Update jwt-go to v4 to address CVE-2020-26160

[andresperezl]

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

Update github.com/dgrijalva/jwt-go dependency to github.com/dgrijalva/jwt-go/v4 to address CVE-2020-26160

References

• CVE-2020-26160

Testing

=== RUN   TestUnauthenticatedRequest

  Simple unauthenticated request 
    Unauthenticated GET to / path should return a 200 response [negroni] 2020-10-02T14:08:22-04:00 | 200 |       383.933µs |  | GET /
✔
    Unauthenticated GET to /protected path should return a 401 response [negroni] 2020-10-02T14:08:22-04:00 | 401 |      109.987µs |  | GET /protected
✔


2 total assertions

--- PASS: TestUnauthenticatedRequest (0.00s)
=== RUN   TestAuthenticatedRequest

  Simple authenticated requests 
    Authenticated GET to / path should return a 200 response [negroni] 2020-10-02T14:08:22-04:00 | 200 |         70.352µs |  | GET /
✔
    Authenticated GET to /protected path should return a 200 response if expected algorithm is not specified [negroni] 2020-10-02T14:08:22-04:00 | 200 |         287.425µs |  | GET /protected
✔✔
    Authenticated GET to /protected path should return a 200 response if expected algorithm is correct [negroni] 2020-10-02T14:08:22-04:00 | 200 |       300.828µs |  | GET /protected
✔✔
    Authenticated GET to /protected path should return a 401 response if algorithm is not expected one [negroni] 2020-10-02T14:08:22-04:00 | 401 |       130.401µs |  | GET /protected
✔✔


9 total assertions

--- PASS: TestAuthenticatedRequest (0.01s)
PASS
ok      github.com/auth0/go-jwt-middleware      3.967s
?       github.com/auth0/go-jwt-middleware/examples/martini-example     [no test files]
?       github.com/auth0/go-jwt-middleware/examples/negroni-example     [no test files]

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not master

[grounded042]

Thanks @andresperezl! Since this package is used in production for many folks I'd like to hold off on this until the new version of jwt-go has officially been released. It looks like that should happen soon based on dgrijalva/jwt-go#248

[andresperezl]

@grounded042 it seems that the project has not been active for at least 9 month now, have read in other issues and projects that are moving to other libraries.

[grounded042]

Gotcha. Thanks for the info @andresperezl. What libraries are the other projects moving to?

[andresperezl]

My team is doing some internal testing with github.com/lestrrat-go/jwx, let me see If I can make that modification using that library instead for this one

[hi019]

We at Fiber are using form3tech's fork - https://github.com/form3tech-oss/jwt-go.

A security focused middleware like this should not be using an unmaintained and insecure JWT library. Please look into this @mgonto @asheshv @lxfontes

[dlorenc]

I'd just like to +1 this, others are moving to the form3tech fork, dgrijalva's appears to be unmaintained. The planned v4 version is over 2 years old at this point, it's probably not coming soon.

[grounded042]

Thanks for the input all - we had an internal discussion about this and will be moving it along. Sorry for that wait!

[grounded042]

For the short term we will be going with https://github.com/form3tech-oss/jwt-go as we need to fix this security vulnerability. However, this is a breaking change due to the claims audience going from a string to a slice of strings. Since we have not versioned this package up to this point we will release this as v1.0.0.

We are not confident that the form3tech-oss/jwt-go library will be consistently updated and maintained (they haven't even updated the README), so we will immediately begin work on the next version of this package which will most likely use https://github.com/lestrrat-go/jwx.

I'll shortly be pushing a change up in this PR and will have someone from my team review this so we can get it merged and released.

[johneke-auth0]

LGTM

[dlorenc]

LGTM! Thanks for taking such a detailed look here and coming up with a plan going forward.

For long term maintenance of things like this, I stumbled on the https://github.com/gofrs organization which seems like it was created for exactly this type of situation, but unfortunately that doesn't seem very active either...

[dschreij]

Hi there. thanks for your efforts. Has this been released with v1.0.0? This still appears to be using form3tech-oss/jwt-go under the hood if I check the go.mod and the source code. I stumbled upon another issue that is fixed in v4 of dgrijalva/jwt-go (dgrijalva/jwt-go#314), so I am looking forward to the release that uses that package :)

[dschreij]

Sorry, I think I read this incorrectly

Since we have not versioned this package up to this point we will release this as v1.0.0.

with which you probably refer to using the form3tech package in that release.

[ezk84]

Seems that github.com/form3tech-oss/jwt-go is not actually v4, it's just updated to deal with the security issue at hand: dgrijalva/jwt-go@master...form3tech-oss:master

[grounded042]

Hey @dschreij and @ezk84 at this point we do not have plans to use v4 of dgrijalva/jwt-go due to it being unmaintained. We released v1.0.0 with form3tech-oss/jwt-go as we did not want to wait any longer on addressing the security issue. We have #73 to track the replacement of jwt-go. If you have any specific things you would like to see in the replacement please leave a comment on that issue.

[dschreij]

Thanks for the heads up. I actually saw that issue too, but it slipped my mind I guess. I know the chi router dev team also wanted to move away from dgrijalva/jwt-go at one point and chose https://github.com/lestrrat-go/jwx in the end. Maybe worth looking into.