go-pkgz · freddierice · Jan 15, 2024 · Jan 17, 2024 · Jan 17, 2024 · Jan 17, 2024
@@ -10,7 +10,7 @@ require (
 	github.com/go-pkgz/auth v1.22.0
 	github.com/go-pkgz/lgr v0.11.1
 	github.com/go-pkgz/rest v1.18.2
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt v3.2.1+incompatible
 	golang.org/x/oauth2 v0.15.0
 )
 
@@ -19,6 +19,7 @@ require (
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/dghubble/oauth1 v0.7.2 // indirect
 	github.com/go-pkgz/repeater v1.1.3 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.5.0 // indirect

@@ -30,9 +30,10 @@ github.com/go-pkgz/repeater v1.1.3/go.mod h1:hVTavuO5x3Gxnu8zW7d6sQBfAneKV8X2FjU
 github.com/go-pkgz/rest v1.18.2 h1:eJYj1qlLJvTx86R4o+XmlKHOAGAX42WeG9PZrJud/e0=
 github.com/go-pkgz/rest v1.18.2/go.mod h1:Po+W6zQzpMPP6XDGLdAN2aW7UKk1IyrLSb48Lp1N3oQ=
 github.com/go-session/session v3.1.2+incompatible/go.mod h1:8B3iivBQjrz/JtC68Np2T1yBBLxTan3mn/3OM0CyRt0=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=

@@ -22,7 +22,7 @@ import (
 	log "github.com/go-pkgz/lgr"
 	"github.com/go-pkgz/rest"
 	"github.com/go-pkgz/rest/logger"
-	"github.com/golang-jwt/jwt"
+	oldjwt "github.com/golang-jwt/jwt"
 	"golang.org/x/oauth2"
 
 	"github.com/go-pkgz/auth"
@@ -295,7 +295,7 @@ func initGoauth2Srv() *goauth2.Server {
 	manager.MustTokenStorage(store.NewMemoryTokenStore())
 
 	// generate jwt access token
-	manager.MapAccessGenerate(generates.NewJWTAccessGenerate("custom", []byte("00000000"), jwt.SigningMethodHS512))
+	manager.MapAccessGenerate(generates.NewJWTAccessGenerate("custom", []byte("00000000"), oldjwt.SigningMethodHS512))
 
 	// client memory store
 	clientStore := store.NewClientStore()

@@ -8,7 +8,8 @@ require (
 	github.com/go-pkgz/email v0.5.0
 	github.com/go-pkgz/repeater v1.1.3
 	github.com/go-pkgz/rest v1.18.2
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt v3.2.1+incompatible
+	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/rrivera/identicon v0.0.0-20240116195454-d5ba35832c0d
 	github.com/stretchr/testify v1.8.4
 	go.etcd.io/bbolt v1.3.8

@@ -28,9 +28,10 @@ github.com/go-pkgz/repeater v1.1.3/go.mod h1:hVTavuO5x3Gxnu8zW7d6sQBfAneKV8X2FjU
 github.com/go-pkgz/rest v1.18.2 h1:eJYj1qlLJvTx86R4o+XmlKHOAGAX42WeG9PZrJud/e0=
 github.com/go-pkgz/rest v1.18.2/go.mod h1:Po+W6zQzpMPP6XDGLdAN2aW7UKk1IyrLSb48Lp1N3oQ=
 github.com/go-session/session v3.1.2+incompatible/go.mod h1:8B3iivBQjrz/JtC68Np2T1yBBLxTan3mn/3OM0CyRt0=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=

@@ -177,7 +177,7 @@ func (a *Authenticator) refreshExpiredToken(w http.ResponseWriter, claims token.
 		}
 	}
 
-	claims.ExpiresAt = 0                  // this will cause now+duration for refreshed token
+	claims.ExpiresAt = nil                // this will cause now+duration for refreshed token
 	c, err := a.JWTService.Set(w, claims) // Set changes token
 	if err != nil {
 		return token.Claims{}, err

@@ -166,9 +166,8 @@ func TestAuthJWTRefresh(t *testing.T) {
 
 	claims, err := a.JWTService.Parse(resp.Cookies()[0].Value)
 	assert.NoError(t, err)
-	ts := time.Unix(claims.ExpiresAt, 0)
-	assert.True(t, ts.After(time.Now()), "expiration in the future")
-	log.Print(time.Unix(claims.ExpiresAt, 0))
+	assert.True(t, claims.ExpiresAt.After(time.Now()), "expiration in the future")
+	log.Print(claims.ExpiresAt)
 }
 
 func TestAuthJWTRefreshConcurrentWithCache(t *testing.T) {

@@ -24,7 +24,7 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/go-pkgz/rest"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/go-pkgz/auth/logger"
 	"github.com/go-pkgz/auth/token"
@@ -261,11 +261,11 @@ func (ah *AppleHandler) LoginHandler(w http.ResponseWriter, r *http.Request) {
 			From:  r.URL.Query().Get("from"),
 		},
 		SessionOnly: r.URL.Query().Get("session") != "" && r.URL.Query().Get("session") != "0",
-		StandardClaims: jwt.StandardClaims{
-			Id:        cid,
-			Audience:  r.URL.Query().Get("site"),
-			ExpiresAt: time.Now().Add(30 * time.Minute).Unix(),
-			NotBefore: time.Now().Add(-1 * time.Minute).Unix(),
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:        cid,
+			Audience:  jwt.ClaimStrings{r.URL.Query().Get("site")},
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)),
+			NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
 		},
 	}
 
