diff --git a/go.mod b/go.mod
index e2e1649..75d24a4 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/luthersystems/lutherauth-sdk-go
 go 1.22
 
 require (
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4
diff --git a/go.sum b/go.sum
index 796ad3b..d57048c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 h1:Z/i1e+gTZrmcGeZyWckaLfucYG6KYOXLWo4co8pZYNY=
diff --git a/jwk/rs256.go b/jwk/rs256.go
index 230b30d..152d54a 100644
--- a/jwk/rs256.go
+++ b/jwk/rs256.go
@@ -23,24 +23,34 @@ import ( // parseClaims parses a token for claims, and validates using a signature key. func parseClaims(tokenString string, pubKey *rsa.PublicKey, validate bool, claims jwtgo.Claims) (*jwtgo.Token, error) { - var parser jwtgo.Parser + var parser *jwtgo.Parser alg := jwtgo.SigningMethodRS256.Name - parser = jwtgo.Parser{ValidMethods: []string{alg}} + if validate { + parser = jwtgo.NewParser(jwtgo.WithValidMethods([]string{alg})) + } else { + parser = jwtgo.NewParser(jwtgo.WithValidMethods([]string{alg}), jwtgo.WithoutClaimsValidation()) + } + token, err := parser.ParseWithClaims(tokenString, claims, func(token *jwtgo.Token) (verifykey interface{}, err error) { return pubKey, nil }) - // NOTE: we check err futher down due to how jwt-go handles sig verification errors + + if err != nil { + if errors.Is(err, jwtgo.ErrTokenMalformed) { + return nil, fmt.Errorf("malformed token: %w", err) + } + if errors.Is(err, jwtgo.ErrTokenSignatureInvalid) { + return nil, fmt.Errorf("invalid signature: %w", err) + } + if errors.Is(err, jwtgo.ErrTokenExpired) { + return nil, fmt.Errorf("expired token: %w", err) + } + return nil, fmt.Errorf("token validation failed: %w", err) + } + if token == nil { return nil, fmt.Errorf("nil jwk token") } - validErr := token.Claims.Valid() - if validate && validErr != nil { - return nil, fmt.Errorf("jwk token claim invalid: %v", validErr) - } - // NOTE: check if there was a parse error from above - if err != nil { - return nil, err - } if !token.Valid { return nil, fmt.Errorf("invalid jwk token") }
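Review bot: The `validate == false` branch now constructs the parser with `jwtgo.WithoutClaimsValidation()`, so a token whose standard claims fail (an expired `exp`, for example) comes back as valid on that path, whereas the removed code returned any `err` from `ParseWithClaims` unconditionally; the doc comment on `parseClaims` still only says it "validates using a signature key" and never states what `validate` switches off. If that relaxation is intended, document it above the function — `// validate controls only the standard-claims check (the library's Claims.Valid(): exp/nbf/iat); the RS256 restriction and signature verification are enforced on both paths.` — and have the callers that pass false confirm they handle expiry themselves. The three `errors.Is` branches inside `if err != nil` read more naturally as one `switch { case errors.Is(err, jwtgo.ErrTokenMalformed): … }`, which also makes it obvious that the final `token validation failed` wrap is the default arm. `parseClaims` continues past the end of the hunk.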