aboutsummaryrefslogtreecommitdiffstats
path: root/vendor/github.com/golang-jwt/jwt/v5
diff options
context:
space:
mode:
authorLibravatar Rutger Broekhoff2023-12-30 14:00:34 +0100
committerLibravatar Rutger Broekhoff2023-12-30 14:00:34 +0100
commitf6c92c5e2d87ab1334648b0d1293771de7aae4a5 (patch)
tree265c3a06accd398a1e0a173af56d7392a5f94a24 /vendor/github.com/golang-jwt/jwt/v5
parent4f167c0fa991aa9ddb3f0252e23694b3aa6532b1 (diff)
downloadgitolfs3-f6c92c5e2d87ab1334648b0d1293771de7aae4a5.tar.gz
gitolfs3-f6c92c5e2d87ab1334648b0d1293771de7aae4a5.zip
Implement git-lfs-authenticate
Diffstat (limited to 'vendor/github.com/golang-jwt/jwt/v5')
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/.gitignore4
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/LICENSE9
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md195
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/README.md167
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/SECURITY.md19
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md137
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/claims.go16
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/doc.go4
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/ecdsa.go134
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go69
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/ed25519.go79
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go64
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/errors.go49
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go47
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go78
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/hmac.go104
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/map_claims.go109
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/none.go50
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/parser.go238
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/parser_option.go128
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/registered_claims.go63
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/rsa.go93
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go135
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go107
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/signing_method.go49
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf1
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/token.go100
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/token_option.go5
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/types.go149
-rw-r--r--vendor/github.com/golang-jwt/jwt/v5/validator.go316
30 files changed, 2718 insertions, 0 deletions
diff --git a/vendor/github.com/golang-jwt/jwt/v5/.gitignore b/vendor/github.com/golang-jwt/jwt/v5/.gitignore
new file mode 100644
index 0000000..09573e0
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/.gitignore
@@ -0,0 +1,4 @@
1.DS_Store
2bin
3.idea/
4
diff --git a/vendor/github.com/golang-jwt/jwt/v5/LICENSE b/vendor/github.com/golang-jwt/jwt/v5/LICENSE
new file mode 100644
index 0000000..35dbc25
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/LICENSE
@@ -0,0 +1,9 @@
1Copyright (c) 2012 Dave Grijalva
2Copyright (c) 2021 golang-jwt maintainers
3
4Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
5
6The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
7
8THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
9
diff --git a/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md b/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md
new file mode 100644
index 0000000..ff9c57e
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md
@@ -0,0 +1,195 @@
1# Migration Guide (v5.0.0)
2
3Version `v5` contains a major rework of core functionalities in the `jwt-go`
4library. This includes support for several validation options as well as a
5re-design of the `Claims` interface. Lastly, we reworked how errors work under
6the hood, which should provide a better overall developer experience.
7
8Starting from [v5.0.0](https://github.com/golang-jwt/jwt/releases/tag/v5.0.0),
9the import path will be:
10
11 "github.com/golang-jwt/jwt/v5"
12
13For most users, changing the import path *should* suffice. However, since we
14intentionally changed and cleaned some of the public API, existing programs
15might need to be updated. The following sections describe significant changes
16and corresponding updates for existing programs.
17
18## Parsing and Validation Options
19
20Under the hood, a new `Validator` struct takes care of validating the claims. A
21long awaited feature has been the option to fine-tune the validation of tokens.
22This is now possible with several `ParserOption` functions that can be appended
23to most `Parse` functions, such as `ParseWithClaims`. The most important options
24and changes are:
25 * Added `WithLeeway` to support specifying the leeway that is allowed when
26 validating time-based claims, such as `exp` or `nbf`.
27 * Changed default behavior to not check the `iat` claim. Usage of this claim
28 is OPTIONAL according to the JWT RFC. The claim itself is also purely
29 informational according to the RFC, so a strict validation failure is not
30 recommended. If you want to check for sensible values in these claims,
31 please use the `WithIssuedAt` parser option.
32 * Added `WithAudience`, `WithSubject` and `WithIssuer` to support checking for
33 expected `aud`, `sub` and `iss`.
34 * Added `WithStrictDecoding` and `WithPaddingAllowed` options to allow
35 previously global settings to enable base64 strict encoding and the parsing
36 of base64 strings with padding. The latter is strictly speaking against the
37 standard, but unfortunately some of the major identity providers issue some
38 of these incorrect tokens. Both options are disabled by default.
39
40## Changes to the `Claims` interface
41
42### Complete Restructuring
43
44Previously, the claims interface was satisfied with an implementation of a
45`Valid() error` function. This had several issues:
46 * The different claim types (struct claims, map claims, etc.) then contained
47 similar (but not 100 % identical) code of how this validation was done. This
48 lead to a lot of (almost) duplicate code and was hard to maintain
49 * It was not really semantically close to what a "claim" (or a set of claims)
50 really is; which is a list of defined key/value pairs with a certain
51 semantic meaning.
52
53Since all the validation functionality is now extracted into the validator, all
54`VerifyXXX` and `Valid` functions have been removed from the `Claims` interface.
55Instead, the interface now represents a list of getters to retrieve values with
56a specific meaning. This allows us to completely decouple the validation logic
57with the underlying storage representation of the claim, which could be a
58struct, a map or even something stored in a database.
59
60```go
61type Claims interface {
62 GetExpirationTime() (*NumericDate, error)
63 GetIssuedAt() (*NumericDate, error)
64 GetNotBefore() (*NumericDate, error)
65 GetIssuer() (string, error)
66 GetSubject() (string, error)
67 GetAudience() (ClaimStrings, error)
68}
69```
70
71Users that previously directly called the `Valid` function on their claims,
72e.g., to perform validation independently of parsing/verifying a token, can now
73use the `jwt.NewValidator` function to create a `Validator` independently of the
74`Parser`.
75
76```go
77var v = jwt.NewValidator(jwt.WithLeeway(5*time.Second))
78v.Validate(myClaims)
79```
80
81### Supported Claim Types and Removal of `StandardClaims`
82
83The two standard claim types supported by this library, `MapClaims` and
84`RegisteredClaims` both implement the necessary functions of this interface. The
85old `StandardClaims` struct, which has already been deprecated in `v4` is now
86removed.
87
88Users using custom claims, in most cases, will not experience any changes in the
89behavior as long as they embedded `RegisteredClaims`. If they created a new
90claim type from scratch, they now need to implemented the proper getter
91functions.
92
93### Migrating Application Specific Logic of the old `Valid`
94
95Previously, users could override the `Valid` method in a custom claim, for
96example to extend the validation with application-specific claims. However, this
97was always very dangerous, since once could easily disable the standard
98validation and signature checking.
99
100In order to avoid that, while still supporting the use-case, a new
101`ClaimsValidator` interface has been introduced. This interface consists of the
102`Validate() error` function. If the validator sees, that a `Claims` struct
103implements this interface, the errors returned to the `Validate` function will
104be *appended* to the regular standard validation. It is not possible to disable
105the standard validation anymore (even only by accident).
106
107Usage examples can be found in [example_test.go](./example_test.go), to build
108claims structs like the following.
109
110```go
111// MyCustomClaims includes all registered claims, plus Foo.
112type MyCustomClaims struct {
113 Foo string `json:"foo"`
114 jwt.RegisteredClaims
115}
116
117// Validate can be used to execute additional application-specific claims
118// validation.
119func (m MyCustomClaims) Validate() error {
120 if m.Foo != "bar" {
121 return errors.New("must be foobar")
122 }
123
124 return nil
125}
126```
127
128## Changes to the `Token` and `Parser` struct
129
130The previously global functions `DecodeSegment` and `EncodeSegment` were moved
131to the `Parser` and `Token` struct respectively. This will allow us in the
132future to configure the behavior of these two based on options supplied on the
133parser or the token (creation). This also removes two previously global
134variables and moves them to parser options `WithStrictDecoding` and
135`WithPaddingAllowed`.
136
137In order to do that, we had to adjust the way signing methods work. Previously
138they were given a base64 encoded signature in `Verify` and were expected to
139return a base64 encoded version of the signature in `Sign`, both as a `string`.
140However, this made it necessary to have `DecodeSegment` and `EncodeSegment`
141global and was a less than perfect design because we were repeating
142encoding/decoding steps for all signing methods. Now, `Sign` and `Verify`
143operate on a decoded signature as a `[]byte`, which feels more natural for a
144cryptographic operation anyway. Lastly, `Parse` and `SignedString` take care of
145the final encoding/decoding part.
146
147In addition to that, we also changed the `Signature` field on `Token` from a
148`string` to `[]byte` and this is also now populated with the decoded form. This
149is also more consistent, because the other parts of the JWT, mainly `Header` and
150`Claims` were already stored in decoded form in `Token`. Only the signature was
151stored in base64 encoded form, which was redundant with the information in the
152`Raw` field, which contains the complete token as base64.
153
154```go
155type Token struct {
156 Raw string // Raw contains the raw token
157 Method SigningMethod // Method is the signing method used or to be used
158 Header map[string]interface{} // Header is the first segment of the token in decoded form
159 Claims Claims // Claims is the second segment of the token in decoded form
160 Signature []byte // Signature is the third segment of the token in decoded form
161 Valid bool // Valid specifies if the token is valid
162}
163```
164
165Most (if not all) of these changes should not impact the normal usage of this
166library. Only users directly accessing the `Signature` field as well as
167developers of custom signing methods should be affected.
168
169# Migration Guide (v4.0.0)
170
171Starting from [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0),
172the import path will be:
173
174 "github.com/golang-jwt/jwt/v4"
175
176The `/v4` version will be backwards compatible with existing `v3.x.y` tags in
177this repo, as well as `github.com/dgrijalva/jwt-go`. For most users this should
178be a drop-in replacement, if you're having troubles migrating, please open an
179issue.
180
181You can replace all occurrences of `github.com/dgrijalva/jwt-go` or
182`github.com/golang-jwt/jwt` with `github.com/golang-jwt/jwt/v4`, either manually
183or by using tools such as `sed` or `gofmt`.
184
185And then you'd typically run:
186
187```
188go get github.com/golang-jwt/jwt/v4
189go mod tidy
190```
191
192# Older releases (before v3.2.0)
193
194The original migration guide for older releases can be found at
195https://github.com/dgrijalva/jwt-go/blob/master/MIGRATION_GUIDE.md.
diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md
new file mode 100644
index 0000000..964598a
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
@@ -0,0 +1,167 @@
1# jwt-go
2
3[![build](https://github.com/golang-jwt/jwt/actions/workflows/build.yml/badge.svg)](https://github.com/golang-jwt/jwt/actions/workflows/build.yml)
4[![Go
5Reference](https://pkg.go.dev/badge/github.com/golang-jwt/jwt/v5.svg)](https://pkg.go.dev/github.com/golang-jwt/jwt/v5)
6[![Coverage Status](https://coveralls.io/repos/github/golang-jwt/jwt/badge.svg?branch=main)](https://coveralls.io/github/golang-jwt/jwt?branch=main)
7
8A [go](http://www.golang.org) (or 'golang' for search engine friendliness)
9implementation of [JSON Web
10Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
11
12Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
13this project adds Go module support, but maintains backwards compatibility with
14older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
15[`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
16v5.0.0 introduces major improvements to the validation of tokens, but is not
17entirely backwards compatible.
18
19> After the original author of the library suggested migrating the maintenance
20> of `jwt-go`, a dedicated team of open source maintainers decided to clone the
21> existing library into this repository. See
22> [dgrijalva/jwt-go#462](https://github.com/dgrijalva/jwt-go/issues/462) for a
23> detailed discussion on this topic.
24
25
26**SECURITY NOTICE:** Some older versions of Go have a security issue in the
27crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue
28[dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
29detail.
30
31**SECURITY NOTICE:** It's important that you [validate the `alg` presented is
32what you
33expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
34This library attempts to make it easy to do the right thing by requiring key
35types match the expected alg, but you should take the extra step to verify it in
36your usage. See the examples provided.
37
38### Supported Go versions
39
40Our support of Go versions is aligned with Go's [version release
41policy](https://golang.org/doc/devel/release#policy). So we will support a major
42version of Go until there are two newer major releases. We no longer support
43building jwt-go with unsupported Go versions, as these contain security
44vulnerabilities which will not be fixed.
