, err
}

var subject string
if claims, ok := token.Claims.(jwtgo.MapClaims); ok {
if sub, ok := claims["sub"]; ok {
subject = sub.(string)
}
subject, err := token.Claims.GetSubject()
if err != nil {
return false, fmt.Errorf("invalid subject: %w", err)
}

if subject != i.user.Auth.API.Auth0.User {
return false, fmt.Errorf("wrong subject")
}

var issuer string
if claims, ok := token.Claims.(jwtgo.MapClaims); ok {
if iss, ok := claims["iss"]; ok {
issuer = iss.(string)
}
issuer, err := token.Claims.GetIssuer()
if err != nil {
return false, fmt.Errorf("invalid issuer: %w", err)
}

if issuer != i.tenant.issuer {
Expand All @@ -203,20 +199,24 @@ func (i *identity) VerifyAPIAuth0(jwt string) (bool, error) {

func (i *identity) auth0KeyFunc(token *jwtgo.Token) (interface{}, error) {
// Verify 'aud' claim
checkAud := token.Claims.(jwtgo.MapClaims).VerifyAudience(i.tenant.audience, false)
if !checkAud {
return nil, fmt.Errorf("invalid audience")
if aud, err := token.Claims.GetAudience(); err != nil {
return nil, fmt.Errorf("invalid audience: %w", err)
} else if len(aud) == 0 {
return nil, fmt.Errorf("audience is not present")
}

// Verify 'iss' claim
checkIss := token.Claims.(jwtgo.MapClaims).VerifyIssuer(i.tenant.issuer, false)
if !checkIss {
return nil, fmt.Errorf("invalid issuer")
if iss, err := token.Claims.GetIssuer(); err != nil {
return nil, fmt.Errorf("invalid issuer: %w", err)
} else if len(iss) == 0 {
return nil, fmt.Errorf("issuer is not present")
}

// Verify 'sub' claim
if _, ok := token.Claims.(jwtgo.MapClaims)["sub"]; !ok {
return nil, fmt.Errorf("sub claim is required")
if sub, err := token.Claims.GetSubject(); err != nil {
return nil, fmt.Errorf("invalid subject: %w", err)
} else if len(sub) == 0 {
return nil, fmt.Errorf("subject is not present")
}

// find the key
Expand Down Expand Up @@ -265,22 +265,18 @@ func (i *identity) VerifyJWT(jwt string) (bool, error) {
return false, err
}

var subject string
if claims, ok := token.Claims.(jwtgo.MapClaims); ok {
if sub, ok := claims["sub"]; ok {
subject = sub.(string)
}
subject, err := token.Claims.GetSubject()
if err != nil {
return false, fmt.Errorf("invalid subject: %w", err)
}

if subject != i.user.Name {
return false, fmt.Errorf("wrong subject")
}

var issuer string
if claims, ok := token.Claims.(jwtgo.MapClaims); ok {
if sub, ok := claims["iss"]; ok {
issuer = sub.(string)
}
issuer, err := token.Claims.GetIssuer()
if err != nil {
return false, fmt.Errorf("invalid issuer: %w", err)
}

if issuer != i.jwtRealm {
Expand Down Expand Up @@ -408,18 +404,18 @@ func (i *identity) VerifyServiceSession(jwt string) (bool, interface{}, error) {
return false, nil, fmt.Errorf("invalid claims")
}

var subject string
if sub, ok := claims["sub"]; ok {
subject = sub.(string)
subject, err := claims.GetSubject()
if err != nil {
return false, nil, fmt.Errorf("invalid subject: %w", err)
}

if subject != i.user.Name && subject != i.user.Alias {
return false, nil, fmt.Errorf("wrong subject")
}

var issuer string
if sub, ok := claims["iss"]; ok {
issuer = sub.(string)
issuer, err := claims.GetIssuer()
if err != nil {
return false, nil, fmt.Errorf("invalid issuer: %w", err)
}

if issuer != i.jwtRealm {
Expand Down
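Review bot: The rewritten 'aud' check in auth0KeyFunc only asserts that an audience claim is present (`len(aud) == 0`), whereas the removed `VerifyAudience(i.tenant.audience, false)` call compared it against the tenant's expected audience; unless the parser call outside this hunk was given `jwtgo.WithAudience(i.tenant.audience)`, a token issued for a different audience by the same Auth0 tenant now gets past the key function. The 'iss' check is weakened the same way, though VerifyAPIAuth0 still compares `issuer != i.tenant.issuer` after parsing, so only the audience comparison appears to be lost entirely; the comments `// Verify 'aud' claim` and `// Verify 'iss' claim` now promise more than the code does. I would restore the comparisons in the key function as below (or pass `jwtgo.WithAudience`/`jwtgo.WithIssuer` to the parser and reword the comments); `GetAudience` returns a `ClaimStrings` slice, hence the membership loop. The tail of auth0KeyFunc (the key lookup) is outside the hunk.
```go
	// Verify 'aud' claim: the token must be intended for this tenant's audience
	aud, err := token.Claims.GetAudience()
	if err != nil {
		return nil, fmt.Errorf("invalid audience: %w", err)
	}
	audienceMatches := false
	for _, a := range aud {
		if a == i.tenant.audience {
			audienceMatches = true
			break
		}
	}
	if !audienceMatches {
		return nil, fmt.Errorf("invalid audience")
	}

	// Verify 'iss' claim: the token must come from this tenant's issuer
	iss, err := token.Claims.GetIssuer()
	if err != nil {
		return nil, fmt.Errorf("invalid issuer: %w", err)
	}
	if iss != i.tenant.issuer {
		return nil, fmt.Errorf("invalid issuer")
	}

	// … unchanged: 'sub' presence check and key lookup …
```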
4 changes: 4 additions & 0 deletions vendor/github.com/golang-jwt/jwt/v5/.gitignore


9 changes: 9 additions & 0 deletions vendor/github.com/golang-jwt/jwt/v5/LICENSE


185 changes: 185 additions & 0 deletions vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md



0 comments on commit 17ffa2b
