fix repos

By default base64 decoder works in non-strict mode which
allows tweaking signatures having padding without failing validation.

This creates a potential problem if application treats token value as an identifier.

For example ES256 signature has length of 64 bytes and two padding symbols (stripped by default).
Therefore its base64-encoded value can only end with A, Q, g and w.
In non-strict mode last symbol could be tweaked resulting in 16 distinct
token values having the same signature and passing validation.

This change adds backward-compatible global config variable DecodeStrict
(similar to existing DecodePaddingAllowed) that enables strict base64 decoder mode.

See also https://github.com/golang/go/issues/15656.

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>

.github/workflows/build.yml

@@ -33,6 +33,8 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: "${{ matrix.go }}"
+          check-latest: true
+          cache: true
       - name: Check Go code formatting
         run: |
           if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then
@@ -42,6 +44,7 @@ jobs:
           fi
       - name: Build
         run: |
+          go install github.com/mfridman/tparse@latest
           go vet ./...
-          go test -v ./...
+          go test -v -race -count=1 -json -coverpkg=$(go list ./...) ./... | tparse -follow -notests
           go build ./...

MIGRATION_GUIDE.md

@@ -2,18 +2,18 @@
 
 Starting from [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0), the import path will be:
 
-    "github.com/golang-jwt/jwt/v5"
+    "git.internal/re/jwt/v4"
 
 The `/v4` version will be backwards compatible with existing `v3.x.y` tags in this repo, as well as 
 `github.com/dgrijalva/jwt-go`. For most users this should be a drop-in replacement, if you're having 
 troubles migrating, please open an issue.
 
-You can replace all occurrences of `github.com/dgrijalva/jwt-go` or `github.com/golang-jwt/jwt` with `github.com/golang-jwt/jwt/v5`, either manually or by using tools such as `sed` or `gofmt`.
+You can replace all occurrences of `github.com/dgrijalva/jwt-go` or `github.com/golang-jwt/jwt` with `git.internal/re/jwt/v4`, either manually or by using tools such as `sed` or `gofmt`.
 
 And then you'd typically run:
 
 ```
-go get github.com/golang-jwt/jwt/v5
+go get git.internal/re/jwt/v4
 go mod tidy
 ```
 

README.md

@@ -1,12 +1,12 @@
 # jwt-go
 
 [![build](https://github.com/golang-jwt/jwt/actions/workflows/build.yml/badge.svg)](https://github.com/golang-jwt/jwt/actions/workflows/build.yml)
-[![Go Reference](https://pkg.go.dev/badge/github.com/golang-jwt/jwt/v5.svg)](https://pkg.go.dev/github.com/golang-jwt/jwt/v5)
+[![Go Reference](https://pkg.go.dev/badge/git.internal/re/jwt/v4.svg)](https://pkg.go.dev/git.internal/re/jwt/v4)
 
 A [go](http://www.golang.org) (or 'golang' for search engine friendliness) implementation of [JSON Web Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
 
 Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0) this project adds Go module support, but maintains backwards compatibility with older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`.
-See the [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version v5.0.0 introduces major improvements to the validation of tokens, but is not entirely backwards compatible. 
+See the [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information.
 
 > After the original author of the library suggested migrating the maintenance of `jwt-go`, a dedicated team of open source maintainers decided to clone the existing library into this repository. See [dgrijalva/jwt-go#462](https://github.com/dgrijalva/jwt-go/issues/462) for a detailed discussion on this topic.
 
@@ -41,22 +41,22 @@ This library supports the parsing and verification as well as the generation and
 1. To install the jwt package, you first need to have [Go](https://go.dev/doc/install) installed, then you can use the command below to add `jwt-go` as a dependency in your Go program.
 
 ```sh
-go get -u github.com/golang-jwt/jwt/v5
+go get -u git.internal/re/jwt/v4
 ```
 
 2. Import it in your code:
 
 ```go
-import "github.com/golang-jwt/jwt/v5"
+import "git.internal/re/jwt/v4"
 ```
 
 ## Examples
 
-See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v5) for examples of usage:
+See [the project documentation](https://pkg.go.dev/git.internal/re/jwt/v4) for examples of usage:
 
-* [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-Parse-Hmac)
-* [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-New-Hmac)
-* [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#pkg-examples)
+* [Simple example of parsing and validating a token](https://pkg.go.dev/git.internal/re/jwt/v4#example-Parse-Hmac)
+* [Simple example of building and signing a token](https://pkg.go.dev/git.internal/re/jwt/v4#example-New-Hmac)
+* [Directory of Examples](https://pkg.go.dev/git.internal/re/jwt/v4#pkg-examples)
 
 ## Extensions
 
@@ -110,10 +110,10 @@ Asymmetric signing methods, such as RSA, use different keys for signing and veri
 
 Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones:
 
-* The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
-* The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
-* The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
-* The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v5#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation
+* The [HMAC signing method](https://pkg.go.dev/git.internal/re/jwt/v4#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
+* The [RSA signing method](https://pkg.go.dev/git.internal/re/jwt/v4#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
+* The [ECDSA signing method](https://pkg.go.dev/git.internal/re/jwt/v4#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
+* The [EdDSA signing method](https://pkg.go.dev/git.internal/re/jwt/v4#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation
 
 ### JWT and OAuth
 
@@ -131,7 +131,7 @@ This library uses descriptive error messages whenever possible. If you are not g
 
 ## More
 
-Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v5).
+Documentation can be found [on pkg.go.dev](https://pkg.go.dev/git.internal/re/jwt/v4).
 
