Skip to content

Upgrade to the v4 release of golang-jwt#2122

Closed
abscondment wants to merge 1 commit intolabstack:masterfrom
abscondment:abscondment/jwt-v4
Closed

Upgrade to the v4 release of golang-jwt#2122
abscondment wants to merge 1 commit intolabstack:masterfrom
abscondment:abscondment/jwt-v4

Conversation

@abscondment
Copy link

@abscondment abscondment commented Mar 11, 2022

There have been a bunch of improvements to the jwt dependency.

According to the golang-jwt/jwt Releases, "any future /v4 work is intended to be backwards-compatible with existing v3.x.y tags."

This appears to be true; all tests pass for recent versions.

bribera@flask:~/code/foss/echo 👻 $ git status
On branch abscondment/jwt-v4
Your branch is up to date with 'abscondment/abscondment/jwt-v4'.

nothing to commit, working tree clean
bribera@flask:~/code/foss/echo 👻 $ git log -1
commit 130b4572b5bd24e75c8657d2699c04cf858c0bd6 (HEAD -> abscondment/jwt-v4, abscondment/abscondment/jwt-v4)
Author: Brendan Ribera <bribera@axon.com>
Date:   Wed Mar 9 11:16:37 2022 -0800

    Upgrade to the v4 release of golang-jwt
    
    According to the [4.0.0 Version History](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md#400),
    the v4 version is backwards compatible with v3.x
bribera@flask:~/code/foss/echo 👻 $ go version
go version go1.17.6 linux/amd64
bribera@flask:~/code/foss/echo 👻 $ go clean -testcache
bribera@flask:~/code/foss/echo 👻 $ make test
ok  	github.com/labstack/echo/v4	0.206s
ok  	github.com/labstack/echo/v4/middleware	0.093s
bribera@flask:~/code/foss/echo 👻 $ make race
ok  	github.com/labstack/echo/v4	0.484s
ok  	github.com/labstack/echo/v4/middleware	0.610s
bribera@flask:~/code/foss/echo 👻 $ make test_version
Unable to find image 'golang:1.15' locally
1.15: Pulling from library/golang
[... snip ...]
ok  	github.com/labstack/echo/v4	1.928s
ok  	github.com/labstack/echo/v4/middleware	0.672s
bribera@flask:~/code/foss/echo 👻 $ make test_version goversion=1.14
Unable to find image 'golang:1.14' locally
1.14: Pulling from library/golang
[...]
ok  	github.com/labstack/echo/v4	0.451s
ok  	github.com/labstack/echo/v4/middleware	0.740s

I noted that make test_version fail for go1.9.7 and go1.10.3 on the master branch, so I omitted them from my testing:

bribera@flask:~/code/foss/echo 👻 $ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
bribera@flask:~/code/foss/echo 👻 $ git log -1
commit 5ebed440aeec1abf7f08cca41cb02f6aaf0d7f6a (HEAD -> master, tag: v4.7.0, origin/master, origin/HEAD)
Author: Roland Lammel <rl@neotel.at>
Date:   Wed Mar 2 23:16:19 2022 +0100

    Update version to v4.7.0
bribera@flask:~/code/foss/echo 👻 $ make test_version goversion=1.9.7
warning: "github.com/labstack/echo/..." matched no packages
# golang.org/x/tools/internal/typeparams
/go/src/golang.org/x/tools/internal/typeparams/normalize.go:162:17: u.EmbeddedType undefined (type *types.Interface has no field or method EmbeddedType)
Makefile:12: recipe for target 'init' failed
make: *** [init] Error 2
make: *** [Makefile:34: test_version] Error 2
bribera@flask:~/code/foss/echo 👻 $ make test_version goversion=1.10.3
warning: "github.com/labstack/echo/..." matched no packages
# golang.org/x/tools/internal/typeparams
/go/src/golang.org/x/tools/internal/typeparams/normalize.go:162:17: u.EmbeddedType undefined (type *types.Interface has no field or method EmbeddedType)
Makefile:12: recipe for target 'init' failed
make: *** [init] Error 2
make: *** [Makefile:34: test_version] Error 2

@abscondment
Upgrade to the v4 release of golang-jwt
130b457 
According to the [4.0.0 Version History](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md#400),
the v4 version is backwards compatible with v3.x
@aldas
Copy link
Contributor

aldas commented Mar 12, 2022

This would be breaking change. This will come with v5

Changing to v4 would break casts in handlers that people (unaware of upgrade) are using when getting token value from context store. If golang-jwt/v4 is really needed please see workarounds for it:

import (
"github.com/golang-jwt/jwt/v4"
)

...
...
...

signingKey := []byte("secret")

config := middleware.JWTConfig{
  TokenLookup: "query:token",
  ParseTokenFunc: func(auth string, c echo.Context) (interface{}, error) {
    keyFunc := func(t *jwt.Token) (interface{}, error) {
      if t.Method.Alg() != "HS256" {
        return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
      }
      return signingKey, nil
    }

    // claims are of type `jwt.MapClaims` when token is created with `jwt.Parse`
    token, err := jwt.Parse(auth, keyFunc)
    if err != nil {
      return nil, err
    }
    if !token.Valid {
      return nil, errors.New("invalid token")
    }
    return token, nil
  },
}

e.Use(middleware.JWTWithConfig(config))

@abscondment
Copy link
Author

abscondment commented Mar 12, 2022

Makes sense, @aldas - thanks for the response. I thought I'd done a thorough search for this change in closed PRs, but I guess I missed it! We can wait for v5 :)

@aldas aldas mentioned this pull request Apr 11, 2022
Closed
This was referenced Oct 31, 2022
Closed
Closed
@aldas aldas mentioned this pull request Dec 27, 2022
Merged
@aldas
Copy link
Contributor

aldas commented Dec 27, 2022

For history sake. Release v4.10.0 marked JWT middleware as deprecated in core and recommends separate repository https://github.com/labstack/echo-jwt that uses newer version of github.com/golang-jwt/jwt

@aldas aldas mentioned this pull request Aug 4, 2024
Closed
@aldas aldas mentioned this pull request Nov 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@abscondment @aldas