45
46## What the heck is a JWT?
47
48JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web
49Tokens.
50
51In short, it's a signed JSON object that does something useful (for example,
52authentication). It's commonly used for `Bearer` tokens in Oauth 2. A token is
53made of three parts, separated by `.`'s. The first two parts are JSON objects,
54that have been [base64url](https://datatracker.ietf.org/doc/html/rfc4648)
55encoded. The last part is the signature, encoded the same way.
56
57The first part is called the header. It contains the necessary information for
58verifying the last part, the signature. For example, which encryption method
59was used for signing and what key was used.
60
61The part in the middle is the interesting bit. It's called the Claims and
62contains the actual stuff you care about. Refer to [RFC
637519](https://datatracker.ietf.org/doc/html/rfc7519) for information about
64reserved keys and the proper way to add your own.
65
66## What's in the box?
67
68This library supports the parsing and verification as well as the generation and
69signing of JWTs. Current supported signing algorithms are HMAC SHA, RSA,
70RSA-PSS, and ECDSA, though hooks are present for adding your own.
71
72## Installation Guidelines
73
741. To install the jwt package, you first need to have
75 [Go](https://go.dev/doc/install) installed, then you can use the command
76 below to add `jwt-go` as a dependency in your Go program.
77
78```sh
79go get -u github.com/golang-jwt/jwt/v5
80```
81
822. Import it in your code:
83
84```go
85import "github.com/golang-jwt/jwt/v5"
86```
87
88## Usage
89
90A detailed usage guide, including how to sign and verify tokens can be found on
91our [documentation website](https://golang-jwt.github.io/jwt/usage/create/).
92
93## Examples
94
95See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v5)
96for examples of usage:
97
98* [Simple example of parsing and validating a
99 token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-Parse-Hmac)
100* [Simple example of building and signing a
101 token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-New-Hmac)
102* [Directory of
103 Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#pkg-examples)
104
105## Compliance
106
107This library was last reviewed to comply with [RFC
1087519](https://datatracker.ietf.org/doc/html/rfc7519) dated May 2015 with a few
109notable differences:
110
111* In order to protect against accidental use of [Unsecured
112 JWTs](https://datatracker.ietf.org/doc/html/rfc7519#section-6), tokens using
113 `alg=none` will only be accepted if the constant
114 `jwt.UnsafeAllowNoneSignatureType` is provided as the key.
115
116## Project Status & Versioning
117
118This library is considered production ready. Feedback and feature requests are
119appreciated. The API should be considered stable. There should be very few
120backwards-incompatible changes outside of major version updates (and only with
121good reason).
122
123This project uses [Semantic Versioning 2.0.0](http://semver.org). Accepted pull
124requests will land on `main`. Periodically, versions will be tagged from
125`main`. You can find all the releases on [the project releases
126page](https://github.com/golang-jwt/jwt/releases).
127
128**BREAKING CHANGES:*** A full list of breaking changes is available in
129`VERSION_HISTORY.md`. See `MIGRATION_GUIDE.md` for more information on updating
130your code.
131
132## Extensions
133
134This library publishes all the necessary components for adding your own signing
135methods or key functions. Simply implement the `SigningMethod` interface and
136register a factory method using `RegisterSigningMethod` or provide a
137`jwt.Keyfunc`.
138
139A common use case would be integrating with different 3rd party signature
140providers, like key management services from various cloud providers or Hardware
141Security Modules (HSMs) or to implement additional standards.
142
143| Extension | Purpose | Repo |
144| --------- | -------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
145| GCP | Integrates with multiple Google Cloud Platform signing tools (AppEngine, IAM API, Cloud KMS) | https://github.com/someone1/gcp-jwt-go |
146| AWS | Integrates with AWS Key Management Service, KMS | https://github.com/matelang/jwt-go-aws-kms |
147| JWKS | Provides support for JWKS ([RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517)) as a `jwt.Keyfunc` | https://github.com/MicahParks/keyfunc |
148
149*Disclaimer*: Unless otherwise specified, these integrations are maintained by
150third parties and should not be considered as a primary offer by any of the
151mentioned cloud providers
152
153## More
154
155Go package documentation can be found [on
156pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v5). Additional
157documentation can be found on [our project
158page](https://golang-jwt.github.io/jwt/).
159
160The command line utility included in this project (cmd/jwt) provides a
161straightforward example of token creation and parsing as well as a useful tool
162for debugging your own integration. You'll also find several implementation
163examples in the documentation.
164
165[golang-jwt](https://github.com/orgs/golang-jwt) incorporates a modified version
166of the JWT logo, which is distributed under the terms of the [MIT
167License](https://github.com/jsonwebtoken/jsonwebtoken.github.io/blob/master/LICENSE.txt).
diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
new file mode 100644
index 0000000..b08402c
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
@@ -0,0 +1,19 @@
1# Security Policy
2
3## Supported Versions
4
5As of February 2022 (and until this document is updated), the latest version `v4` is supported.
6
7## Reporting a Vulnerability
8
9If you think you found a vulnerability, and even if you are not sure, please report it to [email protected] or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s).
10
11You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
12
13## Public Discussions
14
15Please avoid publicly discussing a potential security vulnerability.
16
17Let's take this offline and find a solution first, this limits the potential impact as much as possible.
18
19We appreciate your help!
diff --git a/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md b/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
new file mode 100644
index 0000000..b5039e4
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
@@ -0,0 +1,137 @@
1# `jwt-go` Version History
2
3The following version history is kept for historic purposes. To retrieve the current changes of each version, please refer to the change-log of the specific release versions on https://github.com/golang-jwt/jwt/releases.
4
5## 4.0.0
6
7* Introduces support for Go modules. The `v4` version will be backwards compatible with `v3.x.y`.
8
9## 3.2.2
10
11* Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 ([#28](https://github.com/golang-jwt/jwt/pull/28)).
12* Fixed a potential issue that could occur when the verification of `exp`, `iat` or `nbf` was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork ([#40](https://github.com/golang-jwt/jwt/pull/40)).
13* Added support for EdDSA / ED25519 ([#36](https://github.com/golang-jwt/jwt/pull/36)).
14* Optimized allocations ([#33](https://github.com/golang-jwt/jwt/pull/33)).
15
16## 3.2.1
17
18* **Import Path Change**: See MIGRATION_GUIDE.md for tips on updating your code
19 * Changed the import path from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt`
20* Fixed type confusing issue between `string` and `[]string` in `VerifyAudience` ([#12](https://github.com/golang-jwt/jwt/pull/12)). This fixes CVE-2020-26160
21
22#### 3.2.0
23
24* Added method `ParseUnverified` to allow users to split up the tasks of parsing and validation
25* HMAC signing method returns `ErrInvalidKeyType` instead of `ErrInvalidKey` where appropriate
26* Added options to `request.ParseFromRequest`, which allows for an arbitrary list of modifiers to parsing behavior. Initial set include `WithClaims` and `WithParser`. Existing usage of this function will continue to work as before.
27* Deprecated `ParseFromRequestWithClaims` to simplify API in the future.
28
29#### 3.1.0
30
31* Improvements to `jwt` command line tool
32* Added `SkipClaimsValidation` option to `Parser`
33* Documentation updates
34
35#### 3.0.0
36
37* **Compatibility Breaking Changes**: See MIGRATION_GUIDE.md for tips on updating your code
38 * Dropped support for `[]byte` keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
39 * `ParseFromRequest` has been moved to `request` subpackage and usage has changed
40 * The `Claims` property on `Token` is now type `Claims` instead of `map[string]interface{}`. The default value is type `MapClaims`, which is an alias to `map[string]interface{}`. This makes it possible to use a custom type when decoding claims.
41* Other Additions and Changes
42 * Added `Claims` interface type to allow users to decode the claims into a custom type
43 * Added `ParseWithClaims`, which takes a third argument of type `Claims`. Use this function instead of `Parse` if you have a custom type you'd like to decode into.
44 * Dramatically improved the functionality and flexibility of `ParseFromRequest`, which is now in the `request` subpackage
45 * Added `ParseFromRequestWithClaims` which is the `FromRequest` equivalent of `ParseWithClaims`
46 * Added new interface type `Extractor`, which is used for extracting JWT strings from http requests. Used with `ParseFromRequest` and `ParseFromRequestWithClaims`.
47 * Added several new, more specific, validation errors to error type bitmask
48 * Moved examples from README to executable example files
49 * Signing method registry is now thread safe
50 * Added new property to `ValidationError`, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
51
52#### 2.7.0
53
54This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.
55
56* Added new option `-show` to the `jwt` command that will just output the decoded token without verifying
57* Error text for expired tokens includes how long it's been expired
58* Fixed incorrect error returned from `ParseRSAPublicKeyFromPEM`
59* Documentation updates
60
61#### 2.6.0
62
63* Exposed inner error within ValidationError
64* Fixed validation errors when using UseJSONNumber flag
65* Added several unit tests
66
67#### 2.5.0
68
69* Added support for signing method none. You shouldn't use this. The API tries to make this clear.
70* Updated/fixed some documentation
71* Added more helpful error message when trying to parse tokens that begin with `BEARER `
72
73#### 2.4.0
74
75* Added new type, Parser, to allow for configuration of various parsing parameters
76 * You can now specify a list of valid signing methods. Anything outside this set will be rejected.
77 * You can now opt to use the `json.Number` type instead of `float64` when parsing token JSON
78* Added support for [Travis CI](https://travis-ci.org/dgrijalva/jwt-go)
79* Fixed some bugs with ECDSA parsing
80
81#### 2.3.0
82
83* Added support for ECDSA signing methods
84* Added support for RSA PSS signing methods (requires go v1.4)
85
86#### 2.2.0
87
88* Gracefully handle a `nil` `Keyfunc` being passed to `Parse`. Result will now be the parsed token and an error, instead of a panic.
89
90#### 2.1.0
91
92Backwards compatible API change that was missed in 2.0.0.
93
94* The `SignedString` method on `Token` now takes `interface{}` instead of `[]byte`
95
96#### 2.0.0
97
98There were two major reasons for breaking backwards compatibility with this update. The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations. There will likely be no required code changes to support this change.
99
100The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods. Not all keys used for all signing methods have a single standard on-disk representation. Requiring `[]byte` as the type for all keys proved too limiting. Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys. Backwards compatibilty has been maintained for passing `[]byte` to the RSA signing methods, but they will also accept `*rsa.PublicKey` and `*rsa.PrivateKey`.
101
102It is likely the only integration change required here will be to change `func(t *jwt.Token) ([]byte, error)` to `func(t *jwt.Token) (interface{}, error)` when calling `Parse`.
103
104* **Compatibility Breaking Changes**
105 * `SigningMethodHS256` is now `*SigningMethodHMAC` instead of `type struct`
106 * `SigningMethodRS256` is now `*SigningMethodRSA` instead of `type struct`
107 * `KeyFunc` now returns `interface{}` instead of `[]byte`
108 * `SigningMethod.Sign` now takes `interface{}` instead of `[]byte` for the key
109 * `SigningMethod.Verify` now takes `interface{}` instead of `[]byte` for the key
110* Renamed type `SigningMethodHS256` to `SigningMethodHMAC`. Specific sizes are now just instances of this type.
111 * Added public package global `SigningMethodHS256`
112 * Added public package global `SigningMethodHS384`
113 * Added public package global `SigningMethodHS512`
114* Renamed type `SigningMethodRS256` to `SigningMethodRSA`. Specific sizes are now just instances of this type.
115 * Added public package global `SigningMethodRS256`
116 * Added public package global `SigningMethodRS384`
117 * Added public package global `SigningMethodRS512`
118* Moved sample private key for HMAC tests from an inline value to a file on disk. Value is unchanged.
