From c3da45485451574b5e66744b6b779d9926ce5b19 Mon Sep 17 00:00:00 2001 From: renovate Date: Tue, 3 Aug 2021 21:43:18 +0000 Subject: [PATCH] Update module github.com/golang-jwt/jwt to v4 (#930) Co-authored-by: kolaente Reviewed-on: https://kolaente.dev/vikunja/api/pulls/930 Co-authored-by: renovate Co-committed-by: renovate --- go.mod | 2 +- go.sum | 2 ++ pkg/integrations/integrations.go | 2 +- pkg/models/link_sharing.go | 2 +- pkg/modules/auth/auth.go | 2 +- pkg/routes/api/v1/login.go | 2 +- pkg/routes/api/v1/token_check.go | 2 +- pkg/routes/routes.go | 26 +++++++++++++++++++++++++- pkg/user/user.go | 2 +- 9 files changed, 34 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index d6360132..d339b477 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,7 @@ require ( github.com/go-redis/redis/v8 v8.11.1 github.com/go-sql-driver/mysql v1.6.0 github.com/go-testfixtures/testfixtures/v3 v3.6.1 - github.com/golang-jwt/jwt v3.2.2+incompatible + github.com/golang-jwt/jwt/v4 v4.0.0 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 github.com/golang/snappy v0.0.4 // indirect github.com/iancoleman/strcase v0.2.0 diff --git a/go.sum b/go.sum index 08e84f6f..50a62041 100644 --- a/go.sum +++ b/go.sum @@ -231,6 +231,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o= +github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g= diff --git a/pkg/integrations/integrations.go b/pkg/integrations/integrations.go index 1f96cea8..51b759f1 100644 --- a/pkg/integrations/integrations.go +++ b/pkg/integrations/integrations.go @@ -35,7 +35,7 @@ import ( "code.vikunja.io/api/pkg/user" "code.vikunja.io/web" "code.vikunja.io/web/handler" - "github.com/golang-jwt/jwt" + "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" "github.com/stretchr/testify/assert" ) diff --git a/pkg/models/link_sharing.go b/pkg/models/link_sharing.go index ff85fbd2..249a0a12 100644 --- a/pkg/models/link_sharing.go +++ b/pkg/models/link_sharing.go @@ -26,7 +26,7 @@ import ( "code.vikunja.io/api/pkg/utils" "code.vikunja.io/web" - "github.com/golang-jwt/jwt" + "github.com/golang-jwt/jwt/v4" "golang.org/x/crypto/bcrypt" "xorm.io/builder" "xorm.io/xorm" diff --git a/pkg/modules/auth/auth.go b/pkg/modules/auth/auth.go index 83495e01..3a7e7771 100644 --- a/pkg/modules/auth/auth.go +++ b/pkg/modules/auth/auth.go @@ -24,7 +24,7 @@ import ( "code.vikunja.io/api/pkg/models" "code.vikunja.io/api/pkg/user" "code.vikunja.io/web" - "github.com/golang-jwt/jwt" + "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" ) diff --git a/pkg/routes/api/v1/login.go b/pkg/routes/api/v1/login.go index 2ce22b3d..f606769d 100644 --- a/pkg/routes/api/v1/login.go +++ b/pkg/routes/api/v1/login.go @@ -27,7 +27,7 @@ import ( user2 "code.vikunja.io/api/pkg/user" "code.vikunja.io/web/handler" - "github.com/golang-jwt/jwt" + "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" ) diff --git a/pkg/routes/api/v1/token_check.go b/pkg/routes/api/v1/token_check.go index af89c8a6..2c2a3f36 100644 --- a/pkg/routes/api/v1/token_check.go +++ b/pkg/routes/api/v1/token_check.go @@ -20,7 +20,7 @@ import ( "fmt" "code.vikunja.io/api/pkg/models" - "github.com/golang-jwt/jwt" + "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" ) diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go index 7232fe62..7a66c8f1 100644 --- a/pkg/routes/routes.go +++ b/pkg/routes/routes.go @@ -47,6 +47,8 @@ package routes import ( + "errors" + "fmt" "strings" "time" @@ -73,9 +75,11 @@ import ( "code.vikunja.io/api/pkg/version" "code.vikunja.io/web" "code.vikunja.io/web/handler" + "github.com/asaskevich/govalidator" "github.com/getsentry/sentry-go" sentryecho "github.com/getsentry/sentry-go/echo" + "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" "github.com/labstack/echo/v4/middleware" elog "github.com/labstack/gommon/log" @@ -257,7 +261,27 @@ func registerAPIRoutes(a *echo.Group) { // ===== Routes with Authetication ===== // Authetification - a.Use(middleware.JWT([]byte(config.ServiceJWTSecret.GetString()))) + a.Use(middleware.JWTWithConfig(middleware.JWTConfig{ + // Custom parse function to make the middleware work with the github.com/golang-jwt/jwt/v4 package. + // See https://github.com/labstack/echo/pull/1916#issuecomment-878046299 + ParseTokenFunc: func(auth string, c echo.Context) (interface{}, error) { + keyFunc := func(t *jwt.Token) (interface{}, error) { + if t.Method.Alg() != "HS256" { + return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"]) + } + return []byte(config.ServiceJWTSecret.GetString()), nil + } + + token, err := jwt.Parse(auth, keyFunc) + if err != nil { + return nil, err + } + if !token.Valid { + return nil, errors.New("invalid token") + } + return token, nil + }, + })) // Rate limit setupRateLimit(a, config.RateLimitKind.GetString()) diff --git a/pkg/user/user.go b/pkg/user/user.go index 4f4cdd78..a97bbb58 100644 --- a/pkg/user/user.go +++ b/pkg/user/user.go @@ -30,7 +30,7 @@ import ( "code.vikunja.io/api/pkg/notifications" "code.vikunja.io/web" - "github.com/golang-jwt/jwt" + "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" "golang.org/x/crypto/bcrypt" "xorm.io/xorm"