Michael Fridman
cf43decf7c
Create SECURITY.md (#171)
2022-05-28 12:40:34 -04:00
Michael Fridman
4426925f0c
CI check for Go code formatting (#206)
...
Signed-off-by: jay-dee7 <jasdeepsingh.uppal@gmail.com>
Co-authored-by: jay-dee7 <jasdeepsingh.uppal@gmail.com>
2022-05-28 16:03:15 +02:00
Håvard Anda Estensen
f6c6299f67
chore: replace ioutil with io and os (#198)
2022-05-27 19:11:16 -04:00
Luigi Morel
89a6400b7f
add installation guidelines to the README file (#204)
2022-05-27 19:07:25 -04:00
Vladislav Polyakov
6e2ab4291f
docs: update link to pkg.go.dev page (#195)
2022-04-19 17:45:50 +02:00
Christian Banse
83478b3c8f
Added MicahParks/keyfunc to extensions (#194)
2022-04-18 22:01:59 +02:00
Michael Fridman
0972257eba
Revert "feat: port clockskew support (#139)" (#184)
...
This reverts commit d489c99d3e.
2022-03-26 10:13:03 -04:00
Michael Fridman
1096e506e6
Add go1.18 to ci pipeline (#173)
2022-03-18 07:15:45 -04:00
ksegun
d489c99d3e
feat: port clockskew support (#139)
...
Co-authored-by: Kolawole Segun <Kolawole.Segun@kyndryl.com>
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2022-03-08 08:43:46 +01:00
ydylla
6de17d3b3e
fix: expired token error message (#165)
2022-02-15 08:31:33 -05:00
Michael Fridman
279dd19720
Set json encoding precision (#162)
2022-02-09 21:54:31 -05:00
Giau. Tran Minh
863d23d08a
fix: fixed typo detect by cSpell (#164)
2022-02-09 13:14:42 -03:00
Michael Fridman
2387103809
Add JWT logo image attribution (#161)
2022-02-08 22:35:49 -05:00
Máté Lang
d0c0939ff8
updated README.md to contain more extensions (#155)
...
* updated README.md to contain more extensions
* Update README.md
Co-authored-by: Luis Gabriel Gomez <lggomez@users.noreply.github.com>
Co-authored-by: Luis Gabriel Gomez <lggomez@users.noreply.github.com>
2022-02-03 08:49:22 -03:00
hyeonjae
e01ed05a31
remove unnecessary for loop in token signing string for readability (#34)
...
* remove unnecessary for loop in token signing string for readability
- add testcase
- add benchmark
- improve performance slightly
* Fix benchtests on token_test.go
* Update token_test.go to v4
Co-authored-by: hyeonjae <hyeonjae@ip-192-168-1-3.ap-northeast-2.compute.internal>
Co-authored-by: Luis Gabriel Gomez <lggomez@users.noreply.github.com>
2022-02-03 08:47:58 -03:00
Christian Banse
78a18c0808
Implementing `Is(err) bool` to support Go 1.13 style error checking (#136)
2022-01-19 22:55:19 +01:00
Stefan Tudose
0fb40d3824
use errors.Is for extractor errors (#141)
2021-12-15 12:50:05 +01:00
tfonfara
c435f38291
#129: Added VerifyIssuer method to RegisteredClaims (#130)
2021-11-24 14:27:41 +01:00
Alexander Yastrebov
a725c1f60c
cmd: list supported algorithms (-alg flag) (#123)
2021-11-16 09:00:45 -05:00
Kevin de Berk
823c014036
Unwrap for ValidationError (#125)
2021-11-15 09:25:32 -05:00
Alexander Yastrebov
1275a5b909
Allow `none` algorithm in jwt command (#121)
2021-11-10 07:33:04 +01:00
ajermaky
f4865cddea
Revert Encoding/Decoding changes for better compatibility (#117)
2021-11-06 07:21:20 -04:00
Alexander Yastrebov
9c3665f0fc
Fixes jwt command to support EdDSA algorithm (#118)
...
Fixes
```
$ echo '{"foo":"bar"}' | jwt -key test/ed25519-private.pem -alg EdDSA -sign -
Error: error signing token: key is of invalid type
```
Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2021-11-03 09:14:30 -04:00
PiotrKozimor
a2aa655627
Fix int64 overflow in newNumericDateFromSeconds (#112)
2021-10-26 21:14:01 -04:00
Sebastien Rosset
c0ffb890f3
Improve code comments, including security consideration (#107)
...
* improve code comments, including security consideration
* Add link to URL with details about security vulnerabilities.
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* update code comments
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-10-15 09:48:31 -03:00
Christian Banse
65357b9e5b
Introducing functional-style options for the Parser type (#108)
2021-10-13 19:36:33 +02:00
Ichinose Shogo
cac353cdc2
fix the comment of VerifyExpiresAt (#109)
2021-10-09 18:17:39 -03:00
Sebastien Rosset
fd8cd69d8e
Adjusted `parser_test.go` to include RSA and ECDSA tokens (#106)
2021-09-24 21:32:29 +02:00
Hinagiku Soranoba
02bc1ac506
When exp indicates the present, make it invalid. (#86)
...