119* Refactored the RSA implementation to be easier to read
120* Exposed helper methods `ParseRSAPrivateKeyFromPEM` and `ParseRSAPublicKeyFromPEM`
121
122## 1.0.2
123
124* Fixed bug in parsing public keys from certificates
125* Added more tests around the parsing of keys for RS256
126* Code refactoring in RS256 implementation. No functional changes
127
128## 1.0.1
129
130* Fixed panic if RS256 signing method was passed an invalid key
131
132## 1.0.0
133
134* First versioned release
135* API stabilized
136* Supports creating, signing, parsing, and validating JWT tokens
137* Supports RS256 and HS256 signing methods
diff --git a/vendor/github.com/golang-jwt/jwt/v5/claims.go b/vendor/github.com/golang-jwt/jwt/v5/claims.go
new file mode 100644
index 0000000..d50ff3d
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/claims.go
@@ -0,0 +1,16 @@
1package jwt
2
3// Claims represent any form of a JWT Claims Set according to
4// https://datatracker.ietf.org/doc/html/rfc7519#section-4. In order to have a
5// common basis for validation, it is required that an implementation is able to
6// supply at least the claim names provided in
7// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1 namely `exp`,
8// `iat`, `nbf`, `iss`, `sub` and `aud`.
9type Claims interface {
10 GetExpirationTime() (*NumericDate, error)
11 GetIssuedAt() (*NumericDate, error)
12 GetNotBefore() (*NumericDate, error)
13 GetIssuer() (string, error)
14 GetSubject() (string, error)
15 GetAudience() (ClaimStrings, error)
16}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/doc.go b/vendor/github.com/golang-jwt/jwt/v5/doc.go
new file mode 100644
index 0000000..a86dc1a
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/doc.go
@@ -0,0 +1,4 @@
1// Package jwt is a Go implementation of JSON Web Tokens: http://self-issued.info/docs/draft-jones-json-web-token.html
2//
3// See README.md for more info.
4package jwt
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
new file mode 100644
index 0000000..ca85659
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
@@ -0,0 +1,134 @@
1package jwt
2
3import (
4 "crypto"
5 "crypto/ecdsa"
6 "crypto/rand"
7 "errors"
8 "math/big"
9)
10
11var (
12 // Sadly this is missing from crypto/ecdsa compared to crypto/rsa
13 ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")
14)
15
16// SigningMethodECDSA implements the ECDSA family of signing methods.
17// Expects *ecdsa.PrivateKey for signing and *ecdsa.PublicKey for verification
18type SigningMethodECDSA struct {
19 Name string
20 Hash crypto.Hash
21 KeySize int
22 CurveBits int
23}
24
25// Specific instances for EC256 and company
26var (
27 SigningMethodES256 *SigningMethodECDSA
28 SigningMethodES384 *SigningMethodECDSA
29 SigningMethodES512 *SigningMethodECDSA
30)
31
32func init() {
33 // ES256
34 SigningMethodES256 = &SigningMethodECDSA{"ES256", crypto.SHA256, 32, 256}
35 RegisterSigningMethod(SigningMethodES256.Alg(), func() SigningMethod {
36 return SigningMethodES256
37 })
38
39 // ES384
40 SigningMethodES384 = &SigningMethodECDSA{"ES384", crypto.SHA384, 48, 384}
41 RegisterSigningMethod(SigningMethodES384.Alg(), func() SigningMethod {
42 return SigningMethodES384
43 })
44
45 // ES512
46 SigningMethodES512 = &SigningMethodECDSA{"ES512", crypto.SHA512, 66, 521}
47 RegisterSigningMethod(SigningMethodES512.Alg(), func() SigningMethod {
48 return SigningMethodES512
49 })
50}
51
52func (m *SigningMethodECDSA) Alg() string {
53 return m.Name
54}
55
56// Verify implements token verification for the SigningMethod.
57// For this verify method, key must be an ecdsa.PublicKey struct
58func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interface{}) error {
59 // Get the key
60 var ecdsaKey *ecdsa.PublicKey
61 switch k := key.(type) {
62 case *ecdsa.PublicKey:
63 ecdsaKey = k
64 default:
65 return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType)
66 }
67
68 if len(sig) != 2*m.KeySize {
69 return ErrECDSAVerification
70 }
71
72 r := big.NewInt(0).SetBytes(sig[:m.KeySize])
73 s := big.NewInt(0).SetBytes(sig[m.KeySize:])
74
75 // Create hasher
76 if !m.Hash.Available() {
77 return ErrHashUnavailable
78 }
79 hasher := m.Hash.New()
80 hasher.Write([]byte(signingString))
81
82 // Verify the signature
83 if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus {
84 return nil
85 }
86
87 return ErrECDSAVerification
88}
89
90// Sign implements token signing for the SigningMethod.
91// For this signing method, key must be an ecdsa.PrivateKey struct
92func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte, error) {
93 // Get the key
94 var ecdsaKey *ecdsa.PrivateKey
95 switch k := key.(type) {
96 case *ecdsa.PrivateKey:
97 ecdsaKey = k
98 default:
99 return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType)
100 }
101
102 // Create the hasher
103 if !m.Hash.Available() {
104 return nil, ErrHashUnavailable
105 }
106
107 hasher := m.Hash.New()
108 hasher.Write([]byte(signingString))
109
110 // Sign the string and return r, s
111 if r, s, err := ecdsa.Sign(rand.Reader, ecdsaKey, hasher.Sum(nil)); err == nil {
112 curveBits := ecdsaKey.Curve.Params().BitSize
113
114 if m.CurveBits != curveBits {
115 return nil, ErrInvalidKey
116 }
117
118 keyBytes := curveBits / 8
119 if curveBits%8 > 0 {
120 keyBytes += 1
121 }
122
123 // We serialize the outputs (r and s) into big-endian byte arrays
124 // padded with zeros on the left to make sure the sizes work out.
125 // Output must be 2*keyBytes long.
126 out := make([]byte, 2*keyBytes)
127 r.FillBytes(out[0:keyBytes]) // r is assigned to the first half of output.
128 s.FillBytes(out[keyBytes:]) // s is assigned to the second half of output.
129
130 return out, nil
131 } else {
132 return nil, err
133 }
134}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
new file mode 100644
index 0000000..5700636
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
@@ -0,0 +1,69 @@
1package jwt
2
3import (
4 "crypto/ecdsa"
5 "crypto/x509"
6 "encoding/pem"
7 "errors"
8)
9
10var (
11 ErrNotECPublicKey = errors.New("key is not a valid ECDSA public key")
12 ErrNotECPrivateKey = errors.New("key is not a valid ECDSA private key")
13)
14
15// ParseECPrivateKeyFromPEM parses a PEM encoded Elliptic Curve Private Key Structure
16func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) {
17 var err error
18
19 // Parse PEM block
20 var block *pem.Block
21 if block, _ = pem.Decode(key); block == nil {
22 return nil, ErrKeyMustBePEMEncoded
23 }
24
25 // Parse the key
26 var parsedKey interface{}
27 if parsedKey, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
28 if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
29 return nil, err
30 }
31 }
32
33 var pkey *ecdsa.PrivateKey
34 var ok bool
35 if pkey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
36 return nil, ErrNotECPrivateKey
37 }
38
39 return pkey, nil
40}
41
42// ParseECPublicKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 public key
43func ParseECPublicKeyFromPEM(key []byte) (*ecdsa.PublicKey, error) {
44 var err error
45
46 // Parse PEM block
47 var block *pem.Block
48 if block, _ = pem.Decode(key); block == nil {
49 return nil, ErrKeyMustBePEMEncoded
50 }
51
52 // Parse the key
53 var parsedKey interface{}
54 if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
55 if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
56 parsedKey = cert.PublicKey
57 } else {
58 return nil, err
59 }
60 }
61
62 var pkey *ecdsa.PublicKey
63 var ok bool
64 if pkey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
65 return nil, ErrNotECPublicKey
66 }
67
68 return pkey, nil
69}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ed25519.go b/vendor/github.com/golang-jwt/jwt/v5/ed25519.go
new file mode 100644
index 0000000..c213811
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ed25519.go
@@ -0,0 +1,79 @@
1package jwt
2
3import (
4 "crypto"
5 "crypto/ed25519"
6 "crypto/rand"
7 "errors"
8)
9
10var (
11 ErrEd25519Verification = errors.New("ed25519: verification error")
12)
13
14// SigningMethodEd25519 implements the EdDSA family.
15// Expects ed25519.PrivateKey for signing and ed25519.PublicKey for verification
16type SigningMethodEd25519 struct{}
17
18// Specific instance for EdDSA
19var (
20 SigningMethodEdDSA *SigningMethodEd25519
21)
22
23func init() {
24 SigningMethodEdDSA = &SigningMethodEd25519{}
25 RegisterSigningMethod(SigningMethodEdDSA.Alg(), func() SigningMethod {
26 return SigningMethodEdDSA
27 })
28}
29
30func (m *SigningMethodEd25519) Alg() string {
31 return "EdDSA"
32}
33
34// Verify implements token verification for the SigningMethod.
35// For this verify method, key must be an ed25519.PublicKey
36func (m *SigningMethodEd25519) Verify(signingString string, sig []byte, key interface{}) error {
37 var ed25519Key ed25519.PublicKey
38 var ok bool
39
40 if ed25519Key, ok = key.(ed25519.PublicKey); !ok {
41 return newError("Ed25519 verify expects ed25519.PublicKey", ErrInvalidKeyType)
42 }
43
44 if len(ed25519Key) != ed25519.PublicKeySize {
45 return ErrInvalidKey
46 }
47
48 // Verify the signature
49 if !ed25519.Verify(ed25519Key, []byte(signingString), sig) {
50 return ErrEd25519Verification
51 }
52
53 return nil
54}
55
56// Sign implements token signing for the SigningMethod.
57// For this signing method, key must be an ed25519.PrivateKey
58func (m *SigningMethodEd25519) Sign(signingString string, key interface{}) ([]byte, error) {
59 var ed25519Key crypto.Signer
60 var ok bool
61
62 if ed25519Key, ok = key.(crypto.Signer); !ok {
63 return nil, newError("Ed25519 sign expects crypto.Signer", ErrInvalidKeyType)
64 }
65
66 if _, ok := ed25519Key.Public().(ed25519.PublicKey); !ok {
67 return nil, ErrInvalidKey
68 }
69
70 // Sign the string and return the result. ed25519 performs a two-pass hash
71 // as part of its algorithm. Therefore, we need to pass a non-prehashed
72 // message into the Sign function, as indicated by crypto.Hash(0)
73 sig, err := ed25519Key.Sign(rand.Reader, []byte(signingString), crypto.Hash(0))
74 if err != nil {
75 return nil, err
76 }
77
78 return sig, nil
79}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go b/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
new file mode 100644
index 0000000..cdb5e68
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
@@ -0,0 +1,64 @@
1package jwt
2
3import (
4 "crypto"
5 "crypto/ed25519"
6 "crypto/x509"
7 "encoding/pem"
8 "errors"
9)
10
11var (
12 ErrNotEdPrivateKey = errors.New("key is not a valid Ed25519 private key")
13 ErrNotEdPublicKey = errors.New("key is not a valid Ed25519 public key")
14)
15
16// ParseEdPrivateKeyFromPEM parses a PEM-encoded Edwards curve private key
17func ParseEdPrivateKeyFromPEM(key []byte) (crypto.PrivateKey, error) {
18 var err error
19
20 // Parse PEM block
21 var block *pem.Block
22 if block, _ = pem.Decode(key); block == nil {
23 return nil, ErrKeyMustBePEMEncoded
24 }
25
26 // Parse the key
27 var parsedKey interface{}
28 if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
29 return nil, err
30 }
31
32 var pkey ed25519.PrivateKey
33 var ok bool
34 if pkey, ok = parsedKey.(ed25519.PrivateKey); !ok {
35 return nil, ErrNotEdPrivateKey
36 }
37
38 return pkey, nil
39}
40
41// ParseEdPublicKeyFromPEM parses a PEM-encoded Edwards curve public key
42func ParseEdPublicKeyFromPEM(key []byte) (crypto.PublicKey, error) {
43 var err error
44
45 // Parse PEM block
46 var block *pem.Block
47 if block, _ = pem.Decode(key); block == nil {
48 return nil, ErrKeyMustBePEMEncoded
49 }
50
51 // Parse the key
52 var parsedKey interface{}
53 if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
54 return nil, err
55 }
56
57 var pkey ed25519.PublicKey
58 var ok bool
59 if pkey, ok = parsedKey.(ed25519.PublicKey); !ok {
60 return nil, ErrNotEdPublicKey
61 }
62
63 return pkey, nil
64}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/errors.go b/vendor/github.com/golang-jwt/jwt/v5/errors.go
new file mode 100644
index 0000000..23bb616
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/errors.go
@@ -0,0 +1,49 @@
1package jwt
2
3import (
4 "errors"
5 "strings"
6)
7
8var (
9 ErrInvalidKey = errors.New("key is invalid")
10 ErrInvalidKeyType = errors.New("key is of invalid type")
11 ErrHashUnavailable = errors.New("the requested hash function is unavailable")
12 ErrTokenMalformed = errors.New("token is malformed")
13 ErrTokenUnverifiable = errors.New("token is unverifiable")
14 ErrTokenSignatureInvalid = errors.New("token signature is invalid")
15 ErrTokenRequiredClaimMissing = errors.New("token is missing required claim")
16 ErrTokenInvalidAudience = errors.New("token has invalid audience")
17 ErrTokenExpired = errors.New("token is expired")
18 ErrTokenUsedBeforeIssued = errors.New("token used before issued")
19 ErrTokenInvalidIssuer = errors.New("token has invalid issuer")
20 ErrTokenInvalidSubject = errors.New("token has invalid subject")
21 ErrTokenNotValidYet = errors.New("token is not valid yet")
22 ErrTokenInvalidId = errors.New("token has invalid id")
23 ErrTokenInvalidClaims = errors.New("token has invalid claims")
24 ErrInvalidType = errors.New("invalid type for claim")
25)
26
27// joinedError is an error type that works similar to what [errors.Join]
28// produces, with the exception that it has a nice error string; mainly its
29// error messages are concatenated using a comma, rather than a newline.
