From 641990fa07cb6df006f516c1ba9c25e2fdbe6f4c Mon Sep 17 00:00:00 2001 From: "mend-for-github-com[bot]" <50673670+mend-for-github-com[bot]@users.noreply.github.com> Date: Thu, 19 Jan 2023 14:37:20 +0200 Subject: [PATCH] =?UTF-8?q?chore(deps):=20update=20=E2=AC=86=EF=B8=8F=20go?= =?UTF-8?q?lang=20module=20github.com/golang-jwt/jwt/v4=20to=20v4.4.3=20(#?= =?UTF-8?q?42)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/golang-jwt/jwt/v4](https://togithub.com/golang-jwt/jwt) | require | patch | `v4.4.2` -> `v4.4.3` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes
golang-jwt/jwt ### [`v4.4.3`](https://togithub.com/golang-jwt/jwt/releases/tag/v4.4.3) [Compare Source](https://togithub.com/golang-jwt/jwt/compare/v4.4.2...v4.4.3) #### What's Changed - fix: link update for README.md for v4 by [@​krokite](https://togithub.com/krokite) in [https://github.com/golang-jwt/jwt/pull/217](https://togithub.com/golang-jwt/jwt/pull/217) - Implement a BearerExtractor by [@​WhyNotHugo](https://togithub.com/WhyNotHugo) in [https://github.com/golang-jwt/jwt/pull/226](https://togithub.com/golang-jwt/jwt/pull/226) - Bump matrix to support latest go version (go1.19) by [@​mfridman](https://togithub.com/mfridman) in [https://github.com/golang-jwt/jwt/pull/231](https://togithub.com/golang-jwt/jwt/pull/231) - Include https://github.com/golang-jwt/jwe in README by [@​oxisto](https://togithub.com/oxisto) in [https://github.com/golang-jwt/jwt/pull/229](https://togithub.com/golang-jwt/jwt/pull/229) - Add doc comment to ParseWithClaims by [@​jkopczyn](https://togithub.com/jkopczyn) in [https://github.com/golang-jwt/jwt/pull/232](https://togithub.com/golang-jwt/jwt/pull/232) - Refactor: removed the unneeded if statement by [@​Krout0n](https://togithub.com/Krout0n) in [https://github.com/golang-jwt/jwt/pull/241](https://togithub.com/golang-jwt/jwt/pull/241) - No pointer embedding in the example by [@​oxisto](https://togithub.com/oxisto) in [https://github.com/golang-jwt/jwt/pull/255](https://togithub.com/golang-jwt/jwt/pull/255) #### New Contributors - [@​krokite](https://togithub.com/krokite) made their first contribution in [https://github.com/golang-jwt/jwt/pull/217](https://togithub.com/golang-jwt/jwt/pull/217) - [@​WhyNotHugo](https://togithub.com/WhyNotHugo) made their first contribution in [https://github.com/golang-jwt/jwt/pull/226](https://togithub.com/golang-jwt/jwt/pull/226) - [@​jkopczyn](https://togithub.com/jkopczyn) made their first contribution in [https://github.com/golang-jwt/jwt/pull/232](https://togithub.com/golang-jwt/jwt/pull/232) - [@​Krout0n](https://togithub.com/Krout0n) made their first contribution in [https://github.com/golang-jwt/jwt/pull/241](https://togithub.com/golang-jwt/jwt/pull/241) **Full Changelog**: https://github.com/golang-jwt/jwt/compare/v4.4.2...v4.4.3
--- ### Configuration 📅 **Schedule**: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, click this checkbox. Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- vendor/github.com/golang-jwt/jwt/v4/README.md | 18 +++++++++--------- vendor/github.com/golang-jwt/jwt/v4/claims.go | 6 +----- vendor/github.com/golang-jwt/jwt/v4/parser.go | 7 +++++++ vendor/github.com/golang-jwt/jwt/v4/token.go | 5 +++++ vendor/modules.txt | 2 +- 7 files changed, 26 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index 231c2a33..c8b09508 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/dustin/go-humanize v1.0.0 github.com/fatih/color v1.13.0 github.com/gobuffalo/uuid v2.0.5+incompatible - github.com/golang-jwt/jwt/v4 v4.4.2 + github.com/golang-jwt/jwt/v4 v4.4.3 github.com/hinshun/vt10x v0.0.0-20220301184237-5011da428d02 github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f github.com/jarcoal/httpmock v1.2.0 diff --git a/go.sum b/go.sum index 26b9dd24..8a78a602 100644 --- a/go.sum +++ b/go.sum @@ -182,8 +182,8 @@ github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= -github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU= +github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= diff --git a/vendor/github.com/golang-jwt/jwt/v4/README.md b/vendor/github.com/golang-jwt/jwt/v4/README.md index f5d551ca..30f2f2a6 100644 --- a/vendor/github.com/golang-jwt/jwt/v4/README.md +++ b/vendor/github.com/golang-jwt/jwt/v4/README.md @@ -54,9 +54,9 @@ import "github.com/golang-jwt/jwt/v4" See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v4) for examples of usage: -* [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-Parse-Hmac) -* [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-New-Hmac) -* [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt#pkg-examples) +* [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#example-Parse-Hmac) +* [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#example-New-Hmac) +* [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#pkg-examples) ## Extensions @@ -96,7 +96,7 @@ A token is simply a JSON object that is signed by its author. this tells you exa * The author of the token was in the possession of the signing secret * The data has not been modified since it was signed -It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. JWE is currently outside the scope of this library. +It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. The companion project https://github.com/golang-jwt/jwe aims at a (very) experimental implementation of the JWE standard. ### Choosing a Signing Method @@ -110,10 +110,10 @@ Asymmetric signing methods, such as RSA, use different keys for signing and veri Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones: -* The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation -* The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation -* The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation -* The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation +* The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation +* The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation +* The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation +* The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation ### JWT and OAuth @@ -131,7 +131,7 @@ This library uses descriptive error messages whenever possible. If you are not g ## More -Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt). +Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v4). The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation. diff --git a/vendor/github.com/golang-jwt/jwt/v4/claims.go b/vendor/github.com/golang-jwt/jwt/v4/claims.go index 9d95cad2..364cec87 100644 --- a/vendor/github.com/golang-jwt/jwt/v4/claims.go +++ b/vendor/github.com/golang-jwt/jwt/v4/claims.go @@ -265,9 +265,5 @@ func verifyIss(iss string, cmp string, required bool) bool { if iss == "" { return !required } - if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 { - return true - } else { - return false - } + return subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 } diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go index 2f61a69d..c0a6f692 100644 --- a/vendor/github.com/golang-jwt/jwt/v4/parser.go +++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go @@ -42,6 +42,13 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) { return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) } +// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims +// interface. This provides default values which can be overridden and allows a caller to use their own type, rather +// than the default MapClaims implementation of Claims. +// +// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims), +// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the +// proper memory for it before passing in the overall claims, otherwise you might run into a panic. func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { token, parts, err := p.ParseUnverified(tokenString, claims) if err != nil { diff --git a/vendor/github.com/golang-jwt/jwt/v4/token.go b/vendor/github.com/golang-jwt/jwt/v4/token.go index 3cb0f3f0..71e909ea 100644 --- a/vendor/github.com/golang-jwt/jwt/v4/token.go +++ b/vendor/github.com/golang-jwt/jwt/v4/token.go @@ -99,6 +99,11 @@ func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token return NewParser(options...).Parse(tokenString, keyFunc) } +// ParseWithClaims is a shortcut for NewParser().ParseWithClaims(). +// +// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims), +// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the +// proper memory for it before passing in the overall claims, otherwise you might run into a panic. func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) { return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc) } diff --git a/vendor/modules.txt b/vendor/modules.txt index 631aa5fd..8039a42d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -259,7 +259,7 @@ github.com/gobuffalo/uuid # github.com/gofrs/uuid v3.2.0+incompatible ## explicit github.com/gofrs/uuid -# github.com/golang-jwt/jwt/v4 v4.4.2 +# github.com/golang-jwt/jwt/v4 v4.4.3 ## explicit; go 1.16 github.com/golang-jwt/jwt/v4 # github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da