 The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.
 

claims.go

@@ -1,16 +1,269 @@
 package jwt
 
-// Claims represent any form of a JWT Claims Set according to
-// https://datatracker.ietf.org/doc/html/rfc7519#section-4. In order to have a
-// common basis for validation, it is required that an implementation is able to
-// supply at least the claim names provided in
-// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1 namely `exp`,
-// `iat`, `nbf`, `iss` and `aud`.
+import (
+	"crypto/subtle"
+	"fmt"
+	"time"
+)
+
+// Claims must just have a Valid method that determines
+// if the token is invalid for any supported reason
 type Claims interface {
-	GetExpirationTime() (*NumericDate, error)
-	GetIssuedAt() (*NumericDate, error)
-	GetNotBefore() (*NumericDate, error)
-	GetIssuer() (string, error)
-	GetSubject() (string, error)
-	GetAudience() (ClaimStrings, error)
+	Valid() error
+}
+
+// RegisteredClaims are a structured version of the JWT Claims Set,
+// restricted to Registered Claim Names, as referenced at
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
+//
+// This type can be used on its own, but then additional private and
+// public claims embedded in the JWT will not be parsed. The typical usecase
+// therefore is to embedded this in a user-defined claim type.
+//
+// See examples for how to use this with your own claim types.
+type RegisteredClaims struct {
+	// the `iss` (Issuer) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
+	Issuer string `json:"iss,omitempty"`
+
+	// the `sub` (Subject) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
+	Subject string `json:"sub,omitempty"`
+
+	// the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
+	Audience ClaimStrings `json:"aud,omitempty"`
+
+	// the `exp` (Expiration Time) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
+	ExpiresAt *NumericDate `json:"exp,omitempty"`
+
+	// the `nbf` (Not Before) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
+	NotBefore *NumericDate `json:"nbf,omitempty"`
+
+	// the `iat` (Issued At) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
+	IssuedAt *NumericDate `json:"iat,omitempty"`
+
+	// the `jti` (JWT ID) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7
+	ID string `json:"jti,omitempty"`
+}
+
+// Valid validates time based claims "exp, iat, nbf".
+// There is no accounting for clock skew.
+// As well, if any of the above claims are not in the token, it will still
+// be considered a valid claim.
+func (c RegisteredClaims) Valid() error {
+	vErr := new(ValidationError)
+	now := TimeFunc()
+
+	// The claims below are optional, by default, so if they are set to the
+	// default value in Go, let's not fail the verification for them.
+	if !c.VerifyExpiresAt(now, false) {
+		delta := now.Sub(c.ExpiresAt.Time)
+		vErr.Inner = fmt.Errorf("%s by %s", ErrTokenExpired, delta)
+		vErr.Errors |= ValidationErrorExpired
+	}
+
+	if !c.VerifyIssuedAt(now, false) {
+		vErr.Inner = ErrTokenUsedBeforeIssued
+		vErr.Errors |= ValidationErrorIssuedAt
+	}
+
+	if !c.VerifyNotBefore(now, false) {
+		vErr.Inner = ErrTokenNotValidYet
+		vErr.Errors |= ValidationErrorNotValidYet
+	}
+
+	if vErr.valid() {
+		return nil
+	}
+
+	return vErr
+}
+
+// VerifyAudience compares the aud claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *RegisteredClaims) VerifyAudience(cmp string, req bool) bool {
+	return verifyAud(c.Audience, cmp, req)
+}
+
+// VerifyExpiresAt compares the exp claim against cmp (cmp < exp).
+// If req is false, it will return true, if exp is unset.
+func (c *RegisteredClaims) VerifyExpiresAt(cmp time.Time, req bool) bool {
+	if c.ExpiresAt == nil {
+		return verifyExp(nil, cmp, req)
+	}
+
+	return verifyExp(&c.ExpiresAt.Time, cmp, req)
+}
+
+// VerifyIssuedAt compares the iat claim against cmp (cmp >= iat).
+// If req is false, it will return true, if iat is unset.
+func (c *RegisteredClaims) VerifyIssuedAt(cmp time.Time, req bool) bool {
+	if c.IssuedAt == nil {
+		return verifyIat(nil, cmp, req)
+	}
+
+	return verifyIat(&c.IssuedAt.Time, cmp, req)
+}
+
+// VerifyNotBefore compares the nbf claim against cmp (cmp >= nbf).
+// If req is false, it will return true, if nbf is unset.
+func (c *RegisteredClaims) VerifyNotBefore(cmp time.Time, req bool) bool {
+	if c.NotBefore == nil {
+		return verifyNbf(nil, cmp, req)
+	}
+
+	return verifyNbf(&c.NotBefore.Time, cmp, req)
+}
+
+// VerifyIssuer compares the iss claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *RegisteredClaims) VerifyIssuer(cmp string, req bool) bool {
+	return verifyIss(c.Issuer, cmp, req)
+}
+
+// StandardClaims are a structured version of the JWT Claims Set, as referenced at
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4. They do not follow the
+// specification exactly, since they were based on an earlier draft of the
+// specification and not updated. The main difference is that they only
+// support integer-based date fields and singular audiences. This might lead to
+// incompatibilities with other JWT implementations. The use of this is discouraged, instead
+// the newer RegisteredClaims struct should be used.
+//
+// Deprecated: Use RegisteredClaims instead for a forward-compatible way to access registered claims in a struct.
+type StandardClaims struct {
+	Audience  string `json:"aud,omitempty"`
+	ExpiresAt int64  `json:"exp,omitempty"`
+	Id        string `json:"jti,omitempty"`
+	IssuedAt  int64  `json:"iat,omitempty"`
+	Issuer    string `json:"iss,omitempty"`
+	NotBefore int64  `json:"nbf,omitempty"`
+	Subject   string `json:"sub,omitempty"`
+}
+
+// Valid validates time based claims "exp, iat, nbf". There is no accounting for clock skew.
+// As well, if any of the above claims are not in the token, it will still
+// be considered a valid claim.
+func (c StandardClaims) Valid() error {
+	vErr := new(ValidationError)
+	now := TimeFunc().Unix()
+
+	// The claims below are optional, by default, so if they are set to the
+	// default value in Go, let's not fail the verification for them.
+	if !c.VerifyExpiresAt(now, false) {
+		delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
+		vErr.Inner = fmt.Errorf("%s by %s", ErrTokenExpired, delta)
+		vErr.Errors |= ValidationErrorExpired
+	}
+
+	if !c.VerifyIssuedAt(now, false) {
+		vErr.Inner = ErrTokenUsedBeforeIssued
+		vErr.Errors |= ValidationErrorIssuedAt
+	}
+
+	if !c.VerifyNotBefore(now, false) {
+		vErr.Inner = ErrTokenNotValidYet
+		vErr.Errors |= ValidationErrorNotValidYet
+	}
+
+	if vErr.valid() {
+		return nil
+	}
+
+	return vErr
+}
+
+// VerifyAudience compares the aud claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool {
+	return verifyAud([]string{c.Audience}, cmp, req)
+}
+
+// VerifyExpiresAt compares the exp claim against cmp (cmp < exp).
+// If req is false, it will return true, if exp is unset.
+func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool {
+	if c.ExpiresAt == 0 {
+		return verifyExp(nil, time.Unix(cmp, 0), req)
+	}
+
+	t := time.Unix(c.ExpiresAt, 0)
+	return verifyExp(&t, time.Unix(cmp, 0), req)
+}
+
+// VerifyIssuedAt compares the iat claim against cmp (cmp >= iat).
+// If req is false, it will return true, if iat is unset.
+func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool {
+	if c.IssuedAt == 0 {
+		return verifyIat(nil, time.Unix(cmp, 0), req)
+	}
+
+	t := time.Unix(c.IssuedAt, 0)
+	return verifyIat(&t, time.Unix(cmp, 0), req)
+}
+
+// VerifyNotBefore compares the nbf claim against cmp (cmp >= nbf).
+// If req is false, it will return true, if nbf is unset.
+func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool {
+	if c.NotBefore == 0 {
+		return verifyNbf(nil, time.Unix(cmp, 0), req)
+	}
+
+	t := time.Unix(c.NotBefore, 0)
+	return verifyNbf(&t, time.Unix(cmp, 0), req)
+}
+
+// VerifyIssuer compares the iss claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool {
+	return verifyIss(c.Issuer, cmp, req)
+}
+
+// ----- helpers
+
+func verifyAud(aud []string, cmp string, required bool) bool {
+	if len(aud) == 0 {
+		return !required
+	}
+	// use a var here to keep constant time compare when looping over a number of claims
+	result := false
+
+	var stringClaims string
+	for _, a := range aud {
+		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
+			result = true
+		}
+		stringClaims = stringClaims + a
+	}
+
+	// case where "" is sent in one or many aud claims
+	if len(stringClaims) == 0 {
+		return !required
+	}
+
+	return result
+}
+
+func verifyExp(exp *time.Time, now time.Time, required bool) bool {
+	if exp == nil {
+		return !required
+	}
+	return now.Before(*exp)
+}
+
+func verifyIat(iat *time.Time, now time.Time, required bool) bool {
+	if iat == nil {
+		return !required
+	}
+	return now.After(*iat) || now.Equal(*iat)
+}
+
+func verifyNbf(nbf *time.Time, now time.Time, required bool) bool {
+	if nbf == nil {
+		return !required
+	}
+	return now.After(*nbf) || now.Equal(*nbf)
+}
+
+func verifyIss(iss string, cmp string, required bool) bool {
+	if iss == "" {
+		return !required
+	}
+	return subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0
 }