30type joinedError struct {
31 errs []error
32}
33
34func (je joinedError) Error() string {
35 msg := []string{}
36 for _, err := range je.errs {
37 msg = append(msg, err.Error())
38 }
39
40 return strings.Join(msg, ", ")
41}
42
43// joinErrors joins together multiple errors. Useful for scenarios where
44// multiple errors next to each other occur, e.g., in claims validation.
45func joinErrors(errs ...error) error {
46 return &joinedError{
47 errs: errs,
48 }
49}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go b/vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go
new file mode 100644
index 0000000..a893d35
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/errors_go1_20.go
@@ -0,0 +1,47 @@
1//go:build go1.20
2// +build go1.20
3
4package jwt
5
6import (
7 "fmt"
8)
9
10// Unwrap implements the multiple error unwrapping for this error type, which is
11// possible in Go 1.20.
12func (je joinedError) Unwrap() []error {
13 return je.errs
14}
15
16// newError creates a new error message with a detailed error message. The
17// message will be prefixed with the contents of the supplied error type.
18// Additionally, more errors, that provide more context can be supplied which
19// will be appended to the message. This makes use of Go 1.20's possibility to
20// include more than one %w formatting directive in [fmt.Errorf].
21//
22// For example,
23//
24// newError("no keyfunc was provided", ErrTokenUnverifiable)
25//
26// will produce the error string
27//
28// "token is unverifiable: no keyfunc was provided"
29func newError(message string, err error, more ...error) error {
30 var format string
31 var args []any
32 if message != "" {
33 format = "%w: %s"
34 args = []any{err, message}
35 } else {
36 format = "%w"
37 args = []any{err}
38 }
39
40 for _, e := range more {
41 format += ": %w"
42 args = append(args, e)
43 }
44
45 err = fmt.Errorf(format, args...)
46 return err
47}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go b/vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go
new file mode 100644
index 0000000..2ad542f
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go
@@ -0,0 +1,78 @@
1//go:build !go1.20
2// +build !go1.20
3
4package jwt
5
6import (
7 "errors"
8 "fmt"
9)
10
11// Is implements checking for multiple errors using [errors.Is], since multiple
12// error unwrapping is not possible in versions less than Go 1.20.
13func (je joinedError) Is(err error) bool {
14 for _, e := range je.errs {
15 if errors.Is(e, err) {
16 return true
17 }
18 }
19
20 return false
21}
22
23// wrappedErrors is a workaround for wrapping multiple errors in environments
24// where Go 1.20 is not available. It basically uses the already implemented
25// functionality of joinedError to handle multiple errors with supplies a
26// custom error message that is identical to the one we produce in Go 1.20 using
27// multiple %w directives.
28type wrappedErrors struct {
29 msg string
30 joinedError
31}
32
33// Error returns the stored error string
34func (we wrappedErrors) Error() string {
35 return we.msg
36}
37
38// newError creates a new error message with a detailed error message. The
39// message will be prefixed with the contents of the supplied error type.
40// Additionally, more errors, that provide more context can be supplied which
41// will be appended to the message. Since we cannot use of Go 1.20's possibility
42// to include more than one %w formatting directive in [fmt.Errorf], we have to
43// emulate that.
44//
45// For example,
46//
47// newError("no keyfunc was provided", ErrTokenUnverifiable)
48//
49// will produce the error string
50//
51// "token is unverifiable: no keyfunc was provided"
52func newError(message string, err error, more ...error) error {
53 // We cannot wrap multiple errors here with %w, so we have to be a little
54 // bit creative. Basically, we are using %s instead of %w to produce the
55 // same error message and then throw the result into a custom error struct.
56 var format string
57 var args []any
58 if message != "" {
59 format = "%s: %s"
60 args = []any{err, message}
61 } else {
62 format = "%s"
63 args = []any{err}
64 }
65 errs := []error{err}
66
67 for _, e := range more {
68 format += ": %s"
69 args = append(args, e)
70 errs = append(errs, e)
71 }
72
73 err = &wrappedErrors{
74 msg: fmt.Sprintf(format, args...),
75 joinedError: joinedError{errs: errs},
76 }
77 return err
78}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
new file mode 100644
index 0000000..96c6272
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
@@ -0,0 +1,104 @@
1package jwt
2
3import (
4 "crypto"
5 "crypto/hmac"
6 "errors"
7)
8
9// SigningMethodHMAC implements the HMAC-SHA family of signing methods.
10// Expects key type of []byte for both signing and validation
11type SigningMethodHMAC struct {
12 Name string
13 Hash crypto.Hash
14}
15
16// Specific instances for HS256 and company
17var (
18 SigningMethodHS256 *SigningMethodHMAC
19 SigningMethodHS384 *SigningMethodHMAC
20 SigningMethodHS512 *SigningMethodHMAC
21 ErrSignatureInvalid = errors.New("signature is invalid")
22)
23
24func init() {
25 // HS256
26 SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
27 RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
28 return SigningMethodHS256
29 })
30
31 // HS384
32 SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
33 RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
34 return SigningMethodHS384
35 })
36
37 // HS512
38 SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
39 RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
40 return SigningMethodHS512
41 })
42}
43
44func (m *SigningMethodHMAC) Alg() string {
45 return m.Name
46}
47
48// Verify implements token verification for the SigningMethod. Returns nil if
49// the signature is valid. Key must be []byte.
50//
51// Note it is not advised to provide a []byte which was converted from a 'human
52// readable' string using a subset of ASCII characters. To maximize entropy, you
53// should ideally be providing a []byte key which was produced from a
54// cryptographically random source, e.g. crypto/rand. Additional information
55// about this, and why we intentionally are not supporting string as a key can
56// be found on our usage guide
57// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types.
58func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interface{}) error {
59 // Verify the key is the right type
60 keyBytes, ok := key.([]byte)
61 if !ok {
62 return newError("HMAC verify expects []byte", ErrInvalidKeyType)
63 }
64
65 // Can we use the specified hashing method?
66 if !m.Hash.Available() {
67 return ErrHashUnavailable
68 }
69
70 // This signing method is symmetric, so we validate the signature
71 // by reproducing the signature from the signing string and key, then
72 // comparing that against the provided signature.
73 hasher := hmac.New(m.Hash.New, keyBytes)
74 hasher.Write([]byte(signingString))
75 if !hmac.Equal(sig, hasher.Sum(nil)) {
76 return ErrSignatureInvalid
77 }
78
79 // No validation errors. Signature is good.
80 return nil
81}
82
83// Sign implements token signing for the SigningMethod. Key must be []byte.
84//
85// Note it is not advised to provide a []byte which was converted from a 'human
86// readable' string using a subset of ASCII characters. To maximize entropy, you
87// should ideally be providing a []byte key which was produced from a
88// cryptographically random source, e.g. crypto/rand. Additional information
89// about this, and why we intentionally are not supporting string as a key can
90// be found on our usage guide https://golang-jwt.github.io/jwt/usage/signing_methods/.
91func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
92 if keyBytes, ok := key.([]byte); ok {
93 if !m.Hash.Available() {
94 return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
95 }
96
97 hasher := hmac.New(m.Hash.New, keyBytes)
98 hasher.Write([]byte(signingString))
99
100 return hasher.Sum(nil), nil
101 }
102
103 return nil, ErrInvalidKeyType
104}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/map_claims.go b/vendor/github.com/golang-jwt/jwt/v5/map_claims.go
new file mode 100644
index 0000000..b2b51a1
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/map_claims.go
@@ -0,0 +1,109 @@
1package jwt
2
3import (
4 "encoding/json"
5 "fmt"
6)
7
8// MapClaims is a claims type that uses the map[string]interface{} for JSON
9// decoding. This is the default claims type if you don't supply one
10type MapClaims map[string]interface{}
11
12// GetExpirationTime implements the Claims interface.
13func (m MapClaims) GetExpirationTime() (*NumericDate, error) {
14 return m.parseNumericDate("exp")
15}
16
17// GetNotBefore implements the Claims interface.
18func (m MapClaims) GetNotBefore() (*NumericDate, error) {
19 return m.parseNumericDate("nbf")
20}
21
22// GetIssuedAt implements the Claims interface.
23func (m MapClaims) GetIssuedAt() (*NumericDate, error) {
24 return m.parseNumericDate("iat")
25}
26
27// GetAudience implements the Claims interface.
28func (m MapClaims) GetAudience() (ClaimStrings, error) {
29 return m.parseClaimsString("aud")
30}
31
32// GetIssuer implements the Claims interface.
33func (m MapClaims) GetIssuer() (string, error) {
34 return m.parseString("iss")
35}
36
37// GetSubject implements the Claims interface.
38func (m MapClaims) GetSubject() (string, error) {
39 return m.parseString("sub")
40}
41
42// parseNumericDate tries to parse a key in the map claims type as a number
43// date. This will succeed, if the underlying type is either a [float64] or a
44// [json.Number]. Otherwise, nil will be returned.
45func (m MapClaims) parseNumericDate(key string) (*NumericDate, error) {
46 v, ok := m[key]
47 if !ok {
48 return nil, nil
49 }
50
51 switch exp := v.(type) {
52 case float64:
53 if exp == 0 {
54 return nil, nil
55 }
56
57 return newNumericDateFromSeconds(exp), nil
58 case json.Number:
59 v, _ := exp.Float64()
60
61 return newNumericDateFromSeconds(v), nil
62 }
63
64 return nil, newError(fmt.Sprintf("%s is invalid", key), ErrInvalidType)
65}
66
67// parseClaimsString tries to parse a key in the map claims type as a
68// [ClaimsStrings] type, which can either be a string or an array of string.
69func (m MapClaims) parseClaimsString(key string) (ClaimStrings, error) {
70 var cs []string
71 switch v := m[key].(type) {
72 case string:
73 cs = append(cs, v)
74 case []string:
75 cs = v
76 case []interface{}:
77 for _, a := range v {
78 vs, ok := a.(string)
79 if !ok {
80 return nil, newError(fmt.Sprintf("%s is invalid", key), ErrInvalidType)
81 }
82 cs = append(cs, vs)
83 }
84 }
85
86 return cs, nil
87}
88
89// parseString tries to parse a key in the map claims type as a [string] type.
90// If the key does not exist, an empty string is returned. If the key has the
91// wrong type, an error is returned.
92func (m MapClaims) parseString(key string) (string, error) {
93 var (
94 ok bool
95 raw interface{}
96 iss string
97 )
98 raw, ok = m[key]
99 if !ok {
100 return "", nil
101 }
102
103 iss, ok = raw.(string)
104 if !ok {
105 return "", newError(fmt.Sprintf("%s is invalid", key), ErrInvalidType)
106 }
107
108 return iss, nil
109}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/none.go b/vendor/github.com/golang-jwt/jwt/v5/none.go
new file mode 100644
index 0000000..685c2ea
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/none.go
@@ -0,0 +1,50 @@
1package jwt
2
3// SigningMethodNone implements the none signing method. This is required by the spec
4// but you probably should never use it.
