From 6ca39e3cbff6159c4238a0e723fabc5c5369c363 Mon Sep 17 00:00:00 2001 From: Andres Perez <1676612+andresperezl@users.noreply.github.com> Date: Wed, 6 Jan 2021 15:47:52 -0500 Subject: [PATCH] Update jwt-go to v4 to address CVE-2020-26160 (#69) --- README.md | 6 ++- examples/martini-example/README.md | 10 ----- examples/martini-example/main.go | 57 ---------------------------- examples/negroni-example/README.md | 10 ----- examples/negroni-example/main.go | 61 ------------------------------ go.mod | 2 +- go.sum | 4 +- jwtmiddleware.go | 2 +- jwtmiddleware_test.go | 2 +- 9 files changed, 9 insertions(+), 145 deletions(-) delete mode 100644 examples/martini-example/README.md delete mode 100644 examples/martini-example/main.go delete mode 100644 examples/negroni-example/README.md delete mode 100644 examples/negroni-example/main.go diff --git a/README.md b/README.md index 8bc4ea55..aa0c240c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # GO JWT Middleware +**NOTE:** We released this version using a fork of jwt-go in order to address a security vulnerability. Due to jwt-go not being actively maintained we will be looking to switch to a more actively maintained package in the near future. + A middleware that will check that a [JWT](http://jwt.io/) is sent on the `Authorization` header and will then set the content of the JWT into the `user` variable of the request. This module lets you authenticate HTTP requests using JWT tokens in your Go Programming Language applications. JWTs are typically used to protect API endpoints, and are often issued using OpenID Connect. @@ -28,7 +30,7 @@ import ( "net/http" "github.com/Zattix/go-jwt-middleware" - "github.com/dgrijalva/jwt-go" + "github.com/form3tech-oss/jwt-go" "context" ) @@ -70,7 +72,7 @@ import ( "github.com/Zattix/go-jwt-middleware" "github.com/urfave/negroni" - "github.com/dgrijalva/jwt-go" + "github.com/form3tech-oss/jwt-go" "github.com/gorilla/mux" ) 
diff --git a/examples/martini-example/README.md b/examples/martini-example/README.md deleted file mode 100644 index 62394f4f..00000000 --- a/examples/martini-example/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# Martini example - -This is an example of how to use the middleware with Martini. - -# Using it - -To try this out, first install all dependencies with `go install` and then run `go run main.go` to start the app. - -* Call `http://localhost:3001/ping` to get a JSon response without the need of a JWT. -* Call `http://localhost:3001/secured/ping` with a JWT signed with `My Secret` to get a response back. diff --git a/examples/martini-example/main.go b/examples/martini-example/main.go deleted file mode 100644 index 69e1621f..00000000 --- a/examples/martini-example/main.go +++ /dev/null 
@@ -1,57 +0,0 @@
-package main
-
-import (
- "encoding/json"
- "net/http"
-
- jwtmiddleware "github.com/Zattix/go-jwt-middleware"
- "github.com/dgrijalva/jwt-go"
- "github.com/go-martini/martini"
-)
-
-func main() {
-
- StartServer()
-
-}
-
-func StartServer() {
- m := martini.Classic()
-
- jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
- ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
- return []byte("My Secret"), nil
- },
- SigningMethod: jwt.SigningMethodHS256,
- })
-
- m.Get("/ping", PingHandler)
- m.Get("/secured/ping", jwtMiddleware.CheckJWT, SecuredPingHandler)
-
- m.Run()
-}
-
-type Response struct {
- Text string `json:"text"`
-}
-
-func respondJSON(text string, w http.ResponseWriter) {
- response := Response{text}
-
- jsonResponse, err := json.Marshal(response)
- if err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
-
- w.Header().Set("Content-Type", "application/json")
- w.Write(jsonResponse)
-}
-
-func PingHandler(w http.ResponseWriter, r *http.Request) {
- respondJSON("All good. You don't need to be authenticated to call this", w)
-}
-
-func SecuredPingHandler(w http.ResponseWriter, r *http.Request) {
- respondJSON("All good. You only get this message if you're authenticated", w)
-}
diff --git a/examples/negroni-example/README.md b/examples/negroni-example/README.md
deleted file mode 100644
index 0e1a035d..00000000
--- a/examples/negroni-example/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Negroni example
-
-This is an example of how to use the Negroni middleware.
-
-# Using it
-
-To try this out, first install all dependencies with `go install` and then run `go run main.go` to start the app.
-
-* Call `http://localhost:3001/ping` to get a JSon response without the need of a JWT.
-* Call `http://localhost:3001/secured/ping` with a JWT signed with `My Secret` to get a response back.
\ No newline at end of file
diff --git a/examples/negroni-example/main.go b/examples/negroni-example/main.go
deleted file mode 100644
index a3348122..00000000
--- a/examples/negroni-example/main.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package main
-
-import (
- "encoding/json"
- "net/http"
-
- jwtmiddleware "github.com/Zattix/go-jwt-middleware"
- "github.com/dgrijalva/jwt-go"
- "github.com/gorilla/mux"
- "github.com/urfave/negroni"
-)
-
-func main() {
-
- StartServer()
-
-}
-
-func StartServer() {
- r := mux.NewRouter()
-
- jwtMiddleware := jwtmiddleware.New(jwtmiddleware.Options{
- ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
- return []byte("My Secret"), nil
- },
- SigningMethod: jwt.SigningMethodHS256,
- })
-
- r.HandleFunc("/ping", PingHandler)
- r.Handle("/secured/ping", negroni.New(
- negroni.HandlerFunc(jwtMiddleware.HandlerWithNext),
- negroni.Wrap(http.HandlerFunc(SecuredPingHandler)),
- ))
- http.Handle("/", r)
- http.ListenAndServe(":3001", nil)
-}
-
-type Response struct {
- Text string `json:"text"`
-}
-
-func respondJSON(text string, w http.ResponseWriter) {
- response := Response{text}
-
- jsonResponse, err := json.Marshal(response)
- if err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
-
- w.Header().Set("Content-Type", "application/json")
- w.Write(jsonResponse)
-}
-
-func PingHandler(w http.ResponseWriter, r *http.Request) {
- respondJSON("All good. You don't need to be authenticated to call this", w)
-}
-
-func SecuredPingHandler(w http.ResponseWriter, r *http.Request) {
- respondJSON("All good. You only get this message if you're authenticated", w)
-}
diff --git a/go.mod b/go.mod
index 53ec14ce..0a9fd149 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.14 require ( github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect - github.com/dgrijalva/jwt-go v3.2.0+incompatible + github.com/form3tech-oss/jwt-go v3.2.2+incompatible github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 // indirect github.com/gorilla/mux v1.7.4 diff --git a/go.sum b/go.sum index 5e637eb2..736f537d 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= -github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk= +github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= diff --git a/jwtmiddleware.go b/jwtmiddleware.go index 24cd2ff4..470d4efd 100644 --- a/jwtmiddleware.go +++ b/jwtmiddleware.go @@ -8,7 +8,7 @@ import ( "net/http" "strings" - "github.com/dgrijalva/jwt-go" + "github.com/form3tech-oss/jwt-go" ) // A function called whenever an error is encountered diff --git a/jwtmiddleware_test.go b/jwtmiddleware_test.go index 51698cae..cab5cd51 100644 --- a/jwtmiddleware_test.go +++ b/jwtmiddleware_test.go 
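Review bot: The `require` block still pins `github.com/go-martini/martini` (and the `github.com/codegangsta/inject` line marked `// indirect`, which martini pulls in) although this commit deletes examples/martini-example/main.go, which from the diffstat looks like the only importer of martini in the module. Unless a file outside this patch still imports it, a `go mod tidy` pass should follow so the dependency surface recorded in go.mod and go.sum matches what is actually compiled; `gorilla/mux` is different, since jwtmiddleware_test.go still imports it. The subject line says jwt-go moved to "v4", but the line actually pinned here is `github.com/form3tech-oss/jwt-go v3.2.2+incompatible`, so the version named in the history does not match the one that carries the CVE-2020-26160 fix; a short comment in go.mod such as `// form3tech-oss fork of dgrijalva/jwt-go: carries the CVE-2020-26160 aud-verification fix` would keep the reason for the fork auditable.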
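Review bot: Replacing the import path with the form3tech-oss fork is a behavioural change rather than a plain rename, and nothing in the hunk or the README note records it: as far as I recall, that fork's `StandardClaims.Audience` is a `[]string` and its `MapClaims` audience check accepts both a string and a list, which is the CVE-2020-26160 fix. Any code in the rest of jwtmiddleware.go (outside this hunk) or in downstream users that type-asserts `claims["aud"].(string)` or assigns a string to `StandardClaims.Audience` will stop compiling or change meaning, so the migration point deserves a sentence in the README and a marker at the import, e.g. `"github.com/form3tech-oss/jwt-go" // fork: fixes CVE-2020-26160 aud verification; Audience is []string`. The identical import swap in jwtmiddleware_test.go on the next line has the same consideration.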
@@ -9,7 +9,7 @@ import ( "strings" "testing" - "github.com/dgrijalva/jwt-go" + "github.com/form3tech-oss/jwt-go" "github.com/gorilla/mux" . "github.com/smartystreets/goconvey/convey" "github.com/urfave/negroni"