cmd/jwt/README.md

@@ -16,4 +16,4 @@ To simply display a token, use:
 
 You can install this tool with the following command:
 
-     go install github.com/golang-jwt/jwt/v5/cmd/jwt
+     go install git.internal/re/jwt/v4/cmd/jwt

cmd/jwt/main.go

@@ -17,7 +17,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 var (

ecdsa_test.go

@@ -6,7 +6,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 var ecdsaTestData = []struct {
@@ -90,7 +90,6 @@ func TestECDSASign(t *testing.T) {
 			toSign := strings.Join(parts[0:2], ".")
 			method := jwt.GetSigningMethod(data.alg)
 			sig, err := method.Sign(toSign, ecdsaKey)
-
 			if err != nil {
 				t.Errorf("[%v] Error signing token: %v", data.name, err)
 			}

ed25519_test.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 var ed25519TestData = []struct {

errors.go

@@ -18,7 +18,6 @@ var (
 	ErrTokenExpired          = errors.New("token is expired")
 	ErrTokenUsedBeforeIssued = errors.New("token used before issued")
 	ErrTokenInvalidIssuer    = errors.New("token has invalid issuer")
-	ErrTokenInvalidSubject   = errors.New("token has invalid subject")
 	ErrTokenNotValidYet      = errors.New("token is not valid yet")
 	ErrTokenInvalidId        = errors.New("token has invalid id")
 	ErrTokenInvalidClaims    = errors.New("token has invalid claims")
@@ -30,12 +29,11 @@ const (
 	ValidationErrorUnverifiable                        // Token could not be verified because of signing problems
 	ValidationErrorSignatureInvalid                    // Signature validation failed
 
-	// Registered Claim validation errors
+	// Standard Claim validation errors
 	ValidationErrorAudience      // AUD validation failed
 	ValidationErrorExpired       // EXP validation failed
 	ValidationErrorIssuedAt      // IAT validation failed
 	ValidationErrorIssuer        // ISS validation failed
-	ValidationErrorSubject       // SUB validation failed
 	ValidationErrorNotValidYet   // NBF validation failed
 	ValidationErrorId            // JTI validation failed
 	ValidationErrorClaimsInvalid // Generic claims validation error

example_test.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 // Example (atypical) using the RegisteredClaims type by itself to parse a token.
@@ -70,7 +70,7 @@ func ExampleNewWithClaims_customClaimsType() {
 	// Output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiZXhwIjoxNTE2MjM5MDIyfQ.xVuY2FZ_MRXMIEgVQ7J-TFtaucVFRXUzHm9LmV41goM <nil>
 }
 
