From 1c6db3ceac5f4d28b35ee4b9949a3f80030aa6a3 Mon Sep 17 00:00:00 2001
From: Andres Perez <1676612+andresperezl@users.noreply.github.com>
Date: Wed, 6 Jan 2021 15:47:52 -0500
Subject: [PATCH] Update jwt-go to v4 to address CVE-2020-26160 (#69)
---
 README.md | 6 ++++--
 examples/martini-example/main.go | 2 +-
 examples/negroni-example/main.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 jwtmiddleware.go | 2 +-
 jwtmiddleware_test.go | 2 +-
 7 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 1e1a7c4d..59bcaad0 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # GO JWT Middleware
+**NOTE:** We released this version using a fork of jwt-go in order to address a security vulnerability. Due to jwt-go not being actively maintained we will be looking to switch to a more actively maintained package in the near future.
+
 A middleware that will check that a [JWT](http://jwt.io/) is sent on the `Authorization` header and will then set the content of the JWT into the `user` variable of the request. This module lets you authenticate HTTP requests using JWT tokens in your Go Programming Language applications. JWTs are typically used to protect API endpoints, and are often issued using OpenID Connect.
@@ -28,7 +30,7 @@ import (
 "net/http"
 "github.com/auth0/go-jwt-middleware"
- "github.com/dgrijalva/jwt-go"
+ "github.com/form3tech-oss/jwt-go"
 "context"
 )
@@ -70,7 +72,7 @@ import (
 "github.com/auth0/go-jwt-middleware"
 "github.com/urfave/negroni"
- "github.com/dgrijalva/jwt-go"
+ "github.com/form3tech-oss/jwt-go"
 "github.com/gorilla/mux"
 )
diff --git a/examples/martini-example/main.go b/examples/martini-example/main.go
index 7c31241d..3a76fc15 100644
--- a/examples/martini-example/main.go
+++ b/examples/martini-example/main.go
@@ -5,7 +5,7 @@ import (
 "net/http"
 jwtmiddleware "github.com/auth0/go-jwt-middleware"
- "github.com/dgrijalva/jwt-go"
+ "github.com/form3tech-oss/jwt-go"
 "github.com/go-martini/martini"
 )
diff --git a/examples/negroni-example/main.go b/examples/negroni-example/main.go
index 39414cb0..a2640a4d 100644
--- a/examples/negroni-example/main.go
+++ b/examples/negroni-example/main.go
@@ -5,7 +5,7 @@ import (
 "net/http"
 jwtmiddleware "github.com/auth0/go-jwt-middleware"
- "github.com/dgrijalva/jwt-go"
+ "github.com/form3tech-oss/jwt-go"
 "github.com/gorilla/mux"
 "github.com/urfave/negroni"
 )
diff --git a/go.mod b/go.mod
index b00b4f48..5ea135e5 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.14
 require (
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
+ github.com/form3tech-oss/jwt-go v3.2.2+incompatible
 github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 // indirect
 github.com/gorilla/mux v1.7.4
diff --git a/go.sum b/go.sum
index 5e637eb2..736f537d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk=
 github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
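Review bot: The commit title says jwt-go is updated to v4, but the `require` line added in go.mod pins `github.com/form3tech-oss/jwt-go v3.2.2+incompatible`, a v3-series release of a fork, so the commit record and the pin disagree about what was shipped. Anyone auditing this module for CVE-2020-26160 would be helped by stating the reason on the line itself, for example `github.com/form3tech-oss/jwt-go v3.2.2+incompatible // fork of dgrijalva/jwt-go, pinned for the CVE-2020-26160 fix`, and by confirming that this tag is the one carrying the fix. The go.sum hunk drops both dgrijalva entries, which suggests the old module has left this module's own graph; applications that import it directly are not covered by this change.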
diff --git a/jwtmiddleware.go b/jwtmiddleware.go
index 8b01d8e5..c146b946 100644
--- a/jwtmiddleware.go
+++ b/jwtmiddleware.go
@@ -8,7 +8,7 @@ import (
 "net/http"
 "strings"
- "github.com/dgrijalva/jwt-go"
+ "github.com/form3tech-oss/jwt-go"
 )
 // A function called whenever an error is encountered
diff --git a/jwtmiddleware_test.go b/jwtmiddleware_test.go
index 51698cae..cab5cd51 100644
--- a/jwtmiddleware_test.go
+++ b/jwtmiddleware_test.go
@@ -9,7 +9,7 @@ import (
 "strings"
 "testing"
- "github.com/dgrijalva/jwt-go"
+ "github.com/form3tech-oss/jwt-go"
 "github.com/gorilla/mux"
 . "github.com/smartystreets/goconvey/convey"
 "github.com/urfave/negroni"
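Review bot: The import swap in jwtmiddleware.go changes the package identity of every `jwt` type the library uses, and nothing in the code tells callers so. The declarations sit outside the hunk, but the README examples import both packages, so exported fields or callbacks typed with `jwt.Token` or `jwt.Keyfunc` presumably stop accepting values built with `github.com/dgrijalva/jwt-go`. Callers that keep the old import would fail to compile against this release, and any that parse tokens themselves with the old package still run the unpatched code. A comment on the import, such as `// fork of dgrijalva/jwt-go; callers must import this same path so jwt types match`, plus an upgrade note in the release would make the requirement explicit.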