@@ -370,9 +370,9 @@ func (ah AppleHandler) AuthHandler(w http.ResponseWriter, r *http.Request) {
 
 	claims := token.Claims{
 		User: &u,
-		StandardClaims: jwt.StandardClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:   ah.Issuer,
-			Id:       cid,
+			ID:       cid,
 			Audience: oauthClaims.Audience,
 		},
 		SessionOnly: false,
@@ -467,13 +467,13 @@ func (ah *AppleHandler) createClientSecret() (string, error) {
 	}
 	// Create a claims
 	now := time.Now()
-	exp := now.Add(time.Minute * 30).Unix() // default value
+	exp := now.Add(time.Minute * 30) // default value
 
-	claims := &jwt.StandardClaims{
+	claims := &jwt.RegisteredClaims{
 		Issuer:    ah.conf.TeamID,
-		IssuedAt:  now.Unix(),
-		ExpiresAt: exp,
-		Audience:  "https://appleid.apple.com",
+		IssuedAt:  jwt.NewNumericDate(now),
+		ExpiresAt: jwt.NewNumericDate(exp),
+		Audience:  []string{"https://appleid.apple.com"},
 		Subject:   ah.conf.ClientID,
 	}
 

@@ -16,7 +16,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // appleKeysURL is the endpoint URL for fetch Apple’s public key

@@ -9,7 +9,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@@ -19,7 +19,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
@@ -303,7 +303,7 @@ func TestAppleHandler_LoginHandler(t *testing.T) {
 	require.NoError(t, err)
 	t.Log(claims)
 	assert.Equal(t, "go-pkgz/auth", claims.Issuer)
-	assert.Equal(t, "remark", claims.Audience)
+	assert.Equal(t, "remark", claims.Audience[0])
 
 }
 

@@ -18,7 +18,7 @@ import (
 	"github.com/go-oauth2/oauth2/v4/models"
 	goauth2 "github.com/go-oauth2/oauth2/v4/server"
 	"github.com/go-oauth2/oauth2/v4/store"
-	"github.com/golang-jwt/jwt"
+	oldjwt "github.com/golang-jwt/jwt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -192,7 +192,7 @@ func initGoauth2Srv(t *testing.T) *goauth2.Server {
 	manager.MustTokenStorage(store.NewMemoryTokenStore())
 
 	// generate jwt access token
-	manager.MapAccessGenerate(generates.NewJWTAccessGenerate("", []byte("00000000"), jwt.SigningMethodHS512))
+	manager.MapAccessGenerate(generates.NewJWTAccessGenerate("", []byte("00000000"), oldjwt.SigningMethodHS512))
 
 	// client memory store
 	clientStore := store.NewClientStore()

@@ -9,7 +9,7 @@ import (
 	"time"
 
 	"github.com/go-pkgz/rest"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/go-pkgz/auth/logger"
 	"github.com/go-pkgz/auth/token"
@@ -120,10 +120,10 @@ func (p DirectHandler) LoginHandler(w http.ResponseWriter, r *http.Request) {
 
 	claims := token.Claims{
 		User: &u,
-		StandardClaims: jwt.StandardClaims{
-			Id:       cid,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:       cid,
 			Issuer:   p.Issuer,
-			Audience: creds.Audience,
+			Audience: []string{creds.Audience},
 		},
 		SessionOnly: sessOnly,
 	}

@@ -90,9 +90,9 @@ func TestDirect_LoginHandler(t *testing.T) {
 			claims, err := d.TokenService.Parse(c.Value)
 			require.NoError(t, err)
 			t.Logf("%+v", claims)
-			assert.Equal(t, "xyz123", claims.Audience)
+			assert.Equal(t, "xyz123", claims.Audience[0])
 			assert.Equal(t, "iss-test", claims.Issuer)
-			assert.True(t, claims.ExpiresAt > time.Now().Unix())
+			assert.True(t, claims.ExpiresAt.After(time.Now()))
 			assert.Equal(t, "myuser", claims.User.Name)
 		})
 	}

@@ -10,7 +10,7 @@ import (
 
 	"github.com/dghubble/oauth1"
 	"github.com/go-pkgz/rest"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/go-pkgz/auth/logger"
 	"github.com/go-pkgz/auth/token"
@@ -55,11 +55,11 @@ func (h Oauth1Handler) LoginHandler(w http.ResponseWriter, r *http.Request) {
 			From:  r.URL.Query().Get("from"),
 		},
 		SessionOnly: r.URL.Query().Get("session") != "" && r.URL.Query().Get("session") != "0",
-		StandardClaims: jwt.StandardClaims{
-			Id:        cid,
-			Audience:  r.URL.Query().Get("site"),
-			ExpiresAt: time.Now().Add(30 * time.Minute).Unix(),
-			NotBefore: time.Now().Add(-1 * time.Minute).Unix(),
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:        cid,
+			Audience:  []string{r.URL.Query().Get("site")},
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)),
+			NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
 		},
 	}
 