-// Example creating a token using a custom claims type.  The RegisteredClaims is embedded
+// Example creating a token using a custom claims type.  The StandardClaim is embedded
 // in the custom type to allow for easy encoding, parsing and validation of standard claims.
 func ExampleParseWithClaims_customClaimsType() {
 	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiYXVkIjoic2luZ2xlIn0.QAWg1vGvnqRuCFTMcPkjZljXHh8U3L_qUjszOtQbeaA"
@@ -93,68 +93,10 @@ func ExampleParseWithClaims_customClaimsType() {
 	// Output: bar test
 }
 
-// Example creating a token using a custom claims type and validation options.  The RegisteredClaims is embedded
-// in the custom type to allow for easy encoding, parsing and validation of standard claims.
-func ExampleParseWithClaims_validationOptions() {
-	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiYXVkIjoic2luZ2xlIn0.QAWg1vGvnqRuCFTMcPkjZljXHh8U3L_qUjszOtQbeaA"
-
-	type MyCustomClaims struct {
-		Foo string `json:"foo"`
-		jwt.RegisteredClaims
-	}
-
-	validator := jwt.NewValidator(jwt.WithLeeway(5 * time.Second))
-	token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte("AllYourBase"), nil
-	}, jwt.WithValidator(validator))
-
-	if claims, ok := token.Claims.(*MyCustomClaims); ok && token.Valid {
-		fmt.Printf("%v %v", claims.Foo, claims.RegisteredClaims.Issuer)
-	} else {
-		fmt.Println(err)
-	}
-
-	// Output: bar test
-}
-
-type MyCustomClaims struct {
-	Foo string `json:"foo"`
-	jwt.RegisteredClaims
-}
-
-func (m MyCustomClaims) CustomValidation() error {
-	if m.Foo != "bar" {
-		return errors.New("must be foobar")
-	}
-
-	return nil
-}
-
-// Example creating a token using a custom claims type and validation options.
-// The RegisteredClaims is embedded in the custom type to allow for easy
-// encoding, parsing and validation of standard claims and the function
-// CustomValidation is implemented.
-func ExampleParseWithClaims_customValidation() {
-	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiYXVkIjoic2luZ2xlIn0.QAWg1vGvnqRuCFTMcPkjZljXHh8U3L_qUjszOtQbeaA"
-
-	validator := jwt.NewValidator(jwt.WithLeeway(5 * time.Second))
-	token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte("AllYourBase"), nil
-	}, jwt.WithValidator(validator))
-
-	if claims, ok := token.Claims.(*MyCustomClaims); ok && token.Valid {
-		fmt.Printf("%v %v", claims.Foo, claims.RegisteredClaims.Issuer)
-	} else {
-		fmt.Println(err)
-	}
-
-	// Output: bar test
-}
-
-// An example of parsing the error types using errors.Is.
+// An example of parsing the error types using bitfield checks
 func ExampleParse_errorChecking() {
 	// Token from another example.  This token is expired
-	var tokenString = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c"
+	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c"
 
 	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
 		return []byte("AllYourBase"), nil

go.mod

@@ -1,3 +1,7 @@
-module github.com/golang-jwt/jwt/v5
+module git.internal/re/jwt/v4
 
 go 1.16
+
+retract (
+    v4.4.0 // Contains a backwards incompatible change to the Claims interface.
+)

hmac_example_test.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 // For HMAC signing method, the key can be any []byte. It is recommended to generate

hmac_test.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 var hmacTestData = []struct {

http_example_test.go

@@ -16,8 +16,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/golang-jwt/jwt/v5/request"
+	"git.internal/re/jwt/v4"
+	"git.internal/re/jwt/v4/request"
 )
 
 // location of the files used for signing and verification
@@ -73,7 +73,7 @@ type CustomerInfo struct {
 }
 
 type CustomClaimsExample struct {
-	*jwt.RegisteredClaims
+	jwt.RegisteredClaims
 	TokenType string
 	CustomerInfo
 }
@@ -113,7 +113,6 @@ func Example_getTokenViaHTTP() {
 }
 
 func Example_useTokenViaHTTP() {
-
 	// Make a sample token
 	// In a real world situation, this token will have been acquired from
 	// some other API call (see Example_getTokenViaHTTP)
@@ -142,7 +141,7 @@ func createToken(user string) (string, error) {
 
 	// set our claims
 	t.Claims = &CustomClaimsExample{
-		&jwt.RegisteredClaims{
+		jwt.RegisteredClaims{
 			// set the expire time
 			// see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 1)),
@@ -197,7 +196,6 @@ func restrictedHandler(w http.ResponseWriter, r *http.Request) {
 		// we also only use its public counter part to verify
 		return verifyKey, nil
 	}, request.WithClaims(&CustomClaimsExample{}))
-
 	// If the token is missing or invalid, return error
 	if err != nil {
 		w.WriteHeader(http.StatusUnauthorized)

map_claims.go

@@ -3,109 +3,149 @@ package jwt
 import (
 	"encoding/json"
 	"errors"
+	"time"
+	// "fmt"
 )
 
 // MapClaims is a claims type that uses the map[string]interface{} for JSON decoding.
 // This is the default claims type if you don't supply one
 type MapClaims map[string]interface{}
 
