Commit Graph

433 Commits

Author SHA1 Message Date
dependabot[bot] 9980931f80
Bump github/codeql-action from 2 to 3 (#369) 2023-12-19 19:35:01 -05:00
dependabot[bot] 8ab6606c2f
Bump actions/setup-go from 4 to 5 (#365)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-11 11:42:49 +01:00
John Barham b27c88965d
Update MIGRATION_GUIDE.md (#363)
Use correct path for v4 migration
2023-11-24 08:36:09 +01:00
Laurin-Notemann b05644bf94
Improve ErrInvalidKeyType error messages (#361)
* Improve ErrInvalidKeyType error message

* add specific expected type to error message

* fix ErrInvalidKey error to ErrInvalidKeyType in rsa and rsapss

* format

* revert changes from example_test.go remove the comments

* fix: update the signing names to uppercase
2023-11-17 19:45:07 +01:00
Christian Banse a49fa5d91d
Exported `NewValidator` (#349)
* Exported `NewValidator`

Previously, we had `newValidator` as a private function. This PR exports this function so that validation can be done independently of parsing the claim.
2023-11-08 14:21:44 +01:00
Craig Pastro c776b83291
Add error handling to examples (#312) 2023-10-09 21:31:36 +02:00
Tarek Sharafi 908d356713
feat: allow making exp claim required (#351) 2023-10-09 19:58:20 +02:00
Mike Fridman 0cb4fa15e3 docs: fix comment in KeyFunc 2023-09-13 09:39:26 -04:00
Ed Pelc c80de55abe
Add explicit ClaimsValidator implementation check for custom claims (#343)
* Add explicit ClaimsValidator implementation check for custom claims

Prevent user from misnaming or fat fingering the Validate() method implementation.

* Update example_test.go

---------

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2023-09-13 15:34:54 +02:00
Michael Fridman 1e76606719
Key rotation with VerificationKeySet (#344) 2023-09-12 21:29:27 -04:00
dependabot[bot] 1691aa9e6f
Bump actions/checkout from 3 to 4 (#346)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-11 12:07:39 +02:00
Michael Fridman 27ff2f3868
Update ci workflows (add go1.21) (#345) 2023-09-09 18:22:02 -04:00
Eduardo Haesbaert 6879d2cf1f
Update ParseUnverified godoc (#341) 2023-08-22 14:26:47 -04:00
Craig Pastro 78e25d6b09
Avoid use of json.NewDecoder (#313)
* Avoid use of json.NewDecoder

Avoid use of json.NewDecoder if not needed.

Resolves #303
2023-08-15 17:06:50 +02:00
Oleksandr Redko 8aa5d6cef8
Refactor to use strings.EqualFold (#329) 2023-08-03 11:27:46 -04:00
Oleksandr Redko fc86f52277
Refactor by removing unnecessary []byte conversion to string (#330) 2023-08-03 11:26:45 -04:00
Dcalsky 8b7470d561
perf: quick way to validate token string (#302) 2023-07-20 21:35:04 +02:00
Oleksandr Redko 873d96d0a0
Refactor code by using switch instead of if-else (#318) 2023-07-18 08:44:48 +02:00
Oleksandr Redko f53600aa9f
Refactor example: use io.ReadAll instead of io.Copy (#320) 2023-07-18 08:42:22 +02:00
Oleksandr Redko b2b650971a
Reformat code: add whitespaces, remove empty lines (#319) 2023-06-21 12:39:55 +02:00
Oleksandr Redko 33d62b4dae
Fix typos in comments and test names (#317) 2023-06-13 15:12:40 +02:00
Christian Banse 0da169122f
Using jwt's native `ErrInvalidType` instead of `json.UnsupportedTypeError` (#316)
Previously, when parsing claim values, we used `json.UnsupportedTypeError` to denote if a claim string value is not of the correct type. However, this could lead to panics if a nil value is present and the `Error` function of the `json.UnsupportedTypeError` is called, which does not check for nil types.

Instead, we just now use `ErrInvalidType` similar to the map claims.

Fixes #315
2023-06-09 14:54:51 +02:00
Tom Anderson 5e00fbc8e7
enable jwt.ParsePublicKeyFromPEM to parse PKCS1 Public Key (#120) 2023-04-17 18:59:03 +02:00
Christian Banse 6c9126f9c6
Last Documentation cleanups for `v5` release (#291)
* Updated MIGRATION_GUIDE.md after changes to Token and Parser

* Updated doc

* Cleanup of README and refer to project page

* Update MIGRATION_GUIDE.md

Co-authored-by: Michael Fridman <mf192@icloud.com>

* Wrapping markdown files at 80

---------

Co-authored-by: Michael Fridman <mf192@icloud.com>
2023-04-10 10:33:52 +02:00
Christian Banse 5ea71e36a0
Added coverage reporting (#304)
Co-authored-by: Michael Fridman <mf192@icloud.com>
2023-04-10 10:23:00 +02:00
dependabot[bot] b88a60f2d7
Bump actions/setup-go from 3 to 4 (#300)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-31 13:29:59 +02:00
dependabot[bot] 7342a71265
Bump actions/checkout from 2 to 3 (#299)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-31 13:29:34 +02:00
Christian Banse 8cde7faf81
Added dependabot updates for GitHub actions (#298) 2023-03-31 13:26:46 +02:00
Michael Fridman 15f96b0627
Add golangci-lint (#279)
* Add golangci-lint-action

