This commit serves as the basis for further `v5` developments. It will introduce some API-breaking changes, especially to the way tokens are validated. This will allow us to provide some long-wanted features with regards to the validation API. We are aiming to do this as smoothly as possible, however, with any major version. please expect that you might need to adapt your code.
The actual development will be done in the course of the next week, if time permits. It will be done in seperate PRs that will use this PR as a base. Afterwards, we will probably merge this and release an initial 5.0.0-alpha1 or similar.
* Implement a BearerExtractor
This is a rather common extractor; it extracts the JWT from the HTTP
Authorization header, expecting it to include the "Bearer " prefix.
This patterns is rather common and this snippet is repeated in enough
applications that it's probably best to just include it upstream and
allow reusing it.
* Ignore case-sensitivity for "Bearer"
* updated README.md to contain more extensions
* Update README.md
Co-authored-by: Luis Gabriel Gomez <lggomez@users.noreply.github.com>
Co-authored-by: Luis Gabriel Gomez <lggomez@users.noreply.github.com>
* improve code comments, including security consideration
* Add link to URL with details about security vulnerabilities.
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* update code comments
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* accept generic crypto.Signer in ed25519 in order to allow usage of other ed25519 providers than crypto/ed25519
* add check to ensure the key is indeed of type ed25519
* adding comment clarifying crypto.Hash(0)
* Update ed25519.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
This PR aims at implementing compliance to RFC7519, as documented in #11 without breaking the public API. It creates a new struct `RegisteredClaims` and deprecates (but not removes) the `StandardClaims`. It introduces a new type `NumericDate`, which represents a JSON numeric date value as specified in the RFC. This allows us to handle float as well as int-based time fields in `aud`, `exp` and `nbf`. Additionally, it introduces the type `StringArray`, which is basically a wrapper around `[]string` to deal with the oddities of the JWT `aud` field.
* Changing pkg.go.dev URL to https://pkg.go.dev/github.com/golang-jwt/jwt/v4
Otherwise, people will end up at the v3 release and might miss on clicking the small "there is a v4 hint" on pkg.go.dev
Christian Banse