* When exp indicates the present, make it invalid.
* Update map_claims_test.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-09-10 17:44:55 -04:00
Hyun
d2c5d5ab01
Add EdDSA to "Signing methods and Key types" in README.md (#103)
2021-09-10 20:30:13 +02:00
Yoan Blanc
205b3dc4bb
fix link (#102)
2021-09-10 08:27:13 -04:00
Michael Fridman
93130d3c71
Create codeql-analysis.yml (#101)
2021-09-09 10:42:26 -04:00
yoogo
3f50a786ff
Harmonising capitalisation of "token" in error strings (#97)
2021-08-29 20:45:24 +02:00
Mark Karpelès
2bd8ee77fc
Accept `crypto.Signer` that contains a `ed25519.PublicKey` in ed25519 (#95)
...
* accept generic crypto.Signer in ed25519 in order to allow usage of other ed25519 providers than crypto/ed25519
* add check to ensure the key is indeed of type ed25519
* adding comment clarifying crypto.Hash(0)
* Update ed25519.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-23 22:56:11 -03:00
Christian Banse
80625fb516
Backwards-compatible implementation of RFC7519's registered claim's structure (#15)
...
This PR aims at implementing compliance to RFC7519, as documented in #11 without breaking the public API. It creates a new struct `RegisteredClaims` and deprecates (but not removes) the `StandardClaims`. It introduces a new type `NumericDate`, which represents a JSON numeric date value as specified in the RFC. This allows us to handle float as well as int-based time fields in `aud`, `exp` and `nbf`. Additionally, it introduces the type `StringArray`, which is basically a wrapper around `[]string` to deal with the oddities of the JWT `aud` field.
2021-08-22 19:23:13 +02:00
Luis Gabriel Gomez
c9ab96ba53
jwt: Fix Verify methods documentation (#83)
2021-08-22 10:18:33 +02:00
Alexander F. Rødseth
eac9e9edf2
Format code with "go fmt" (#53)
2021-08-20 20:43:08 -03:00
Michael Fridman
a06361ba65
ci: add support for go1.17 (#89)
2021-08-17 10:05:04 +02:00
Zach Wasserman
bac80eaac8
Link to migration guide in README.md (#87)
2021-08-11 16:19:58 -03:00
Francois Lebel
85f0a979dd
Fix typo in note (#82)
2021-08-03 17:59:46 -03:00
Luis Gabriel Gomez
3258b3fca0
jwt: Add parser benchmarks (#70)
2021-08-03 17:57:36 -03:00
Christian Banse
bd2db2d4a2
Changing pkg.go.dev URL to github.com/golang-jwt/jwt/v4 (#77)
...
* Changing pkg.go.dev URL to https://pkg.go.dev/github.com/golang-jwt/jwt/v4
Otherwise, people will end up at the v3 release and might miss on clicking the small "there is a v4 hint" on pkg.go.dev
2021-08-03 19:41:00 +02:00
Michael Fridman
2ebb50f957
Adds go module support /v4 (#41)
...
Additionally, added `staticcheck` for basic static code analysis (#44)
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-03 15:51:01 +02:00
Christian Banse
4bbdd8ac62
Prepare release 3.2.2 (#42)
2021-07-30 16:54:04 -04:00
Sebastiaan van Stijn
8e9d9ebf6f
Fix security vulnerability (#40)
...
Fixes a security vulnerability where a jwt token could potentially be validated having invalid string characters.
(cherry picked from commit a211650c6ae1cff6d7347d3e24070d65dcfb1122)
https://github.com/form3tech-oss/jwt-go/pull/14
Co-Authored-By: Giorgos Lampadakis <82932062+giorgos-f3@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-30 22:27:54 +02:00
Vasiliy Tolstov
324836737f
add ed25519 support (#36)
...
Signed-off-by: Vasiliy Tolstov <v.tolstov@unistack.org>
2021-07-29 23:57:09 +02:00
Josh Kline
860640e886
Allocation optimization (#33)
...
* Test to ensure ECDSA signature is valid
Add assertions to ensure ECDSA signing methods return valid signatures.
This is probably covered elsewhere as well, but putting it in
ecdsa_test.go makes it more obvious and easier to find.
* Benchmark ECDSA signing methods
Add benchmark coverage of ECDSA signing methods.
Benchmarks are run using the existing helper for comparability with
existing benchmarks.
Sign method is also tested directly, to avoid the overhead of *Token.
Report allocations for all benchmarks.
Allocation count for ES384 and ES512 fluctuates across test runs,
other signing methods consistently report the same number of allocations.
Sample output:
```
$ go test -bench=Bench -run=NONE .