@@ -140,9 +140,9 @@ func (h Oauth1Handler) AuthHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	claims := token.Claims{
 		User: &u,
-		StandardClaims: jwt.StandardClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:   h.Issuer,
-			Id:       cid,
+			ID:       cid,
 			Audience: oauthClaims.Audience,
 		},
 		SessionOnly: oauthClaims.SessionOnly,

@@ -62,7 +62,7 @@ func TestOauth1Login(t *testing.T) {
 	require.NoError(t, err)
 	t.Log(claims)
 	assert.Equal(t, "remark42", claims.Issuer)
-	assert.Equal(t, "remark", claims.Audience)
+	assert.Equal(t, "remark", claims.Audience[0])
 
 	// check admin user
 	resp, err = client.Get(fmt.Sprintf("http://localhost:%d/login?site=remark", loginPort))

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/go-pkgz/rest"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"golang.org/x/oauth2"
 
 	"github.com/go-pkgz/auth/logger"
@@ -111,11 +111,11 @@ func (p Oauth2Handler) LoginHandler(w http.ResponseWriter, r *http.Request) {
 			From:  r.URL.Query().Get("from"),
 		},
 		SessionOnly: r.URL.Query().Get("session") != "" && r.URL.Query().Get("session") != "0",
-		StandardClaims: jwt.StandardClaims{
-			Id:        cid,
-			Audience:  aud,
-			ExpiresAt: time.Now().Add(30 * time.Minute).Unix(),
-			NotBefore: time.Now().Add(-1 * time.Minute).Unix(),
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:        cid,
+			Audience:  []string{aud},
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)),
+			NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
 		},
 		NoAva: r.URL.Query().Get("noava") == "1",
 	}
@@ -208,9 +208,9 @@ func (p Oauth2Handler) AuthHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	claims := token.Claims{
 		User: &u,
-		StandardClaims: jwt.StandardClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:   p.Issuer,
-			Id:       cid,
+			ID:       cid,
 			Audience: oauthClaims.Audience,
 		},
 		SessionOnly: oauthClaims.SessionOnly,

@@ -73,7 +73,7 @@ func TestOauth2Login(t *testing.T) {
 	require.NoError(t, err)
 	t.Log(claims)
 	assert.Equal(t, "remark42", claims.Issuer)
-	assert.Equal(t, "remark", claims.Audience)
+	assert.Equal(t, "remark", claims.Audience[0])
 
 	// check admin user
 	resp, err = client.Get("http://localhost:8981/login?site=remark")

@@ -17,7 +17,7 @@ import (
 
 	"github.com/go-pkgz/repeater"
 	"github.com/go-pkgz/rest"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/go-pkgz/auth/logger"
 	authtoken "github.com/go-pkgz/auth/token"
@@ -302,12 +302,12 @@ func (th *TelegramHandler) LoginHandler(w http.ResponseWriter, r *http.Request)
 
 	claims := authtoken.Claims{
 		User: &u,
-		StandardClaims: jwt.StandardClaims{
-			Audience:  r.URL.Query().Get("site"),
-			Id:        queryToken,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Audience:  []string{r.URL.Query().Get("site")},
+			ID:        queryToken,
 			Issuer:    th.ProviderName,
-			ExpiresAt: time.Now().Add(30 * time.Minute).Unix(),
-			NotBefore: time.Now().Add(-1 * time.Minute).Unix(),
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)),
+			NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
 		},
 		SessionOnly: false, // TODO review?
 	}

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/go-pkgz/rest"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/go-pkgz/auth/avatar"
 	"github.com/go-pkgz/auth/logger"
@@ -111,8 +111,8 @@ func (e VerifyHandler) LoginHandler(w http.ResponseWriter, r *http.Request) {
 
 	claims := token.Claims{
 		User: &u,
-		StandardClaims: jwt.StandardClaims{
-			Id:       cid,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:       cid,
 			Issuer:   e.Issuer,
 			Audience: confClaims.Audience,
 		},
@@ -146,10 +146,10 @@ func (e VerifyHandler) sendConfirmation(w http.ResponseWriter, r *http.Request)
 			ID:    user + "::" + address,
 		},
 		SessionOnly: r.URL.Query().Get("session") != "" && r.URL.Query().Get("session") != "0",
-		StandardClaims: jwt.StandardClaims{
-			Audience:  site,
-			ExpiresAt: time.Now().Add(30 * time.Minute).Unix(),
-			NotBefore: time.Now().Add(-1 * time.Minute).Unix(),
+		RegisteredClaims: jwt.RegisteredClaims{
+			Audience:  []string{site},
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)),
+			NotBefore: jwt.NewNumericDate(time.Now().Add(-1 * time.Minute)),
 			Issuer:    e.Issuer,
 		},
 	}