-var ErrInvalidType = errors.New("invalid type for claim")
-
-// GetExpirationTime implements the Claims interface.
-func (m MapClaims) GetExpirationTime() (*NumericDate, error) {
-	return m.ParseNumericDate("exp")
-}
-
-// GetNotBefore implements the Claims interface.
-func (m MapClaims) GetNotBefore() (*NumericDate, error) {
-	return m.ParseNumericDate("nbf")
-}
-
-// GetIssuedAt implements the Claims interface.
-func (m MapClaims) GetIssuedAt() (*NumericDate, error) {
-	return m.ParseNumericDate("iat")
-}
-
-// GetAudience implements the Claims interface.
-func (m MapClaims) GetAudience() (ClaimStrings, error) {
-	return m.ParseClaimsString("aud")
-}
-
-// GetIssuer implements the Claims interface.
-func (m MapClaims) GetIssuer() (string, error) {
-	return m.ParseString("iss")
-}
-
-// GetSubject implements the Claims interface.
-func (m MapClaims) GetSubject() (string, error) {
-	return m.ParseString("sub")
-}
-
-// ParseNumericDate tries to parse a key in the map claims type as a number
-// date. This will succeed, if the underlying type is either a [float64] or a
-// [json.Number]. Otherwise, nil will be returned.
-func (m MapClaims) ParseNumericDate(key string) (*NumericDate, error) {
-	v, ok := m[key]
+// VerifyAudience Compares the aud claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyAudience(cmp string, req bool) bool {
+	var aud []string
+	switch v := m["aud"].(type) {
+	case string:
+		aud = append(aud, v)
+	case []string:
+		aud = v
+	case []interface{}:
+		for _, a := range v {
+			vs, ok := a.(string)
 			if !ok {
-		return nil, nil
+				return false
+			}
+			aud = append(aud, vs)
+		}
+	}
+	return verifyAud(aud, cmp, req)
+}
+
+// VerifyExpiresAt compares the exp claim against cmp (cmp <= exp).
+// If req is false, it will return true, if exp is unset.
+func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool {
+	cmpTime := time.Unix(cmp, 0)
+
+	v, ok := m["exp"]
+	if !ok {
+		return !req
 	}
 
 	switch exp := v.(type) {
 	case float64:
 		if exp == 0 {
-			return nil, nil
+			return verifyExp(nil, cmpTime, req)
 		}
 
-		return newNumericDateFromSeconds(exp), nil
+		return verifyExp(&newNumericDateFromSeconds(exp).Time, cmpTime, req)
 	case json.Number:
 		v, _ := exp.Float64()
 
-		return newNumericDateFromSeconds(v), nil
+		return verifyExp(&newNumericDateFromSeconds(v).Time, cmpTime, req)
 	}
 
-	return nil, ErrInvalidType
+	return false
 }
 
-// ParseClaimsString tries to parse a key in the map claims type as a
-// [ClaimsStrings] type, which can either be a string or an array of string.
-func (m MapClaims) ParseClaimsString(key string) (ClaimStrings, error) {
-	var cs []string
-	switch v := m[key].(type) {
-	case string:
-		cs = append(cs, v)
-	case []string:
-		cs = v
-	case []interface{}:
-		for _, a := range v {
-			vs, ok := a.(string)
+// VerifyIssuedAt compares the exp claim against cmp (cmp >= iat).
+// If req is false, it will return true, if iat is unset.
+func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool {
+	cmpTime := time.Unix(cmp, 0)
+
+	v, ok := m["iat"]
 	if !ok {
-				return nil, ErrInvalidType
-			}
-			cs = append(cs, vs)
-		}
+		return !req
 	}
 
-	return cs, nil
+	switch iat := v.(type) {
+	case float64:
+		if iat == 0 {
+			return verifyIat(nil, cmpTime, req)
 		}
 
-// ParseString tries to parse a key in the map claims type as a [string] type.
-// If the key does not exist, an empty string is returned. If the key has the
-// wrong type, an error is returned.
-func (m MapClaims) ParseString(key string) (string, error) {
-	var (
-		ok  bool
-		raw interface{}
-		iss string
-	)
-	raw, ok = m[key]
+		return verifyIat(&newNumericDateFromSeconds(iat).Time, cmpTime, req)
+	case json.Number:
+		v, _ := iat.Float64()
+
+		return verifyIat(&newNumericDateFromSeconds(v).Time, cmpTime, req)
+	}
+
+	return false
+}
+
+// VerifyNotBefore compares the nbf claim against cmp (cmp >= nbf).
+// If req is false, it will return true, if nbf is unset.
+func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool {
+	cmpTime := time.Unix(cmp, 0)
+
+	v, ok := m["nbf"]
 	if !ok {
-		return "", nil
+		return !req
 	}
 
-	iss, ok = raw.(string)
-	if !ok {
-		return "", ErrInvalidType
+	switch nbf := v.(type) {
+	case float64:
+		if nbf == 0 {
+			return verifyNbf(nil, cmpTime, req)
 		}
 
-	return iss, nil
+		return verifyNbf(&newNumericDateFromSeconds(nbf).Time, cmpTime, req)
+	case json.Number:
+		v, _ := nbf.Float64()
+
+		return verifyNbf(&newNumericDateFromSeconds(v).Time, cmpTime, req)
+	}
+
+	return false
+}
+
+// VerifyIssuer compares the iss claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyIssuer(cmp string, req bool) bool {
+	iss, _ := m["iss"].(string)
+	return verifyIss(iss, cmp, req)
+}
+
+// Valid validates time based claims "exp, iat, nbf".
+// There is no accounting for clock skew.
+// As well, if any of the above claims are not in the token, it will still
+// be considered a valid claim.
+func (m MapClaims) Valid() error {
+	vErr := new(ValidationError)
+	now := TimeFunc().Unix()
+
+	if !m.VerifyExpiresAt(now, false) {
+		// TODO(oxisto): this should be replaced with ErrTokenExpired
+		vErr.Inner = errors.New("Token is expired")
+		vErr.Errors |= ValidationErrorExpired
+	}
+
+	if !m.VerifyIssuedAt(now, false) {
+		// TODO(oxisto): this should be replaced with ErrTokenUsedBeforeIssued
+		vErr.Inner = errors.New("Token used before issued")
+		vErr.Errors |= ValidationErrorIssuedAt
+	}
+
+	if !m.VerifyNotBefore(now, false) {
+		// TODO(oxisto): this should be replaced with ErrTokenNotValidYet
+		vErr.Inner = errors.New("Token is not valid yet")
+		vErr.Errors |= ValidationErrorNotValidYet
+	}
+
+	if vErr.valid() {
+		return nil
+	}
+
+	return vErr
 }

map_claims_test.go

@@ -42,7 +42,7 @@ func TestVerifyAud(t *testing.T) {
 		{Name: "[]String Aud without match not required", MapClaims: MapClaims{"aud": []string{"not.example.com", "example.example.com"}}, Expected: false, Required: true, Comparison: "example.com"},
 