* Upgrading CodeQL to v2

* Fixed linting errors

---------

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2023-03-31 13:20:59 +02:00
dillonstreator 843e9bfe4d
add documentation to hmac `Verify` & `Sign` to detail why string is not an advisable input for key (#249)
* add documentation around Verify & Sign to detail why string is not an advisable input for key

* Refer to the usage guide

---------

Co-authored-by: Dillon Streator <dillonstreator@Dillons-2nd-MacBook-Pro.local>
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2023-03-31 13:19:48 +02:00
Christian Banse 1c4047f488
Adjusting the error checking example (#270)
This PR adjusts the error checking example so that a check for an invalid signature is also included.

See discussion in #143
2023-03-24 23:11:38 +01:00
Christian Banse b357385d3e
Moving `DecodeSegment` to `Parser` (#278)
* Moving `DecodeSegment` to `Parser`

This would allow us to remove some global variables and move them to parser options as well as potentially introduce interfaces for json and b64 encoding/decoding to replace the std lib, if someone wanted to do that for performance reasons.

We keep the functions exported because of explicit user demand.

* Sign/Verify does take the decoded form now
2023-03-24 19:13:09 +01:00
Liam Newman c6ec5a22b4
Update MIGRATION_GUIDE.md (#289)
* Update MIGRATION_GUIDE.md

Saw one typo, spent a few minutes improving a few paragraphs.
2023-03-24 19:10:52 +01:00
Mones Zarrugh 0d2f0d4809
remove string slice and strings.join (#115) 2023-02-21 21:28:00 -05:00
Christian Banse 148d710109
`v5` Pre-Release (#234)
Co-authored-by: Micah Parks <66095735+MicahParks@users.noreply.github.com>
Co-authored-by: Michael Fridman <mf192@icloud.com>
2023-02-21 14:32:25 +01:00
Christian Banse 4fd5621d8d
Added GitHub Actions Markdown (#260) 2023-02-19 14:01:18 +01:00
Alexander Yastrebov 9358574a7a
Allow strict base64 decoding (#259)
By default, the base64 decoder works in non-strict mode, which
allows tweaking signatures having padding without failing validation.

This creates a potential problem if an application treats the token value as an identifier.

For example, an ES256 signature has a length of 64 bytes and two padding symbols (stripped by default).
Therefore its base64-encoded value can only end with A, Q, g and w.
In non-strict mode, the last symbol could be tweaked, resulting in 16 distinct
token values having the same signature and passing validation.

This change adds a backward-compatible global config variable DecodeStrict
(similar to the existing DecodePaddingAllowed) that enables strict base64 decoder mode.

See also https://github.com/golang/go/issues/15656.

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2022-12-09 18:04:03 +01:00
Christian Banse 2f0984a28b
Using `tparse` for nicer CI test display (#251) 2022-11-29 10:00:41 -05:00
Christian Banse 2101c1f4bc
No pointer embedding in the example (#255)
Fixes #223
2022-11-08 15:43:45 +01:00
Krouton 35053d4e20
Removed unneeded if statement (#241) 2022-10-15 14:38:07 +02:00
Jacob Kopczynski 0c4e387985
Add doc comment to ParseWithClaims (#232) 2022-09-26 10:01:52 -04:00
Christian Banse bfea432b1a
Include https://github.com/golang-jwt/jwe in README (#229) 2022-08-20 17:04:58 +02:00
Michael Fridman d81acbf7f3
Bump matrix to support latest go version (go1.19) (#231)
* Bump matrix to support latest go version (go1.19)

* Fix comment
2022-08-20 16:53:04 +02:00
Hugo fdaf0eb0e0
Implement a BearerExtractor (#226)
* Implement a BearerExtractor

This is a rather common extractor; it extracts the JWT from the HTTP
Authorization header, expecting it to include the "Bearer " prefix.

This pattern is rather common and this snippet is repeated in enough
applications that it's probably best to just include it upstream and
allow reusing it.

* Ignore case-sensitivity for "Bearer"
2022-08-19 13:59:36 +02:00
KroKite f2878bb94b
fix: link update for README.md for v4 (#217)
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2022-08-15 12:45:52 +02:00
George Kechagias 9294af54b5
chore: remove unused claims in RSA table driven test (#212) 2022-06-04 08:03:41 -04:00
Qian Qiao 2da0bf7566
Fixed integer overflow in NumericDate.MarshalJSON (#200) 2022-06-03 22:13:34 -04:00
Christian Banse 8fb42696ff
Update SECURITY.md (#207) 2022-05-28 21:53:11 +02:00
Michael Fridman cf43decf7c
Create SECURITY.md (#171) 2022-05-28 12:40:34 -04:00
Michael Fridman 4426925f0c
CI check for Go code formatting (#206)
Signed-off-by: jay-dee7 <jasdeepsingh.uppal@gmail.com>
Co-authored-by: jay-dee7 <jasdeepsingh.uppal@gmail.com>
2022-05-28 16:03:15 +02:00