

Merge pull request #10 from luthersystems/jack-clarke-luther/upgrade-…
…vulnerable-package

bump github.com/golang-jwt/jwt/v4 from v4.5.0 to v4.5.1
jack-clarke-luthersystems authored Dec 2, 2024
2 parents 9291b67 + 2a0b2d4 commit 367f68e
Showing 3 changed files with 24 additions and 14 deletions.
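--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/luthersystems/lutherauth-sdk-go
 go 1.22
 
 require (
-github.com/golang-jwt/jwt/v4 v4.5.0
+github.com/golang-jwt/jwt/v4 v4.5.1
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103
 github.com/sirupsen/logrus v1.9.3
 github.com/stretchr/testify v1.8.4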
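--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 h1:Z/i1e+gTZrmcGeZyWckaLfucYG6KYOXLWo4co8pZYNY=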
32 changes: 21 additions & 11 deletions jwk/rs256.go
Expand Up @@ -23,24 +23,34 @@ import (

// parseClaims parses a token for claims, and validates using a signature key.
func parseClaims(tokenString string, pubKey *rsa.PublicKey, validate bool, claims jwtgo.Claims) (*jwtgo.Token, error) {
var parser jwtgo.Parser
var parser *jwtgo.Parser
alg := jwtgo.SigningMethodRS256.Name
parser = jwtgo.Parser{ValidMethods: []string{alg}}
if validate {
parser = jwtgo.NewParser(jwtgo.WithValidMethods([]string{alg}))
} else {
parser = jwtgo.NewParser(jwtgo.WithValidMethods([]string{alg}), jwtgo.WithoutClaimsValidation())
}

token, err := parser.ParseWithClaims(tokenString, claims, func(token *jwtgo.Token) (verifykey interface{}, err error) {
return pubKey, nil
})
// NOTE: we check err futher down due to how jwt-go handles sig verification errors

if err != nil {
if errors.Is(err, jwtgo.ErrTokenMalformed) {
return nil, fmt.Errorf("malformed token: %w", err)
}
if errors.Is(err, jwtgo.ErrTokenSignatureInvalid) {
return nil, fmt.Errorf("invalid signature: %w", err)
}
if errors.Is(err, jwtgo.ErrTokenExpired) {
return nil, fmt.Errorf("expired token: %w", err)
}
return nil, fmt.Errorf("token validation failed: %w", err)
}

if token == nil {
return nil, fmt.Errorf("nil jwk token")
}
validErr := token.Claims.Valid()
if validate && validErr != nil {
return nil, fmt.Errorf("jwk token claim invalid: %v", validErr)
}
// NOTE: check if there was a parse error from above
if err != nil {
return nil, err
}
if !token.Valid {
return nil, fmt.Errorf("invalid jwk token")
}
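Review bot: The `validate == false` branch that builds the parser with `jwtgo.WithoutClaimsValidation()` changes what callers get back: as far as the removed lines show, the old code still returned any parse error unconditionally after the `validate && validErr != nil` check, so an expired or not-yet-valid token was rejected regardless of `validate`, whereas now it is returned with `token.Valid` set once the signature verifies. If that is intended, the contract needs to be stated on the function, since the existing comment only mentions the signature key; something like `// When validate is false the RS256 signature is still verified against pubKey, but claim validation (exp, nbf, iat) is skipped, so callers must not treat the returned token as currently valid.` Any caller that passed `validate=false` and relied on expiry being enforced should be re-checked in this PR. The chain of `errors.Is` checks would read better as a single `switch { case errors.Is(err, jwtgo.ErrTokenMalformed): ... }`, and `verifykey interface{}` could be `any` given `go 1.22`. parseClaims continues past the end of the hunk.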

