* improve code comments, including security consideration
* Add link to URL with details about security vulnerabilities.
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* Update token.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* update code comments
Co-authored-by: Christian Banse <oxisto@aybaze.com>
* accept generic crypto.Signer in ed25519 in order to allow usage of other ed25519 providers than crypto/ed25519
* add check to ensure the key is indeed of type ed25519
* adding comment clarifying crypto.Hash(0)
* Update ed25519.go
Co-authored-by: Christian Banse <oxisto@aybaze.com>
This PR aims at implementing compliance with RFC7519, as documented in #11, without breaking the public API. It creates a new struct `RegisteredClaims` and deprecates (but does not remove) the `StandardClaims`. It introduces a new type `NumericDate`, which represents a JSON numeric date value as specified in the RFC. This allows us to handle float as well as int-based time fields in `aud`, `exp` and `nbf`. Additionally, it introduces the type `StringArray`, which is basically a wrapper around `[]string` to deal with the oddities of the JWT `aud` field.
* Changing pkg.go.dev URL to https://pkg.go.dev/github.com/golang-jwt/jwt/v4
Otherwise, people will end up at the v3 release and might miss clicking the small "there is a v4" hint on pkg.go.dev
Fixes a security vulnerability where a jwt token could potentially be validated having invalid string characters.
(cherry picked from commit a211650c6ae1cff6d7347d3e24070d65dcfb1122)
https://github.com/form3tech-oss/jwt-go/pull/14
Co-Authored-By: Giorgos Lampadakis <82932062+giorgos-f3@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* remove support for Go <= 1.14
* Add a note to README.md about supported Go versions.
* remove travis build as requested by @oxisto
* fix my spelling mistakes pointed out by @oxisto
* fix another spelling
* remove reference to specific Go versions
* Removing `go.mod` for the v3-release branch
As discussed in full length here (#17), we have run into issues that force us to abandon go modules, at least for the `v3.x.x` releases. After this is merged in, we can release a `v3.2.1+incompatible` version, which contains a security fix.
Afterwards, we will work on non-breaking quality of life fixes and then eventually run a `v4` version, which most likely will then support go modules and have a new SIV-style import path.
* Cloning into $GOPATH for GitHub actions
* Fix issue with MapClaims VerifyAudience []string
There was an issue in MapClaims's VerifyAudience where a []string (which
is valid in the spec) would return true (claim is found, or nil) when required
was not set.
It now checks interface types correctly and has tests written
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
* Keep aud validation constant time compare
Keep aud validation using constant time compare by not instantly
returning on a true comparison, keep comparing all options and store
result in a variable
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
Co-authored-by: Banse, Christian <christian.banse@aisec.fraunhofer.de>
* initial go module file
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* fix linting issues
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* rename module to golang-jwt/jwt
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Renamed imports to match with go module name.
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* update travis for latest go versions
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Set go version to 1.14
lowered the go version to make it consistent with matrix build
* revert accidental changes while renaming
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* remove travis CI
no longer needed since github actions workflow was created for the
project
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Revert "remove travis CI"
This reverts commit b3ae57f710.
* update travis for older go versions
* Providing full test matrix
* Only testing Go version with module support on GitHub actions
* Only testing legacy versions on travis. Will be deprecated in time
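
The audience check described in the two `aud` commits above ("Fix issue with MapClaims VerifyAudience []string" and "Keep aud validation constant time compare"), as an added Go example that is not the project's own code. The names `audList` and `verifyAud` are hypothetical, the payloads are constructed, and rejecting non-string `aud` values even when the claim is not required is an assumption of this sketch.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// audList normalises a decoded "aud" claim (absent, string, or array of strings).
func audList(raw interface{}) (out []string, ok bool) {
	switch v := raw.(type) {
	case nil:
		return nil, true
	case string:
		return []string{v}, true
	case []interface{}: // how encoding/json decodes a JSON array
		for _, e := range v {
			s, isStr := e.(string)
			if !isStr {
				return nil, false // non-string entry: reject the claim
			}
			out = append(out, s)
		}
		return out, true
	}
	return nil, false // any other JSON type is rejected rather than ignored
}

// verifyAud compares want against every entry (no early return) and ORs the results.
func verifyAud(payload, want string, required bool) bool {
	var claims map[string]interface{}
	err := json.Unmarshal([]byte(payload), &claims)
	aud, ok := audList(claims["aud"])
	if err != nil || !ok {
		return false
	}
	if len(aud) == 0 {
		return !required // no audience present: fine only when not required
	}
	match := 0
	for _, a := range aud {
		match |= subtle.ConstantTimeCompare([]byte(a), []byte(want))
	}
	return match == 1
}

func main() {
	fmt.Println(verifyAud(`{"aud":["api.example","b.example"]}`, "api.example", true)) // constructed payload
}
```

`subtle.ConstantTimeCompare` returns 0 immediately when the two lengths differ, so only the content of equal-length values is compared in constant time.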