 		// Required = false
-		{Name: "Empty []String Aud without match required", MapClaims: MapClaims{"aud": []string{""}}, Expected: true, Required: false, Comparison: "example.com"},
+		{Name: "Empty []String Aud without match required", MapClaims: MapClaims{"aud": []string{""}}, Expected: false, Required: true, Comparison: "example.com"},
 
 		// []interface{}
 		{Name: "Empty []interface{} Aud without match required", MapClaims: MapClaims{"aud": nilListInterface}, Expected: true, Required: false, Comparison: "example.com"},
@@ -56,17 +56,10 @@ func TestVerifyAud(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.Name, func(t *testing.T) {
-			var opts []ValidatorOption
+			got := test.MapClaims.VerifyAudience(test.Comparison, test.Required)
 
-			if test.Required {
-				opts = append(opts, WithAudience(test.Comparison))
-			}
-
-			validator := NewValidator(opts...)
-			got := validator.Validate(test.MapClaims)
-
-			if (got == nil) != test.Expected {
-				t.Errorf("Expected %v, got %v", test.Expected, (got == nil))
+			if got != test.Expected {
+				t.Errorf("Expected %v, got %v", test.Expected, got)
 			}
 		})
 	}
@@ -77,9 +70,9 @@ func TestMapclaimsVerifyIssuedAtInvalidTypeString(t *testing.T) {
 		"iat": "foo",
 	}
 	want := false
-	got := NewValidator(WithIssuedAt()).Validate(mapClaims)
-	if want != (got == nil) {
-		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, (got == nil))
+	got := mapClaims.VerifyIssuedAt(0, false)
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 }
 
@@ -88,9 +81,9 @@ func TestMapclaimsVerifyNotBeforeInvalidTypeString(t *testing.T) {
 		"nbf": "foo",
 	}
 	want := false
-	got := NewValidator().Validate(mapClaims)
-	if want != (got == nil) {
-		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, (got == nil))
+	got := mapClaims.VerifyNotBefore(0, false)
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 }
 
@@ -99,38 +92,32 @@ func TestMapclaimsVerifyExpiresAtInvalidTypeString(t *testing.T) {
 		"exp": "foo",
 	}
 	want := false
-	got := NewValidator().Validate(mapClaims)
+	got := mapClaims.VerifyExpiresAt(0, false)
 
-	if want != (got == nil) {
-		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, (got == nil))
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 }
 
 func TestMapClaimsVerifyExpiresAtExpire(t *testing.T) {
-	exp := time.Now()
+	exp := time.Now().Unix()
 	mapClaims := MapClaims{
-		"exp": float64(exp.Unix()),
+		"exp": float64(exp),
 	}
 	want := false
-	got := NewValidator(WithTimeFunc(func() time.Time {
-		return exp
-	})).Validate(mapClaims)
-	if want != (got == nil) {
-		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, (got == nil))
+	got := mapClaims.VerifyExpiresAt(exp, true)
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 
-	got = NewValidator(WithTimeFunc(func() time.Time {
-		return exp.Add(1 * time.Second)
-	})).Validate(mapClaims)
-	if want != (got == nil) {
-		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, (got == nil))
+	got = mapClaims.VerifyExpiresAt(exp+1, true)
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 
 	want = true
-	got = NewValidator(WithTimeFunc(func() time.Time {
-		return exp.Add(-1 * time.Second)
-	})).Validate(mapClaims)
-	if want != (got == nil) {
-		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, (got == nil))
+	got = mapClaims.VerifyExpiresAt(exp-1, true)
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 }

none_test.go

@@ -4,7 +4,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 var noneTestData = []struct {

parser.go

@@ -22,15 +22,13 @@ type Parser struct {
 	//
 	// Deprecated: In future releases, this field will not be exported anymore and should be set with an option to NewParser instead.
 	SkipClaimsValidation bool
-
-	validator *Validator
 }
 
 // NewParser creates a new Parser with the specified options
 func NewParser(options ...ParserOption) *Parser {
 	p := &Parser{}
 
-	// Loop through our parsing options and apply them
+	// loop through our parsing options and apply them
 	for _, option := range options {
 		option(p)
 	}
@@ -44,6 +42,13 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
 }
 
+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
+// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
+// than the default MapClaims implementation of Claims.
+//
+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
+// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
+// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
 func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
 	token, parts, err := p.ParseUnverified(tokenString, claims)
 	if err != nil {
@@ -84,12 +89,8 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 
 	// Validate Claims
 	if !p.SkipClaimsValidation {
-		// Make sure we have at least a default validator
-		if p.validator == nil {
-			p.validator = NewValidator()
-		}
+		if err := token.Claims.Valid(); err != nil {
 
