chore: use latest golang-jwt v5

update to a newer release
FlatTrackio · Aug 27, 2024 · 28624f4 · 28624f4
1 parent c9eb447
commit 28624f4
Show file tree

Hide file tree

Showing 43 changed files with 1,872 additions and 912 deletions.
diff --git a/go.mod b/go.mod
@@ -27,6 +27,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.5.0 // indirect

diff --git a/go.sum b/go.sum
@@ -38,6 +38,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.17.0 h1:rd40H3QXU0AA4IoLllFcEAEo9dYKRHYND2gB4p7xcaU=
 github.com/golang-migrate/migrate/v4 v4.17.0/go.mod h1:+Cp2mtLP4/aXDTKb9wmXYitdrNx2HGs45rbWAo6OsKM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

diff --git a/internal/users/users.go b/internal/users/users.go
@@ -28,7 +28,7 @@ import (
 
 	"github.com/imdario/mergo"
 
-	jwt "github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 	"gitlab.com/flattrack/flattrack/internal/common"
 	"gitlab.com/flattrack/flattrack/internal/groups"
 	"gitlab.com/flattrack/flattrack/internal/system"
@@ -394,8 +394,8 @@ func (m *Manager) GenerateJWTauthToken(id string, authNonce string, expiresIn ti
 	token := jwt.NewWithClaims(jwtAlg, types.JWTclaim{
 		ID:        id,
 		AuthNonce: authNonce,
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expirationTime.Unix(),
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expirationTime),
 		},
 	})
 
@@ -433,6 +433,12 @@ func (m *Manager) ValidateJWTauthToken(r *http.Request) (valid bool, tokenClaims
 	}
 	claims := &types.JWTclaim{}
 	token, err := jwt.ParseWithClaims(tokenHeaderJWT, claims, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+		}
+		if token.Method.Alg() != jwtAlg.Alg() {
+			return nil, ErrAuthTokenFailed
+		}
 		return []byte(secret), nil
 	})
 	if err != nil {
@@ -442,13 +448,6 @@ func (m *Manager) ValidateJWTauthToken(r *http.Request) (valid bool, tokenClaims
 	if !token.Valid {
 		return false, &types.JWTclaim{}, ErrAuthInvalid
 	}
-	if err := token.Claims.Valid(); err != nil {
-		return false, &types.JWTclaim{}, ErrAuthInvalid
-	}
-	if token.Method.Alg() != jwtAlg.Alg() {
-		return false, &types.JWTclaim{}, ErrAuthTokenFailed
-	}
-
 	reqClaims, ok := token.Claims.(*types.JWTclaim)
 	if !ok {
 		return false, &types.JWTclaim{}, ErrFailedToReadJWTClaims
@@ -489,34 +488,14 @@ func (m *Manager) InvalidateAllAuthTokens(id string) (err error) {
 // return the userID in a JWT from a header in a HTTP request
 // TODO move into internal/httpserver/common.go
 func (m *Manager) GetIDFromJWT(r *http.Request) (id string, err error) {
-	secret, err := m.system.GetJWTsecret()
-	if err != nil {
-		return "", ErrFailedToFindSystemAuthSecret
-	}
-	tokenHeader := r.Header.Get("Authorization")
-	if tokenHeader == "" {
-		return "", ErrAuthorizationHeaderNotFound
-	}
-	authorizationHeader := strings.Split(tokenHeader, " ")
-	if authorizationHeader[0] != "bearer" || len(authorizationHeader) <= 1 {
-		return "", ErrAuthorizationHeaderNotFound
-	}
-	tokenHeaderJWT := authorizationHeader[1]
-	claims := &types.JWTclaim{}
-	token, err := jwt.ParseWithClaims(tokenHeaderJWT, claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(secret), nil
-	})
+	valid, claims, err := m.ValidateJWTauthToken(r)
 	if err != nil {
 		return "", err
 	}
-
-	reqClaims := token.Claims.(*types.JWTclaim)
-	user, err := m.GetByID(reqClaims.ID, true)
-	if err != nil || user.ID == "" {
-		log.Printf("error getting user by ID; %v\n", err)
-		return "", ErrFailedToFindAuthTokenAccountID
+	if !valid {
+		return "", ErrAuthInvalid
 	}
-	return user.ID, nil
+	return claims.ID, nil
 }
 
 // GetProfile ...

diff --git a/pkg/types/types.go b/pkg/types/types.go
@@ -21,7 +21,7 @@ package types
 import (
 	"net/http"
 
-	"github.com/golang-jwt/jwt"
+	jwt "github.com/golang-jwt/jwt/v5"
 )
 
 // Group ...
@@ -315,5 +315,5 @@ type Endpoints []struct {
 type JWTclaim struct {
 	ID        string `json:"id"`
 	AuthNonce string `json:"authNonce"`
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 }
diff --git a/vendor/github.com/golang-jwt/jwt/MIGRATION_GUIDE.md b/vendor/github.com/golang-jwt/jwt/MIGRATION_GUIDE.md
diff --git a/vendor/github.com/golang-jwt/jwt/README.md b/vendor/github.com/golang-jwt/jwt/README.md