Use github.com/golang-jwt/jwt instead of github.com/dgrijalva/jwt-go

See dgrijalva/jwt-go#462 for more info. This also addresses CVE-2020-26160 since github.com/golang-jwt/jwt v3.2.1 fixes the issue.
mtraver · Aug 12, 2021 · e6d0c93 · e6d0c93
1 parent d02ff4e
commit e6d0c93
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/mtraver/iotcore
 go 1.15
 
 require (
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/eclipse/paho.mqtt.golang v1.3.5
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,7 +1,7 @@
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/eclipse/paho.mqtt.golang v1.3.5 h1:sWtmgNxYM9P2sP+xEItMozsR3w0cqZFlqnNN1bdl41Y=
 github.com/eclipse/paho.mqtt.golang v1.3.5/go.mod h1:eTzb4gxwwyWpqBUHGQZ4ABAV7+Jgm1PklsYT/eo8Hcc=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

diff --git a/iotcore.go b/iotcore.go
@@ -12,8 +12,8 @@ import (
 	"sync"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
 	mqtt "github.com/eclipse/paho.mqtt.golang"
+	jwt "github.com/golang-jwt/jwt"
 )
 
 // Google Cloud IoT Core's MQTT brokers ignore the password when authenticating (they only care about the JWT).