2021/02/26 18:18:30 Listening...
goos: darwin
goarch: amd64
pkg: github.com/dgrijalva/jwt-go
BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op
BenchmarkECDSASigning/Basic_ES384-8 1113 1252975 ns/op 1750744 B/op 14474 allocs/op
BenchmarkECDSASigning/Basic_ES384/sign-only-8 286 3937773 ns/op 1746175 B/op 14423 allocs/op
BenchmarkECDSASigning/Basic_ES512-8 662 1949937 ns/op 3028386 B/op 19608 allocs/op
BenchmarkECDSASigning/Basic_ES512/sign-only-8 170 6856189 ns/op 3025471 B/op 19571 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190638 6665 ns/op 4249 B/op 65 allocs/op
BenchmarkHS256Signing-8 1000000 1024 ns/op 1584 B/op 32 allocs/op
BenchmarkHS384Signing-8 917286 1447 ns/op 1969 B/op 32 allocs/op
BenchmarkHS512Signing-8 827744 1470 ns/op 2065 B/op 32 allocs/op
BenchmarkRS256Signing-8 3037 390077 ns/op 32576 B/op 136 allocs/op
BenchmarkRS384Signing-8 2976 379155 ns/op 32684 B/op 136 allocs/op
BenchmarkRS512Signing-8 3205 388628 ns/op 32704 B/op 136 allocs/op
```
* Reduce allocations during ECDSA signing
Reduce the number of byte arrays allocated by using big.Int.FillBytes
when calculating ECDSA signature.
After this change, Benchmarks of ES256 signing method consistently
report 4 fewer allocations.
Before:
```
BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op
```
After:
```
BenchmarkECDSASigning/Basic_ES256-8 187682 6725 ns/op 4121 B/op 61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 48656 24446 ns/op 3201 B/op 39 allocs/op
```
* Use base64.RawURLEncoding to avoid padding
JWT uses a non-padded base64 encoding.
Current code uses base64.URLEncoding to generate a padded string and
then removes the padding.
Likewise, current code adds padding before decoding.
Instead, use base64.RawURLEncoding which does not add or require the
padding in the first place.
In addition to making the code cleaner, this reduces memory allocations
as reported by benchmarks.
Before:
```
BenchmarkECDSASigning/Basic_ES256-8 191396 6917 ns/op 4121 B/op 61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 49347 25039 ns/op 3201 B/op 39 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190668 6586 ns/op 4121 B/op 61 allocs/op
BenchmarkHS256Signing-8 1260060 1131 ns/op 1585 B/op 32 allocs/op
BenchmarkHS384Signing-8 861378 1387 ns/op 1969 B/op 32 allocs/op
BenchmarkHS512Signing-8 896745 1463 ns/op 2065 B/op 32 allocs/op
BenchmarkRS256Signing-8 3086 355769 ns/op 32576 B/op 136 allocs/op
BenchmarkRS384Signing-8 3414 353570 ns/op 32694 B/op 136 allocs/op
BenchmarkRS512Signing-8 3235 349394 ns/op 32706 B/op 136 allocs/op
```
After:
```
BenchmarkECDSASigning/Basic_ES256-8 176617 6827 ns/op 4021 B/op 58 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 48038 24213 ns/op 3169 B/op 38 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 194352 6928 ns/op 4021 B/op 58 allocs/op
BenchmarkHS256Signing-8 1000000 1127 ns/op 1488 B/op 29 allocs/op
BenchmarkHS384Signing-8 972552 1369 ns/op 1873 B/op 29 allocs/op
BenchmarkHS512Signing-8 780751 1368 ns/op 1969 B/op 29 allocs/op
BenchmarkRS256Signing-8 3014 387326 ns/op 32475 B/op 133 allocs/op
BenchmarkRS384Signing-8 3044 361411 ns/op 32591 B/op 133 allocs/op
BenchmarkRS512Signing-8 3273 355504 ns/op 32607 B/op 133 allocs/op
```
Benchmarks of signing methods ES384 and ES512 are omitted because their
allocations are not consistent.
2021-07-13 08:31:42 +02:00
Amnon
3008b2bdea
remove support for Go <= 1.14 (#28)
...
* remove support for Go <= 1.14
* Add a note to README.md about supported Go versions.
* remove travis build as requested by @oxisto
* fix my spelling mistakes pointed out by @oxisto
* fix another spelling
* remove reference to specific Go versions
2021-06-22 12:49:56 -04:00
Christian Banse
5130b59fa7
Update VERSION_HISTORY.md and MIGRATION_GUIDE.md (#27)
...
* Update VERSION_HISTORY.md
* Updated README and migration
* Added replacement command
2021-06-08 14:18:15 +02:00
Christian Banse
8a7d546bae
Removing `go.mod` for v3 releases (#26)
...
* Removing `go.mod` for the v3-release branch
As discussed in full length here (#17), we have run into issues that force us to abandon go modules, at least for the `v3.x.x` releases. After this is merged in, we can release a `v3.2.1+incompatible` version, which contains a security fix.
Afterwards, we will work on non-breaking quality of life fixes and then eventually run a `v4` version, which most likely will then support go modules and have a new SIV-style import path.
* Cloning into $GOPATH for GitHub actions
2021-06-04 16:47:42 +02:00