Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove gopkg.in/square/go-jose.v2 dep #203

Merged
merged 3 commits into from
Apr 22, 2024
Merged

Remove gopkg.in/square/go-jose.v2 dep #203

merged 3 commits into from
Apr 22, 2024

Conversation

tomhjp
Copy link
Contributor

@tomhjp tomhjp commented Apr 19, 2024
edited
Loading

There is no fix for the GO-2024-2631 vuln for gopkg.in/square/go-jose.v2, so now seems like a good time to remove it from the dependencies and standardise on the latest v4 version of the module.

Unfortunately it does mean we need to be more selective about the signature algorithms we allow when receiving a JWT during a login request. I think RS256 is the correct choice based on empirical evidence, but I do have concerns that there's no public commitment to that signature algorithm in Google's docs, so it's possible they could change this signature algorithm at any point.

References:

swenson
swenson approved these changes Apr 19, 2024
View reviewed changes
Copy link
Contributor

@swenson swenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, though based on our discussions, I think it would be a good idea to support HS256 and ES256 as well.

tomhjp added 2 commits April 19, 2024 20:01
@tomhjp
Add support for ES256 and HS256 signature algorithms
18f4361 
Based on https://www.rfc-editor.org/rfc/rfc7519#section-8, this gives us good coverage
of all the most commonly expected signature algorithms for a JWT, although for now
Google only uses RS256 in my testing
@tomhjp
Add changelog note
6deb921
@tomhjp
Copy link
Contributor Author

tomhjp commented Apr 19, 2024

Thanks, added those 2 as well 👍 I also updated the target release version to 0.17.0 as that seems more appropriate with the change in accepted algorithms.

@tomhjp tomhjp merged commit 13c73ea into main Apr 22, 2024
5 checks passed
@tomhjp tomhjp deleted the remove-go-jose.v2-dep branch April 22, 2024 08:14
This was referenced May 21, 2024
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@swenson swenson swenson approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tomhjp @swenson