5var SigningMethodNone *signingMethodNone
6
7const UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"
8
9var NoneSignatureTypeDisallowedError error
10
11type signingMethodNone struct{}
12type unsafeNoneMagicConstant string
13
14func init() {
15 SigningMethodNone = &signingMethodNone{}
16 NoneSignatureTypeDisallowedError = newError("'none' signature type is not allowed", ErrTokenUnverifiable)
17
18 RegisterSigningMethod(SigningMethodNone.Alg(), func() SigningMethod {
19 return SigningMethodNone
20 })
21}
22
23func (m *signingMethodNone) Alg() string {
24 return "none"
25}
26
27// Only allow 'none' alg type if UnsafeAllowNoneSignatureType is specified as the key
28func (m *signingMethodNone) Verify(signingString string, sig []byte, key interface{}) (err error) {
29 // Key must be UnsafeAllowNoneSignatureType to prevent accidentally
30 // accepting 'none' signing method
31 if _, ok := key.(unsafeNoneMagicConstant); !ok {
32 return NoneSignatureTypeDisallowedError
33 }
34 // If signing method is none, signature must be an empty string
35 if len(sig) != 0 {
36 return newError("'none' signing method with non-empty signature", ErrTokenUnverifiable)
37 }
38
39 // Accept 'none' signing method.
40 return nil
41}
42
43// Only allow 'none' signing if UnsafeAllowNoneSignatureType is specified as the key
44func (m *signingMethodNone) Sign(signingString string, key interface{}) ([]byte, error) {
45 if _, ok := key.(unsafeNoneMagicConstant); ok {
46 return []byte{}, nil
47 }
48
49 return nil, NoneSignatureTypeDisallowedError
50}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
new file mode 100644
index 0000000..ecf99af
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
@@ -0,0 +1,238 @@
1package jwt
2
3import (
4 "bytes"
5 "encoding/base64"
6 "encoding/json"
7 "fmt"
8 "strings"
9)
10
11type Parser struct {
12 // If populated, only these methods will be considered valid.
13 validMethods []string
14
15 // Use JSON Number format in JSON decoder.
16 useJSONNumber bool
17
18 // Skip claims validation during token parsing.
19 skipClaimsValidation bool
20
21 validator *Validator
22
23 decodeStrict bool
24
25 decodePaddingAllowed bool
26}
27
28// NewParser creates a new Parser with the specified options
29func NewParser(options ...ParserOption) *Parser {
30 p := &Parser{
31 validator: &Validator{},
32 }
33
34 // Loop through our parsing options and apply them
35 for _, option := range options {
36 option(p)
37 }
38
39 return p
40}
41
42// Parse parses, validates, verifies the signature and returns the parsed token.
43// keyFunc will receive the parsed token and should return the key for validating.
44func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
45 return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
46}
47
48// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
49// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
50// than the default MapClaims implementation of Claims.
51//
52// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
53// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
54// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
55func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
56 token, parts, err := p.ParseUnverified(tokenString, claims)
57 if err != nil {
58 return token, err
59 }
60
61 // Verify signing method is in the required set
62 if p.validMethods != nil {
63 var signingMethodValid = false
64 var alg = token.Method.Alg()
65 for _, m := range p.validMethods {
66 if m == alg {
67 signingMethodValid = true
68 break
69 }
70 }
71 if !signingMethodValid {
72 // signing method is not in the listed set
73 return token, newError(fmt.Sprintf("signing method %v is invalid", alg), ErrTokenSignatureInvalid)
74 }
75 }
76
77 // Decode signature
78 token.Signature, err = p.DecodeSegment(parts[2])
79 if err != nil {
80 return token, newError("could not base64 decode signature", ErrTokenMalformed, err)
81 }
82 text := strings.Join(parts[0:2], ".")
83
84 // Lookup key(s)
85 if keyFunc == nil {
86 // keyFunc was not provided. short circuiting validation
87 return token, newError("no keyfunc was provided", ErrTokenUnverifiable)
88 }
89
90 got, err := keyFunc(token)
91 if err != nil {
92 return token, newError("error while executing keyfunc", ErrTokenUnverifiable, err)
93 }
94
95 switch have := got.(type) {
96 case VerificationKeySet:
97 if len(have.Keys) == 0 {
98 return token, newError("keyfunc returned empty verification key set", ErrTokenUnverifiable)
99 }
100 // Iterate through keys and verify signature, skipping the rest when a match is found.
101 // Return the last error if no match is found.
102 for _, key := range have.Keys {
103 if err = token.Method.Verify(text, token.Signature, key); err == nil {
104 break
105 }
106 }
107 default:
108 err = token.Method.Verify(text, token.Signature, have)
109 }
110 if err != nil {
111 return token, newError("", ErrTokenSignatureInvalid, err)
112 }
113
114 // Validate Claims
115 if !p.skipClaimsValidation {
116 // Make sure we have at least a default validator
117 if p.validator == nil {
118 p.validator = NewValidator()
119 }
120
121 if err := p.validator.Validate(claims); err != nil {
122 return token, newError("", ErrTokenInvalidClaims, err)
123 }
124 }
125
126 // No errors so far, token is valid.
127 token.Valid = true
128
129 return token, nil
130}
131
132// ParseUnverified parses the token but doesn't validate the signature.
133//
134// WARNING: Don't use this method unless you know what you're doing.
135//
136// It's only ever useful in cases where you know the signature is valid (since it has already
137// been or will be checked elsewhere in the stack) and you want to extract values from it.
138func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
139 parts = strings.Split(tokenString, ".")
140 if len(parts) != 3 {
141 return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
142 }
143
144 token = &Token{Raw: tokenString}
145
146 // parse Header
147 var headerBytes []byte
148 if headerBytes, err = p.DecodeSegment(parts[0]); err != nil {
149 return token, parts, newError("could not base64 decode header", ErrTokenMalformed, err)
150 }
151 if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
152 return token, parts, newError("could not JSON decode header", ErrTokenMalformed, err)
153 }
154
155 // parse Claims
156 token.Claims = claims
157
158 claimBytes, err := p.DecodeSegment(parts[1])
159 if err != nil {
160 return token, parts, newError("could not base64 decode claim", ErrTokenMalformed, err)
161 }
162
163 // If `useJSONNumber` is enabled then we must use *json.Decoder to decode
164 // the claims. However, this comes with a performance penalty so only use
165 // it if we must and, otherwise, simple use json.Unmarshal.
166 if !p.useJSONNumber {
167 // JSON Unmarshal. Special case for map type to avoid weird pointer behavior.
168 if c, ok := token.Claims.(MapClaims); ok {
169 err = json.Unmarshal(claimBytes, &c)
170 } else {
171 err = json.Unmarshal(claimBytes, &claims)
172 }
173 } else {
174 dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
175 dec.UseNumber()
176 // JSON Decode. Special case for map type to avoid weird pointer behavior.
177 if c, ok := token.Claims.(MapClaims); ok {
178 err = dec.Decode(&c)
179 } else {
180 err = dec.Decode(&claims)
181 }
182 }
183 if err != nil {
184 return token, parts, newError("could not JSON decode claim", ErrTokenMalformed, err)
185 }
186
187 // Lookup signature method
188 if method, ok := token.Header["alg"].(string); ok {
189 if token.Method = GetSigningMethod(method); token.Method == nil {
190 return token, parts, newError("signing method (alg) is unavailable", ErrTokenUnverifiable)
191 }
192 } else {
193 return token, parts, newError("signing method (alg) is unspecified", ErrTokenUnverifiable)
194 }
195
196 return token, parts, nil
197}
198
199// DecodeSegment decodes a JWT specific base64url encoding. This function will
200// take into account whether the [Parser] is configured with additional options,
201// such as [WithStrictDecoding] or [WithPaddingAllowed].
202func (p *Parser) DecodeSegment(seg string) ([]byte, error) {
203 encoding := base64.RawURLEncoding
204
205 if p.decodePaddingAllowed {
206 if l := len(seg) % 4; l > 0 {
207 seg += strings.Repeat("=", 4-l)
208 }
209 encoding = base64.URLEncoding
210 }
211
212 if p.decodeStrict {
213 encoding = encoding.Strict()
214 }
215 return encoding.DecodeString(seg)
216}
217
218// Parse parses, validates, verifies the signature and returns the parsed token.
219// keyFunc will receive the parsed token and should return the cryptographic key
220// for verifying the signature. The caller is strongly encouraged to set the
221// WithValidMethods option to validate the 'alg' claim in the token matches the
222// expected algorithm. For more details about the importance of validating the
223// 'alg' claim, see
224// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
225func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
226 return NewParser(options...).Parse(tokenString, keyFunc)
227}
228
229// ParseWithClaims is a shortcut for NewParser().ParseWithClaims().
230//
231// Note: If you provide a custom claim implementation that embeds one of the
232// standard claims (such as RegisteredClaims), make sure that a) you either
233// embed a non-pointer version of the claims or b) if you are using a pointer,
234// allocate the proper memory for it before passing in the overall claims,
235// otherwise you might run into a panic.
236func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
237 return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc)
238}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser_option.go b/vendor/github.com/golang-jwt/jwt/v5/parser_option.go
new file mode 100644
index 0000000..88a780f
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser_option.go
@@ -0,0 +1,128 @@
1package jwt
2
3import "time"
4
5// ParserOption is used to implement functional-style options that modify the
6// behavior of the parser. To add new options, just create a function (ideally
7// beginning with With or Without) that returns an anonymous function that takes
8// a *Parser type as input and manipulates its configuration accordingly.
9type ParserOption func(*Parser)
10
11// WithValidMethods is an option to supply algorithm methods that the parser
12// will check. Only those methods will be considered valid. It is heavily
13// encouraged to use this option in order to prevent attacks such as
14// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
15func WithValidMethods(methods []string) ParserOption {
16 return func(p *Parser) {
17 p.validMethods = methods
18 }
19}
20
21// WithJSONNumber is an option to configure the underlying JSON parser with
22// UseNumber.
23func WithJSONNumber() ParserOption {
24 return func(p *Parser) {
25 p.useJSONNumber = true
26 }
27}
28
29// WithoutClaimsValidation is an option to disable claims validation. This
30// option should only be used if you exactly know what you are doing.
31func WithoutClaimsValidation() ParserOption {
32 return func(p *Parser) {
33 p.skipClaimsValidation = true
34 }
35}
36
37// WithLeeway returns the ParserOption for specifying the leeway window.
38func WithLeeway(leeway time.Duration) ParserOption {
39 return func(p *Parser) {
40 p.validator.leeway = leeway
41 }
42}
43
44// WithTimeFunc returns the ParserOption for specifying the time func. The
45// primary use-case for this is testing. If you are looking for a way to account
46// for clock-skew, WithLeeway should be used instead.
47func WithTimeFunc(f func() time.Time) ParserOption {
48 return func(p *Parser) {
49 p.validator.timeFunc = f
50 }
51}
52
53// WithIssuedAt returns the ParserOption to enable verification
54// of issued-at.
55func WithIssuedAt() ParserOption {
56 return func(p *Parser) {
57 p.validator.verifyIat = true
58 }
59}
60
61// WithExpirationRequired returns the ParserOption to make exp claim required.
62// By default exp claim is optional.
63func WithExpirationRequired() ParserOption {
64 return func(p *Parser) {
65 p.validator.requireExp = true
66 }
67}
68
69// WithAudience configures the validator to require the specified audience in
70// the `aud` claim. Validation will fail if the audience is not listed in the
71// token or the `aud` claim is missing.
72//
73// NOTE: While the `aud` claim is OPTIONAL in a JWT, the handling of it is
74// application-specific. Since this validation API is helping developers in
75// writing secure application, we decided to REQUIRE the existence of the claim,
76// if an audience is expected.
77func WithAudience(aud string) ParserOption {
78 return func(p *Parser) {
79 p.validator.expectedAud = aud
80 }
81}
82
83// WithIssuer configures the validator to require the specified issuer in the
84// `iss` claim. Validation will fail if a different issuer is specified in the
85// token or the `iss` claim is missing.
