Merge pull request #66 from portward/update-jwt

feat: update jwt library
portward · Nov 10, 2024 · 47b728c · 47b728c
2 parents 8eca5a9 + 4a94707
commit 47b728c
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 8 deletions.
diff --git a/auth/token/jwt/access.go b/auth/token/jwt/access.go
@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/docker/libtrust"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/jonboulle/clockwork"
 
 	"github.com/portward/registry-auth/auth"

diff --git a/auth/token/jwt/jwt.go b/auth/token/jwt/jwt.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	"github.com/docker/libtrust"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 func detectSigningMethod(signingKey libtrust.PrivateKey) (jwt.SigningMethod, error) {

diff --git a/auth/token/jwt/refresh.go b/auth/token/jwt/refresh.go
@@ -2,9 +2,10 @@ package jwt
 
 import (
 	"context"
+	"time"
 
 	"github.com/docker/libtrust"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/jonboulle/clockwork"
 
 	"github.com/portward/registry-auth/auth"
@@ -79,8 +80,16 @@ func (i RefreshTokenIssuer) VerifyRefreshToken(_ context.Context, service string
 		// TODO: return error?
 	}
 
-	claims.VerifyAudience(service, true)
-	claims.VerifyIssuer(i.issuer, true)
+	validator := jwt.NewValidator(
+		jwt.WithLeeway(5*time.Second),
+		jwt.WithAudience(service),
+		jwt.WithIssuer(i.issuer),
+	)
+
+	err = validator.Validate(claims)
+	if err != nil {
+		return nil, err
+	}
 
 	return auth.SubjectIDFromString(claims.Subject), nil
 }
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.21.0
 require (
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
 	github.com/gofrs/uuid v4.4.0+incompatible
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/gorilla/schema v1.4.1
 	github.com/jonboulle/clockwork v0.4.0
 	github.com/stretchr/testify v1.9.0

diff --git a/go.sum b/go.sum
@@ -5,8 +5,8 @@ github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
 github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
 github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=