-		if err := p.validator.Validate(claims); err != nil {
 			// If the Claims Valid returned an error, check if it is a validation error,
 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
 			if e, ok := err.(*ValidationError); !ok {

parser_option.go

@@ -27,10 +27,3 @@ func WithoutClaimsValidation() ParserOption {
 		p.SkipClaimsValidation = true
 	}
 }
-
-// WithValidator is an option to include a claims validator.
-func WithValidator(v *Validator) ParserOption {
-	return func(p *Parser) {
-		p.validator = v
-	}
-}

parser_test.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/golang-jwt/jwt/v5/test"
+	"git.internal/re/jwt/v4"
+	"git.internal/re/jwt/v4/test"
 )
 
 var errKeyFuncError error = fmt.Errorf("error loading key")
@@ -42,7 +42,6 @@ func init() {
 	// Load private keys
 	jwtTestRSAPrivateKey = test.LoadRSAPrivateKeyFromDisk("test/sample_key")
 	jwtTestEC256PrivateKey = test.LoadECPrivateKeyFromDisk("test/ec256-private.pem")
-
 }
 
 var jwtTestData = []struct {
@@ -199,6 +198,19 @@ var jwtTestData = []struct {
 		&jwt.Parser{UseJSONNumber: true},
 		jwt.SigningMethodRS256,
 	},
+	{
+		"Standard Claims",
+		"",
+		defaultKeyFunc,
+		&jwt.StandardClaims{
+			ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
+		},
+		true,
+		0,
+		nil,
+		&jwt.Parser{UseJSONNumber: true},
+		jwt.SigningMethodRS256,
+	},
 	{
 		"JSON Number - basic expired",
 		"", // autogen
@@ -308,28 +320,6 @@ var jwtTestData = []struct {
 		&jwt.Parser{UseJSONNumber: true},
 		jwt.SigningMethodRS256,
 	},
-	{
-		"RFC7519 Claims - nbf with 60s skew",
-		"", // autogen
-		defaultKeyFunc,
-		&jwt.RegisteredClaims{NotBefore: jwt.NewNumericDate(time.Now().Add(time.Second * 100))},
-		false,
-		jwt.ValidationErrorNotValidYet,
-		[]error{jwt.ErrTokenNotValidYet},
-		jwt.NewParser(jwt.WithValidator(jwt.NewValidator(jwt.WithLeeway(time.Minute)))),
-		jwt.SigningMethodRS256,
-	},
-	{
-		"RFC7519 Claims - nbf with 120s skew",
-		"", // autogen
-		defaultKeyFunc,
-		&jwt.RegisteredClaims{NotBefore: jwt.NewNumericDate(time.Now().Add(time.Second * 100))},
-		true,
-		0,
-		nil,
-		jwt.NewParser(jwt.WithValidator(jwt.NewValidator(jwt.WithLeeway(2 * time.Minute)))),
-		jwt.SigningMethodRS256,
-	},
 }
 
 // signToken creates and returns a signed JWT token using signingMethod.
@@ -347,11 +337,9 @@ func signToken(claims jwt.Claims, signingMethod jwt.SigningMethod) string {
 }
 
 func TestParser_Parse(t *testing.T) {
-
 	// Iterate over test data set and run tests
 	for _, data := range jwtTestData {
 		t.Run(data.name, func(t *testing.T) {
-
 			// If the token string is blank, use helper function to generate string
 			if data.tokenString == "" {
 				data.tokenString = signToken(data.claims, data.signingMethod)
@@ -361,14 +349,16 @@ func TestParser_Parse(t *testing.T) {
 			var token *jwt.Token
 			var ve *jwt.ValidationError
 			var err error
-			var parser = data.parser
+			parser := data.parser
 			if parser == nil {
-				parser = jwt.NewParser()
+				parser = new(jwt.Parser)
 			}
 			// Figure out correct claims type
 			switch data.claims.(type) {
 			case jwt.MapClaims:
 				token, err = parser.ParseWithClaims(data.tokenString, jwt.MapClaims{}, data.keyfunc)
+			case *jwt.StandardClaims:
+				token, err = parser.ParseWithClaims(data.tokenString, &jwt.StandardClaims{}, data.keyfunc)
 			case *jwt.RegisteredClaims:
 				token, err = parser.ParseWithClaims(data.tokenString, &jwt.RegisteredClaims{}, data.keyfunc)
 			}
@@ -411,7 +401,7 @@ func TestParser_Parse(t *testing.T) {
 				if err == nil {
 					t.Errorf("[%v] Expecting error(s). Didn't get one.", data.name)
 				} else {
-					var all = false
+					all := false
 					for _, e := range data.err {
 						all = errors.Is(err, e)
 					}
@@ -436,7 +426,6 @@ func TestParser_Parse(t *testing.T) {
 }
 