86//
87// NOTE: While the `iss` claim is OPTIONAL in a JWT, the handling of it is
88// application-specific. Since this validation API is helping developers in
89// writing secure application, we decided to REQUIRE the existence of the claim,
90// if an issuer is expected.
91func WithIssuer(iss string) ParserOption {
92 return func(p *Parser) {
93 p.validator.expectedIss = iss
94 }
95}
96
97// WithSubject configures the validator to require the specified subject in the
98// `sub` claim. Validation will fail if a different subject is specified in the
99// token or the `sub` claim is missing.
100//
101// NOTE: While the `sub` claim is OPTIONAL in a JWT, the handling of it is
102// application-specific. Since this validation API is helping developers in
103// writing secure application, we decided to REQUIRE the existence of the claim,
104// if a subject is expected.
105func WithSubject(sub string) ParserOption {
106 return func(p *Parser) {
107 p.validator.expectedSub = sub
108 }
109}
110
111// WithPaddingAllowed will enable the codec used for decoding JWTs to allow
112// padding. Note that the JWS RFC7515 states that the tokens will utilize a
113// Base64url encoding with no padding. Unfortunately, some implementations of
114// JWT are producing non-standard tokens, and thus require support for decoding.
115func WithPaddingAllowed() ParserOption {
116 return func(p *Parser) {
117 p.decodePaddingAllowed = true
118 }
119}
120
121// WithStrictDecoding will switch the codec used for decoding JWTs into strict
122// mode. In this mode, the decoder requires that trailing padding bits are zero,
123// as described in RFC 4648 section 3.5.
124func WithStrictDecoding() ParserOption {
125 return func(p *Parser) {
126 p.decodeStrict = true
127 }
128}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/registered_claims.go b/vendor/github.com/golang-jwt/jwt/v5/registered_claims.go
new file mode 100644
index 0000000..77951a5
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/registered_claims.go
@@ -0,0 +1,63 @@
1package jwt
2
3// RegisteredClaims are a structured version of the JWT Claims Set,
4// restricted to Registered Claim Names, as referenced at
5// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
6//
7// This type can be used on its own, but then additional private and
8// public claims embedded in the JWT will not be parsed. The typical use-case
9// therefore is to embedded this in a user-defined claim type.
10//
11// See examples for how to use this with your own claim types.
12type RegisteredClaims struct {
13 // the `iss` (Issuer) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
14 Issuer string `json:"iss,omitempty"`
15
16 // the `sub` (Subject) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
17 Subject string `json:"sub,omitempty"`
18
19 // the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
20 Audience ClaimStrings `json:"aud,omitempty"`
21
22 // the `exp` (Expiration Time) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
23 ExpiresAt *NumericDate `json:"exp,omitempty"`
24
25 // the `nbf` (Not Before) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
26 NotBefore *NumericDate `json:"nbf,omitempty"`
27
28 // the `iat` (Issued At) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
29 IssuedAt *NumericDate `json:"iat,omitempty"`
30
31 // the `jti` (JWT ID) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7
32 ID string `json:"jti,omitempty"`
33}
34
35// GetExpirationTime implements the Claims interface.
36func (c RegisteredClaims) GetExpirationTime() (*NumericDate, error) {
37 return c.ExpiresAt, nil
38}
39
40// GetNotBefore implements the Claims interface.
41func (c RegisteredClaims) GetNotBefore() (*NumericDate, error) {
42 return c.NotBefore, nil
43}
44
45// GetIssuedAt implements the Claims interface.
46func (c RegisteredClaims) GetIssuedAt() (*NumericDate, error) {
47 return c.IssuedAt, nil
48}
49
50// GetAudience implements the Claims interface.
51func (c RegisteredClaims) GetAudience() (ClaimStrings, error) {
52 return c.Audience, nil
53}
54
55// GetIssuer implements the Claims interface.
56func (c RegisteredClaims) GetIssuer() (string, error) {
57 return c.Issuer, nil
58}
59
60// GetSubject implements the Claims interface.
61func (c RegisteredClaims) GetSubject() (string, error) {
62 return c.Subject, nil
63}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/rsa.go b/vendor/github.com/golang-jwt/jwt/v5/rsa.go
new file mode 100644
index 0000000..83cbee6
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa.go
@@ -0,0 +1,93 @@
1package jwt
2
3import (
4 "crypto"
5 "crypto/rand"
6 "crypto/rsa"
7)
8
9// SigningMethodRSA implements the RSA family of signing methods.
10// Expects *rsa.PrivateKey for signing and *rsa.PublicKey for validation
11type SigningMethodRSA struct {
12 Name string
13 Hash crypto.Hash
14}
15
16// Specific instances for RS256 and company
17var (
18 SigningMethodRS256 *SigningMethodRSA
19 SigningMethodRS384 *SigningMethodRSA
20 SigningMethodRS512 *SigningMethodRSA
21)
22
23func init() {
24 // RS256
25 SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}
26 RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {
27 return SigningMethodRS256
28 })
29
30 // RS384
31 SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}
32 RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {
33 return SigningMethodRS384
34 })
35
36 // RS512
37 SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}
38 RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {
39 return SigningMethodRS512
40 })
41}
42
43func (m *SigningMethodRSA) Alg() string {
44 return m.Name
45}
46
47// Verify implements token verification for the SigningMethod
48// For this signing method, must be an *rsa.PublicKey structure.
49func (m *SigningMethodRSA) Verify(signingString string, sig []byte, key interface{}) error {
50 var rsaKey *rsa.PublicKey
51 var ok bool
52
53 if rsaKey, ok = key.(*rsa.PublicKey); !ok {
54 return newError("RSA verify expects *rsa.PublicKey", ErrInvalidKeyType)
55 }
56
57 // Create hasher
58 if !m.Hash.Available() {
59 return ErrHashUnavailable
60 }
61 hasher := m.Hash.New()
62 hasher.Write([]byte(signingString))
63
64 // Verify the signature
65 return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
66}
67
68// Sign implements token signing for the SigningMethod
69// For this signing method, must be an *rsa.PrivateKey structure.
70func (m *SigningMethodRSA) Sign(signingString string, key interface{}) ([]byte, error) {
71 var rsaKey *rsa.PrivateKey
72 var ok bool
73
74 // Validate type of key
75 if rsaKey, ok = key.(*rsa.PrivateKey); !ok {
76 return nil, newError("RSA sign expects *rsa.PrivateKey", ErrInvalidKeyType)
77 }
78
79 // Create the hasher
80 if !m.Hash.Available() {
81 return nil, ErrHashUnavailable
82 }
83
84 hasher := m.Hash.New()
85 hasher.Write([]byte(signingString))
86
87 // Sign the string and return the encoded bytes
88 if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
89 return sigBytes, nil
90 } else {
91 return nil, err
92 }
93}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go b/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
new file mode 100644
index 0000000..28c386e
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
@@ -0,0 +1,135 @@
1//go:build go1.4
2// +build go1.4
3
4package jwt
5
6import (
7 "crypto"
8 "crypto/rand"
9 "crypto/rsa"
10)
11
12// SigningMethodRSAPSS implements the RSAPSS family of signing methods signing methods
13type SigningMethodRSAPSS struct {
14 *SigningMethodRSA
15 Options *rsa.PSSOptions
16 // VerifyOptions is optional. If set overrides Options for rsa.VerifyPPS.
17 // Used to accept tokens signed with rsa.PSSSaltLengthAuto, what doesn't follow
18 // https://tools.ietf.org/html/rfc7518#section-3.5 but was used previously.
19 // See https://github.com/dgrijalva/jwt-go/issues/285#issuecomment-437451244 for details.
20 VerifyOptions *rsa.PSSOptions
21}
22
23// Specific instances for RS/PS and company.
24var (
25 SigningMethodPS256 *SigningMethodRSAPSS
26 SigningMethodPS384 *SigningMethodRSAPSS
27 SigningMethodPS512 *SigningMethodRSAPSS
28)
29
30func init() {
31 // PS256
32 SigningMethodPS256 = &SigningMethodRSAPSS{
33 SigningMethodRSA: &SigningMethodRSA{
34 Name: "PS256",
35 Hash: crypto.SHA256,
36 },
37 Options: &rsa.PSSOptions{
38 SaltLength: rsa.PSSSaltLengthEqualsHash,
39 },
40 VerifyOptions: &rsa.PSSOptions{
41 SaltLength: rsa.PSSSaltLengthAuto,
42 },
43 }
44 RegisterSigningMethod(SigningMethodPS256.Alg(), func() SigningMethod {
45 return SigningMethodPS256
46 })
47
48 // PS384
49 SigningMethodPS384 = &SigningMethodRSAPSS{
50 SigningMethodRSA: &SigningMethodRSA{
51 Name: "PS384",
52 Hash: crypto.SHA384,
53 },
54 Options: &rsa.PSSOptions{
55 SaltLength: rsa.PSSSaltLengthEqualsHash,
56 },
57 VerifyOptions: &rsa.PSSOptions{
58 SaltLength: rsa.PSSSaltLengthAuto,
59 },
60 }
61 RegisterSigningMethod(SigningMethodPS384.Alg(), func() SigningMethod {
62 return SigningMethodPS384
63 })
64
65 // PS512
66 SigningMethodPS512 = &SigningMethodRSAPSS{
67 SigningMethodRSA: &SigningMethodRSA{
68 Name: "PS512",
69 Hash: crypto.SHA512,
70 },
71 Options: &rsa.PSSOptions{
72 SaltLength: rsa.PSSSaltLengthEqualsHash,
73 },
74 VerifyOptions: &rsa.PSSOptions{
75 SaltLength: rsa.PSSSaltLengthAuto,
76 },
77 }
78 RegisterSigningMethod(SigningMethodPS512.Alg(), func() SigningMethod {
79 return SigningMethodPS512
80 })
81}
82
83// Verify implements token verification for the SigningMethod.
84// For this verify method, key must be an rsa.PublicKey struct
85func (m *SigningMethodRSAPSS) Verify(signingString string, sig []byte, key interface{}) error {
86 var rsaKey *rsa.PublicKey
87 switch k := key.(type) {
88 case *rsa.PublicKey:
89 rsaKey = k
90 default:
91 return newError("RSA-PSS verify expects *rsa.PublicKey", ErrInvalidKeyType)
92 }
93
94 // Create hasher
95 if !m.Hash.Available() {
96 return ErrHashUnavailable
97 }
98 hasher := m.Hash.New()
99 hasher.Write([]byte(signingString))
100
101 opts := m.Options
102 if m.VerifyOptions != nil {
103 opts = m.VerifyOptions
104 }
105
106 return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, opts)
107}
108
109// Sign implements token signing for the SigningMethod.
110// For this signing method, key must be an rsa.PrivateKey struct
111func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) ([]byte, error) {
112 var rsaKey *rsa.PrivateKey
113
114 switch k := key.(type) {
115 case *rsa.PrivateKey:
116 rsaKey = k
117 default:
118 return nil, newError("RSA-PSS sign expects *rsa.PrivateKey", ErrInvalidKeyType)
119 }
120
121 // Create the hasher
122 if !m.Hash.Available() {
123 return nil, ErrHashUnavailable
124 }
125
126 hasher := m.Hash.New()
127 hasher.Write([]byte(signingString))
128
129 // Sign the string and return the encoded bytes
130 if sigBytes, err := rsa.SignPSS(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil), m.Options); err == nil {
131 return sigBytes, nil
132 } else {
133 return nil, err
134 }
135}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go b/vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go
new file mode 100644
index 0000000..b3aeebb
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go
@@ -0,0 +1,107 @@
1package jwt
2
3import (
4 "crypto/rsa"
5 "crypto/x509"
6 "encoding/pem"
7 "errors"
8)
9
10var (
11 ErrKeyMustBePEMEncoded = errors.New("invalid key: Key must be a PEM encoded PKCS1 or PKCS8 key")
12 ErrNotRSAPrivateKey = errors.New("key is not a valid RSA private key")
13 ErrNotRSAPublicKey = errors.New("key is not a valid RSA public key")
14)
15
16// ParseRSAPrivateKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 private key
17func ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error) {
18 var err error
19
20 // Parse PEM block
21 var block *pem.Block
22 if block, _ = pem.Decode(key); block == nil {
23 return nil, ErrKeyMustBePEMEncoded
24 }
25
26 var parsedKey interface{}
27 if parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
28 if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
29 return nil, err
30 }
31 }
32
33 var pkey *rsa.PrivateKey
34 var ok bool
35 if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
36 return nil, ErrNotRSAPrivateKey
37 }
38
39 return pkey, nil
40}
41
42// ParseRSAPrivateKeyFromPEMWithPassword parses a PEM encoded PKCS1 or PKCS8 private key protected with password
43//
44// Deprecated: This function is deprecated and should not be used anymore. It uses the deprecated x509.DecryptPEMBlock
45// function, which was deprecated since RFC 1423 is regarded insecure by design. Unfortunately, there is no alternative
46// in the Go standard library for now. See https://github.com/golang/go/issues/8860.
