fix: jwks validation using the wrong type (#286)

* fix: jwks validation using the wrong type refs #281 Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore: var name --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
charmbracelet · Jun 11, 2024 · 2785ee1 · 2785ee1
1 parent f74c905
commit 2785ee1
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 11 deletions.
diff --git a/go.mod b/go.mod
@@ -14,7 +14,6 @@ require (
 	github.com/charmbracelet/ssh v0.0.0-20221117183211-483d43d97103
 	github.com/charmbracelet/wish v1.1.1
 	github.com/dgraph-io/badger/v3 v3.2103.2
-	github.com/go-jose/go-jose v2.6.2+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/uuid v1.3.0
 	github.com/jacobsa/crypto v0.0.0-20190317225127-9f44e2d11115
@@ -32,6 +31,7 @@ require (
 	goji.io v2.0.2+incompatible
 	golang.org/x/crypto v0.21.0
 	golang.org/x/sync v0.6.0
+	gopkg.in/go-jose/go-jose.v2 v2.6.2
 	modernc.org/sqlite v1.29.2
 )
 
@@ -83,7 +83,6 @@ require (
 	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.2 // indirect
 	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
 	modernc.org/libc v1.41.0 // indirect
 	modernc.org/mathutil v1.6.0 // indirect

diff --git a/go.sum b/go.sum
@@ -139,8 +139,6 @@ github.com/go-git/go-git/v5 v5.6.1/go.mod h1:mvyoL6Unz0PiTQrGQfSfiLFhBH1c1e84ylC
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose v2.6.2+incompatible h1:X6pNb5PAs58olW3wThjNqIEh3CfyV+21e/cW+wQrwBU=
-github.com/go-jose/go-jose v2.6.2+incompatible/go.mod h1:coBhWG9DQz8V/JlBMg3LkUGnarUaxjQlWQUUv9Cv7tw=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=

diff --git a/server/http.go b/server/http.go
@@ -19,12 +19,12 @@ import (
 	charm "github.com/charmbracelet/charm/proto"
 	"github.com/charmbracelet/charm/server/db"
 	"github.com/charmbracelet/charm/server/storage"
-	"github.com/go-jose/go-jose"
 	"github.com/meowgorithm/babylogger"
 	"goji.io"
 	"goji.io/pat"
 	"goji.io/pattern"
 	"golang.org/x/sync/errgroup"
+	"gopkg.in/go-jose/go-jose.v2"
 )
 
 const resultsPerPage = 50

diff --git a/server/jwk.go b/server/jwk.go
@@ -5,7 +5,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 
-	jose "github.com/go-jose/go-jose"
+	"gopkg.in/go-jose/go-jose.v2"
 )
 
 // JSONWebKeyPair holds the ED25519 private key and JSON Web Key used in JWT

diff --git a/server/middleware.go b/server/middleware.go
@@ -2,12 +2,12 @@ package server
 
 import (
 	"context"
-	"crypto"
 	"fmt"
 	"net/http"
 	"strings"
 
 	"github.com/charmbracelet/log"
+	"gopkg.in/go-jose/go-jose.v2"
 
 	jwtmiddleware "github.com/auth0/go-jwt-middleware/v2"
 	"github.com/auth0/go-jwt-middleware/v2/validator"
@@ -65,7 +65,7 @@ func PublicPrefixesMiddleware(prefixes []string) func(http.Handler) http.Handler
 
 // JWTMiddleware creates a new middleware function that will validate JWT
 // tokens based on the supplied public key.
-func JWTMiddleware(pk crypto.PublicKey, iss string, aud []string) (func(http.Handler) http.Handler, error) {
+func JWTMiddleware(pk jose.JSONWebKey, iss string, aud []string) (func(http.Handler) http.Handler, error) {
 	jm, err := jwtMiddlewareImpl(pk, iss, aud)
 	if err != nil {
 		return nil, err
@@ -134,9 +134,12 @@ func charmIDFromRequest(r *http.Request) (string, error) {
 	return sub, nil
 }
 
-func jwtMiddlewareImpl(pk crypto.PublicKey, iss string, aud []string) (func(http.Handler) http.Handler, error) {
-	kf := func(ctx context.Context) (interface{}, error) {
-		return pk, nil
+func jwtMiddlewareImpl(pk jose.JSONWebKey, iss string, aud []string) (func(http.Handler) http.Handler, error) {
+	kf := func(context.Context) (interface{}, error) {
+		jwks := jose.JSONWebKeySet{
+			Keys: []jose.JSONWebKey{pk},
+		}
+		return &jwks, nil
 	}
 	v, err := validator.New(
 		kf,