47func ParseRSAPrivateKeyFromPEMWithPassword(key []byte, password string) (*rsa.PrivateKey, error) {
48 var err error
49
50 // Parse PEM block
51 var block *pem.Block
52 if block, _ = pem.Decode(key); block == nil {
53 return nil, ErrKeyMustBePEMEncoded
54 }
55
56 var parsedKey interface{}
57
58 var blockDecrypted []byte
59 if blockDecrypted, err = x509.DecryptPEMBlock(block, []byte(password)); err != nil {
60 return nil, err
61 }
62
63 if parsedKey, err = x509.ParsePKCS1PrivateKey(blockDecrypted); err != nil {
64 if parsedKey, err = x509.ParsePKCS8PrivateKey(blockDecrypted); err != nil {
65 return nil, err
66 }
67 }
68
69 var pkey *rsa.PrivateKey
70 var ok bool
71 if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
72 return nil, ErrNotRSAPrivateKey
73 }
74
75 return pkey, nil
76}
77
78// ParseRSAPublicKeyFromPEM parses a certificate or a PEM encoded PKCS1 or PKIX public key
79func ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error) {
80 var err error
81
82 // Parse PEM block
83 var block *pem.Block
84 if block, _ = pem.Decode(key); block == nil {
85 return nil, ErrKeyMustBePEMEncoded
86 }
87
88 // Parse the key
89 var parsedKey interface{}
90 if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
91 if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
92 parsedKey = cert.PublicKey
93 } else {
94 if parsedKey, err = x509.ParsePKCS1PublicKey(block.Bytes); err != nil {
95 return nil, err
96 }
97 }
98 }
99
100 var pkey *rsa.PublicKey
101 var ok bool
102 if pkey, ok = parsedKey.(*rsa.PublicKey); !ok {
103 return nil, ErrNotRSAPublicKey
104 }
105
106 return pkey, nil
107}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/signing_method.go b/vendor/github.com/golang-jwt/jwt/v5/signing_method.go
new file mode 100644
index 0000000..0d73631
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/signing_method.go
@@ -0,0 +1,49 @@
1package jwt
2
3import (
4 "sync"
5)
6
7var signingMethods = map[string]func() SigningMethod{}
8var signingMethodLock = new(sync.RWMutex)
9
10// SigningMethod can be used add new methods for signing or verifying tokens. It
11// takes a decoded signature as an input in the Verify function and produces a
12// signature in Sign. The signature is then usually base64 encoded as part of a
13// JWT.
14type SigningMethod interface {
15 Verify(signingString string, sig []byte, key interface{}) error // Returns nil if signature is valid
16 Sign(signingString string, key interface{}) ([]byte, error) // Returns signature or error
17 Alg() string // returns the alg identifier for this method (example: 'HS256')
18}
19
20// RegisterSigningMethod registers the "alg" name and a factory function for signing method.
21// This is typically done during init() in the method's implementation
22func RegisterSigningMethod(alg string, f func() SigningMethod) {
23 signingMethodLock.Lock()
24 defer signingMethodLock.Unlock()
25
26 signingMethods[alg] = f
27}
28
29// GetSigningMethod retrieves a signing method from an "alg" string
30func GetSigningMethod(alg string) (method SigningMethod) {
31 signingMethodLock.RLock()
32 defer signingMethodLock.RUnlock()
33
34 if methodF, ok := signingMethods[alg]; ok {
35 method = methodF()
36 }
37 return
38}
39
40// GetAlgorithms returns a list of registered "alg" names
41func GetAlgorithms() (algs []string) {
42 signingMethodLock.RLock()
43 defer signingMethodLock.RUnlock()
44
45 for alg := range signingMethods {
46 algs = append(algs, alg)
47 }
48 return
49}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf b/vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf
new file mode 100644
index 0000000..53745d5
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf
@@ -0,0 +1 @@
checks = ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1023"]
diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go
new file mode 100644
index 0000000..352873a
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/token.go
@@ -0,0 +1,100 @@
1package jwt
2
3import (
4 "crypto"
5 "encoding/base64"
6 "encoding/json"
7)
8
9// Keyfunc will be used by the Parse methods as a callback function to supply
10// the key for verification. The function receives the parsed, but unverified
11// Token. This allows you to use properties in the Header of the token (such as
12// `kid`) to identify which key to use.
13//
14// The returned interface{} may be a single key or a VerificationKeySet containing
15// multiple keys.
16type Keyfunc func(*Token) (interface{}, error)
17
18// VerificationKey represents a public or secret key for verifying a token's signature.
19type VerificationKey interface {
20 crypto.PublicKey | []uint8
21}
22
23// VerificationKeySet is a set of public or secret keys. It is used by the parser to verify a token.
24type VerificationKeySet struct {
25 Keys []VerificationKey
26}
27
28// Token represents a JWT Token. Different fields will be used depending on
29// whether you're creating or parsing/verifying a token.
30type Token struct {
31 Raw string // Raw contains the raw token. Populated when you [Parse] a token
32 Method SigningMethod // Method is the signing method used or to be used
33 Header map[string]interface{} // Header is the first segment of the token in decoded form
34 Claims Claims // Claims is the second segment of the token in decoded form
35 Signature []byte // Signature is the third segment of the token in decoded form. Populated when you Parse a token
36 Valid bool // Valid specifies if the token is valid. Populated when you Parse/Verify a token
37}
38
39// New creates a new [Token] with the specified signing method and an empty map
40// of claims. Additional options can be specified, but are currently unused.
41func New(method SigningMethod, opts ...TokenOption) *Token {
42 return NewWithClaims(method, MapClaims{}, opts...)
43}
44
45// NewWithClaims creates a new [Token] with the specified signing method and
46// claims. Additional options can be specified, but are currently unused.
47func NewWithClaims(method SigningMethod, claims Claims, opts ...TokenOption) *Token {
48 return &Token{
49 Header: map[string]interface{}{
50 "typ": "JWT",
51 "alg": method.Alg(),
52 },
53 Claims: claims,
54 Method: method,
55 }
56}
57
58// SignedString creates and returns a complete, signed JWT. The token is signed
59// using the SigningMethod specified in the token. Please refer to
60// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types
61// for an overview of the different signing methods and their respective key
62// types.
63func (t *Token) SignedString(key interface{}) (string, error) {
64 sstr, err := t.SigningString()
65 if err != nil {
66 return "", err
67 }
68
69 sig, err := t.Method.Sign(sstr, key)
70 if err != nil {
71 return "", err
72 }
73
74 return sstr + "." + t.EncodeSegment(sig), nil
75}
76
77// SigningString generates the signing string. This is the most expensive part
78// of the whole deal. Unless you need this for something special, just go
79// straight for the SignedString.
80func (t *Token) SigningString() (string, error) {
81 h, err := json.Marshal(t.Header)
82 if err != nil {
83 return "", err
84 }
85
86 c, err := json.Marshal(t.Claims)
87 if err != nil {
88 return "", err
89 }
90
91 return t.EncodeSegment(h) + "." + t.EncodeSegment(c), nil
92}
93
94// EncodeSegment encodes a JWT specific base64url encoding with padding
95// stripped. In the future, this function might take into account a
96// [TokenOption]. Therefore, this function exists as a method of [Token], rather
97// than a global function.
98func (*Token) EncodeSegment(seg []byte) string {
99 return base64.RawURLEncoding.EncodeToString(seg)
100}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/token_option.go b/vendor/github.com/golang-jwt/jwt/v5/token_option.go
new file mode 100644
index 0000000..b4ae3ba
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/token_option.go
@@ -0,0 +1,5 @@
1package jwt
2
3// TokenOption is a reserved type, which provides some forward compatibility,
4// if we ever want to introduce token creation-related options.
5type TokenOption func(*Token)
diff --git a/vendor/github.com/golang-jwt/jwt/v5/types.go b/vendor/github.com/golang-jwt/jwt/v5/types.go
new file mode 100644
index 0000000..b2655a9
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/types.go
@@ -0,0 +1,149 @@
1package jwt
2
3import (
4 "encoding/json"
5 "fmt"
6 "math"
7 "strconv"
8 "time"
9)
10
11// TimePrecision sets the precision of times and dates within this library. This
12// has an influence on the precision of times when comparing expiry or other
13// related time fields. Furthermore, it is also the precision of times when
14// serializing.
15//
16// For backwards compatibility the default precision is set to seconds, so that
17// no fractional timestamps are generated.
18var TimePrecision = time.Second
19
20// MarshalSingleStringAsArray modifies the behavior of the ClaimStrings type,
21// especially its MarshalJSON function.
22//
23// If it is set to true (the default), it will always serialize the type as an
24// array of strings, even if it just contains one element, defaulting to the
25// behavior of the underlying []string. If it is set to false, it will serialize
26// to a single string, if it contains one element. Otherwise, it will serialize
27// to an array of strings.
28var MarshalSingleStringAsArray = true
29
30// NumericDate represents a JSON numeric date value, as referenced at
31// https://datatracker.ietf.org/doc/html/rfc7519#section-2.
32type NumericDate struct {
33 time.Time
34}
35
36// NewNumericDate constructs a new *NumericDate from a standard library time.Time struct.
37// It will truncate the timestamp according to the precision specified in TimePrecision.
38func NewNumericDate(t time.Time) *NumericDate {
39 return &NumericDate{t.Truncate(TimePrecision)}
40}
41
42// newNumericDateFromSeconds creates a new *NumericDate out of a float64 representing a
43// UNIX epoch with the float fraction representing non-integer seconds.
44func newNumericDateFromSeconds(f float64) *NumericDate {
45 round, frac := math.Modf(f)
46 return NewNumericDate(time.Unix(int64(round), int64(frac*1e9)))
47}
48
49// MarshalJSON is an implementation of the json.RawMessage interface and serializes the UNIX epoch
50// represented in NumericDate to a byte array, using the precision specified in TimePrecision.
51func (date NumericDate) MarshalJSON() (b []byte, err error) {
52 var prec int
53 if TimePrecision < time.Second {
54 prec = int(math.Log10(float64(time.Second) / float64(TimePrecision)))
55 }
56 truncatedDate := date.Truncate(TimePrecision)
57
58 // For very large timestamps, UnixNano would overflow an int64, but this
59 // function requires nanosecond level precision, so we have to use the
60 // following technique to get round the issue:
61 //
62 // 1. Take the normal unix timestamp to form the whole number part of the
63 // output,
64 // 2. Take the result of the Nanosecond function, which returns the offset
65 // within the second of the particular unix time instance, to form the
66 // decimal part of the output
67 // 3. Concatenate them to produce the final result
68 seconds := strconv.FormatInt(truncatedDate.Unix(), 10)
69 nanosecondsOffset := strconv.FormatFloat(float64(truncatedDate.Nanosecond())/float64(time.Second), 'f', prec, 64)
70
71 output := append([]byte(seconds), []byte(nanosecondsOffset)[1:]...)
72
73 return output, nil
74}
75
76// UnmarshalJSON is an implementation of the json.RawMessage interface and
77// deserializes a [NumericDate] from a JSON representation, i.e. a
78// [json.Number]. This number represents an UNIX epoch with either integer or
79// non-integer seconds.
80func (date *NumericDate) UnmarshalJSON(b []byte) (err error) {
81 var (
82 number json.Number
83 f float64
84 )
85
86 if err = json.Unmarshal(b, &number); err != nil {
87 return fmt.Errorf("could not parse NumericData: %w", err)
88 }
89
90 if f, err = number.Float64(); err != nil {
91 return fmt.Errorf("could not convert json number value to float: %w", err)
92 }
93
94 n := newNumericDateFromSeconds(f)
95 *date = *n
96
97 return nil
98}
99
100// ClaimStrings is basically just a slice of strings, but it can be either
101// serialized from a string array or just a string. This type is necessary,
102// since the "aud" claim can either be a single string or an array.
103type ClaimStrings []string
104
105func (s *ClaimStrings) UnmarshalJSON(data []byte) (err error) {
106 var value interface{}
107
108 if err = json.Unmarshal(data, &value); err != nil {
109 return err
110 }
111
112 var aud []string
113
114 switch v := value.(type) {
115 case string:
116 aud = append(aud, v)
117 case []string:
118 aud = ClaimStrings(v)
119 case []interface{}:
120 for _, vv := range v {
121 vs, ok := vv.(string)
122 if !ok {
123 return ErrInvalidType
124 }
125 aud = append(aud, vs)
126 }
127 case nil:
128 return nil
129 default:
130 return ErrInvalidType
131 }
132
133 *s = aud
134
135 return
136}
137
138func (s ClaimStrings) MarshalJSON() (b []byte, err error) {
139 // This handles a special case in the JWT RFC. If the string array, e.g.
140 // used by the "aud" field, only contains one element, it MAY be serialized
141 // as a single string. This may or may not be desired based on the ecosystem
142 // of other JWT library used, so we make it configurable by the variable
143 // MarshalSingleStringAsArray.
144 if len(s) == 1 && !MarshalSingleStringAsArray {
145 return json.Marshal(s[0])
146 }
147
148 return json.Marshal([]string(s))
149}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/validator.go b/vendor/github.com/golang-jwt/jwt/v5/validator.go
new file mode 100644
index 0000000..008ecd8
--- /dev/null
+++ b/vendor/github.com/golang-jwt/jwt/v5/validator.go
@@ -0,0 +1,316 @@
1package jwt
2
3import (
4 "crypto/subtle"
5 "fmt"
6 "time"
7)
8
9// ClaimsValidator is an interface that can be implemented by custom claims who
10// wish to execute any additional claims validation based on
11// application-specific logic. The Validate function is then executed in
12// addition to the regular claims validation and any error returned is appended
13// to the final validation result.
14//
15// type MyCustomClaims struct {
16// Foo string `json:"foo"`
17// jwt.RegisteredClaims
18// }
19//
20// func (m MyCustomClaims) Validate() error {
21// if m.Foo != "bar" {
22// return errors.New("must be foobar")
23// }
24// return nil
25// }
26type ClaimsValidator interface {
27 Claims
28 Validate() error
29}
30
31// Validator is the core of the new Validation API. It is automatically used by
32// a [Parser] during parsing and can be modified with various parser options.
33//
34// The [NewValidator] function should be used to create an instance of this
35// struct.
36type Validator struct {
37 // leeway is an optional leeway that can be provided to account for clock skew.
38 leeway time.Duration
39
40 // timeFunc is used to supply the current time that is needed for
41 // validation. If unspecified, this defaults to time.Now.
42 timeFunc func() time.Time
43
44 // requireExp specifies whether the exp claim is required
45 requireExp bool
46
47 // verifyIat specifies whether the iat (Issued At) claim will be verified.
48 // According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
49 // only specifies the age of the token, but no validation check is
50 // necessary. However, if wanted, it can be checked if the iat is
51 // unrealistic, i.e., in the future.
52 verifyIat bool
53
54 // expectedAud contains the audience this token expects. Supplying an empty
55 // string will disable aud checking.
56 expectedAud string
57
58 // expectedIss contains the issuer this token expects. Supplying an empty
59 // string will disable iss checking.
60 expectedIss string
61
62 // expectedSub contains the subject this token expects. Supplying an empty
63 // string will disable sub checking.
64 expectedSub string
65}
66
67// NewValidator can be used to create a stand-alone validator with the supplied
68// options. This validator can then be used to validate already parsed claims.
69//
70// Note: Under normal circumstances, explicitly creating a validator is not
71// needed and can potentially be dangerous; instead functions of the [Parser]
72// class should be used.
73//
74// The [Validator] is only checking the *validity* of the claims, such as its
75// expiration time, but it does NOT perform *signature verification* of the
76// token.
77func NewValidator(opts ...ParserOption) *Validator {
78 p := NewParser(opts...)
79 return p.validator
80}
81
82// Validate validates the given claims. It will also perform any custom
83// validation if claims implements the [ClaimsValidator] interface.
84//
85// Note: It will NOT perform any *signature verification* on the token that
86// contains the claims and expects that the [Claim] was already successfully
87// verified.
88func (v *Validator) Validate(claims Claims) error {
89 var (
90 now time.Time
91 errs []error = make([]error, 0, 6)
92 err error
93 )
94
95 // Check, if we have a time func
96 if v.timeFunc != nil {
97 now = v.timeFunc()
98 } else {
99 now = time.Now()
100 }
101
102 // We always need to check the expiration time, but usage of the claim
103 // itself is OPTIONAL by default. requireExp overrides this behavior
104 // and makes the exp claim mandatory.
105 if err = v.verifyExpiresAt(claims, now, v.requireExp); err != nil {
106 errs = append(errs, err)
107 }
108
109 // We always need to check not-before, but usage of the claim itself is
110 // OPTIONAL.
111 if err = v.verifyNotBefore(claims, now, false); err != nil {
112 errs = append(errs, err)
113 }
114
115 // Check issued-at if the option is enabled
116 if v.verifyIat {
117 if err = v.verifyIssuedAt(claims, now, false); err != nil {
118 errs = append(errs, err)
119 }
120 }
121
122 // If we have an expected audience, we also require the audience claim
123 if v.expectedAud != "" {
124 if err = v.verifyAudience(claims, v.expectedAud, true); err != nil {
125 errs = append(errs, err)
126 }
127 }
128
129 // If we have an expected issuer, we also require the issuer claim
130 if v.expectedIss != "" {
131 if err = v.verifyIssuer(claims, v.expectedIss, true); err != nil {
132 errs = append(errs, err)
133 }
134 }
135
136 // If we have an expected subject, we also require the subject claim
137 if v.expectedSub != "" {
138 if err = v.verifySubject(claims, v.expectedSub, true); err != nil {
139 errs = append(errs, err)
140 }
141 }
142
143 // Finally, we want to give the claim itself some possibility to do some
144 // additional custom validation based on a custom Validate function.
145 cvt, ok := claims.(ClaimsValidator)
146 if ok {
147 if err := cvt.Validate(); err != nil {
148 errs = append(errs, err)
149 }
150 }
151
152 if len(errs) == 0 {
153 return nil
154 }
155
156 return joinErrors(errs...)
157}
158
159// verifyExpiresAt compares the exp claim in claims against cmp. This function
160// will succeed if cmp < exp. Additional leeway is taken into account.
161//
162// If exp is not set, it will succeed if the claim is not required,
163// otherwise ErrTokenRequiredClaimMissing will be returned.
164//
165// Additionally, if any error occurs while retrieving the claim, e.g., when its
166// the wrong type, an ErrTokenUnverifiable error will be returned.
167func (v *Validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool) error {
168 exp, err := claims.GetExpirationTime()
169 if err != nil {
170 return err
171 }
172
173 if exp == nil {
174 return errorIfRequired(required, "exp")
175 }
176
177 return errorIfFalse(cmp.Before((exp.Time).Add(+v.leeway)), ErrTokenExpired)
178}
179
180// verifyIssuedAt compares the iat claim in claims against cmp. This function
181// will succeed if cmp >= iat. Additional leeway is taken into account.
182//
183// If iat is not set, it will succeed if the claim is not required,
184// otherwise ErrTokenRequiredClaimMissing will be returned.
185//
186// Additionally, if any error occurs while retrieving the claim, e.g., when its
187// the wrong type, an ErrTokenUnverifiable error will be returned.
188func (v *Validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool) error {
189 iat, err := claims.GetIssuedAt()
190 if err != nil {
191 return err
192 }
193
194 if iat == nil {
195 return errorIfRequired(required, "iat")
196 }
197
198 return errorIfFalse(!cmp.Before(iat.Add(-v.leeway)), ErrTokenUsedBeforeIssued)
199}
200
201// verifyNotBefore compares the nbf claim in claims against cmp. This function
202// will return true if cmp >= nbf. Additional leeway is taken into account.
203//
204// If nbf is not set, it will succeed if the claim is not required,
205// otherwise ErrTokenRequiredClaimMissing will be returned.
206//
207// Additionally, if any error occurs while retrieving the claim, e.g., when its
208// the wrong type, an ErrTokenUnverifiable error will be returned.
209func (v *Validator) verifyNotBefore(claims Claims, cmp time.Time, required bool) error {
210 nbf, err := claims.GetNotBefore()
211 if err != nil {
212 return err
213 }
214
215 if nbf == nil {
216 return errorIfRequired(required, "nbf")
217 }
218
219 return errorIfFalse(!cmp.Before(nbf.Add(-v.leeway)), ErrTokenNotValidYet)
220}
221
222// verifyAudience compares the aud claim against cmp.
223//
224// If aud is not set or an empty list, it will succeed if the claim is not required,
225// otherwise ErrTokenRequiredClaimMissing will be returned.
226//
227// Additionally, if any error occurs while retrieving the claim, e.g., when its
228// the wrong type, an ErrTokenUnverifiable error will be returned.
229func (v *Validator) verifyAudience(claims Claims, cmp string, required bool) error {
230 aud, err := claims.GetAudience()
231 if err != nil {
232 return err
233 }
234
235 if len(aud) == 0 {
236 return errorIfRequired(required, "aud")
237 }
238
239 // use a var here to keep constant time compare when looping over a number of claims
240 result := false
241
242 var stringClaims string
243 for _, a := range aud {
244 if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
245 result = true
246 }
247 stringClaims = stringClaims + a
248 }
249
250 // case where "" is sent in one or many aud claims
251 if stringClaims == "" {
252 return errorIfRequired(required, "aud")
253 }
254
255 return errorIfFalse(result, ErrTokenInvalidAudience)
256}
257
258// verifyIssuer compares the iss claim in claims against cmp.
259//
260// If iss is not set, it will succeed if the claim is not required,
261// otherwise ErrTokenRequiredClaimMissing will be returned.
262//
263// Additionally, if any error occurs while retrieving the claim, e.g., when its
264// the wrong type, an ErrTokenUnverifiable error will be returned.
265func (v *Validator) verifyIssuer(claims Claims, cmp string, required bool) error {
266 iss, err := claims.GetIssuer()
267 if err != nil {
268 return err
269 }
270
271 if iss == "" {
272 return errorIfRequired(required, "iss")
273 }
274
275 return errorIfFalse(iss == cmp, ErrTokenInvalidIssuer)
276}
277
278// verifySubject compares the sub claim against cmp.
279//
280// If sub is not set, it will succeed if the claim is not required,
281// otherwise ErrTokenRequiredClaimMissing will be returned.
282//
283// Additionally, if any error occurs while retrieving the claim, e.g., when its
284// the wrong type, an ErrTokenUnverifiable error will be returned.
285func (v *Validator) verifySubject(claims Claims, cmp string, required bool) error {
286 sub, err := claims.GetSubject()
287 if err != nil {
288 return err
289 }
290
291 if sub == "" {
292 return errorIfRequired(required, "sub")
293 }
294
295 return errorIfFalse(sub == cmp, ErrTokenInvalidSubject)
296}
297
298// errorIfFalse returns the error specified in err, if the value is true.
299// Otherwise, nil is returned.
300func errorIfFalse(value bool, err error) error {
301 if value {
302 return nil
303 } else {
304 return err
305 }
306}
307
308// errorIfRequired returns an ErrTokenRequiredClaimMissing error if required is
309// true. Otherwise, nil is returned.
310func errorIfRequired(required bool, claim string) error {
311 if required {
312 return newError(fmt.Sprintf("%s claim is required", claim), ErrTokenRequiredClaimMissing)
313 } else {
314 return nil
315 }
316}