 func TestParser_ParseUnverified(t *testing.T) {
-
 	// Iterate over test data set and run tests
 	for _, data := range jwtTestData {
 		// Skip test data, that intentionally contains malformed tokens, as they would lead to an error
@@ -453,7 +442,7 @@ func TestParser_ParseUnverified(t *testing.T) {
 			// Parse the token
 			var token *jwt.Token
 			var err error
-			var parser = data.parser
+			parser := data.parser
 			if parser == nil {
 				parser = new(jwt.Parser)
 			}
@@ -461,6 +450,8 @@ func TestParser_ParseUnverified(t *testing.T) {
 			switch data.claims.(type) {
 			case jwt.MapClaims:
 				token, _, err = parser.ParseUnverified(data.tokenString, jwt.MapClaims{})
+			case *jwt.StandardClaims:
+				token, _, err = parser.ParseUnverified(data.tokenString, &jwt.StandardClaims{})
 			case *jwt.RegisteredClaims:
 				token, _, err = parser.ParseUnverified(data.tokenString, &jwt.RegisteredClaims{})
 			}
@@ -494,6 +485,7 @@ var setPaddingTestData = []struct {
 	tokenString   string
 	claims        jwt.Claims
 	paddedDecode  bool
+	strictDecode  bool
 	signingMethod jwt.SigningMethod
 	keyfunc       jwt.Keyfunc
 	valid         bool
@@ -552,19 +544,108 @@ var setPaddingTestData = []struct {
 		keyfunc:       paddedKeyFunc,
 		valid:         true,
 	},
+	// DecodeStrict tests, DecodePaddingAllowed=false
+	{
+		name: "Validated non-padded token with padding disabled, non-strict decode, non-tweaked signature",
+		tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
+			"g",
+		claims:        nil,
+		paddedDecode:  false,
+		strictDecode:  false,
+		signingMethod: jwt.SigningMethodRS256,
+		keyfunc:       defaultKeyFunc,
+		valid:         true,
+	},
+	{
+		name: "Validated non-padded token with padding disabled, non-strict decode, tweaked signature",
+		tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
+			"h",
+		claims:        nil,
+		paddedDecode:  false,
+		strictDecode:  false,
+		signingMethod: jwt.SigningMethodRS256,
+		keyfunc:       defaultKeyFunc,
+		valid:         true,
+	},
+	{
+		name: "Validated non-padded token with padding disabled, strict decode, non-tweaked signature",
+		tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
+			"g",
+		claims:        nil,
+		paddedDecode:  false,
+		strictDecode:  true,
+		signingMethod: jwt.SigningMethodRS256,
+		keyfunc:       defaultKeyFunc,
+		valid:         true,
+	},
+	{
+		name: "Error for non-padded token with padding disabled, strict decode, tweaked signature",
+		tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
+			"h",
+		claims:        nil,
+		paddedDecode:  false,
+		strictDecode:  true,
+		signingMethod: jwt.SigningMethodRS256,
+		keyfunc:       defaultKeyFunc,
+		valid:         false,
+	},
+	// DecodeStrict tests, DecodePaddingAllowed=true
+	{
+		name: "Validated padded token with padding enabled, non-strict decode, non-tweaked signature",
+		tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
+			"w==",
+		claims:        nil,
+		paddedDecode:  true,
+		strictDecode:  false,
+		signingMethod: jwt.SigningMethodES256,
+		keyfunc:       paddedKeyFunc,
+		valid:         true,
+	},
+	{
+		name: "Validated padded token with padding enabled, non-strict decode, tweaked signature",
+		tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
+			"x==",
+		claims:        nil,
+		paddedDecode:  true,
+		strictDecode:  false,
+		signingMethod: jwt.SigningMethodES256,
+		keyfunc:       paddedKeyFunc,
+		valid:         true,
+	},
+	{
+		name: "Validated padded token with padding enabled, strict decode, non-tweaked signature",
+		tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
+			"w==",
+		claims:        nil,
+		paddedDecode:  true,
+		strictDecode:  true,
+		signingMethod: jwt.SigningMethodES256,
+		keyfunc:       paddedKeyFunc,
+		valid:         true,
+	},
+	{
+		name: "Error for padded token with padding enabled, strict decode, tweaked signature",
+		tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
+			"x==",
+		claims:        nil,
+		paddedDecode:  true,
+		strictDecode:  true,
+		signingMethod: jwt.SigningMethodES256,
+		keyfunc:       paddedKeyFunc,
+		valid:         false,
+	},
 }
 
 // Extension of Parsing, this is to test out functionality specific to switching codecs with padding.
 func TestSetPadding(t *testing.T) {
 	for _, data := range setPaddingTestData {
 		t.Run(data.name, func(t *testing.T) {
+			jwt.DecodePaddingAllowed = data.paddedDecode
+			jwt.DecodeStrict = data.strictDecode
 
 			// If the token string is blank, use helper function to generate string
-			jwt.DecodePaddingAllowed = data.paddedDecode
-
 			if data.tokenString == "" {
 				data.tokenString = signToken(data.claims, data.signingMethod)
-
 			}
 
 			// Parse the token
@@ -583,15 +664,13 @@ func TestSetPadding(t *testing.T) {
 					err,
 				)
 			}
-
 		})
 		jwt.DecodePaddingAllowed = false
-
+		jwt.DecodeStrict = false
 	}
 }
 
 func BenchmarkParseUnverified(b *testing.B) {
-
 	// Iterate over test data set and run tests
 	for _, data := range jwtTestData {
 		// If the token string is blank, use helper function to generate string
@@ -600,7 +679,7 @@ func BenchmarkParseUnverified(b *testing.B) {
 		}
 
 		// Parse the token
-		var parser = data.parser
+		parser := data.parser
 		if parser == nil {
 			parser = new(jwt.Parser)
 		}
@@ -610,9 +689,9 @@ func BenchmarkParseUnverified(b *testing.B) {
 			b.Run("map_claims", func(b *testing.B) {
 				benchmarkParsing(b, parser, data.tokenString, jwt.MapClaims{})
 			})
-		case *jwt.RegisteredClaims:
-			b.Run("registered_claims", func(b *testing.B) {
-				benchmarkParsing(b, parser, data.tokenString, &jwt.RegisteredClaims{})
+		case *jwt.StandardClaims:
+			b.Run("standard_claims", func(b *testing.B) {
+				benchmarkParsing(b, parser, data.tokenString, &jwt.StandardClaims{})
 			})
 		}
 	}

registered_claims.go

@@ -1,63 +0,0 @@
-package jwt
-
-// RegisteredClaims are a structured version of the JWT Claims Set,
-// restricted to Registered Claim Names, as referenced at
-// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
-//
-// This type can be used on its own, but then additional private and
-// public claims embedded in the JWT will not be parsed. The typical use-case
-// therefore is to embedded this in a user-defined claim type.
-//
-// See examples for how to use this with your own claim types.
-type RegisteredClaims struct {
-	// the `iss` (Issuer) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
-	Issuer string `json:"iss,omitempty"`
-
-	// the `sub` (Subject) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
-	Subject string `json:"sub,omitempty"`
-
-	// the `aud` (Audience) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
-	Audience ClaimStrings `json:"aud,omitempty"`
-
-	// the `exp` (Expiration Time) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
-	ExpiresAt *NumericDate `json:"exp,omitempty"`
-
-	// the `nbf` (Not Before) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
-	NotBefore *NumericDate `json:"nbf,omitempty"`
-
-	// the `iat` (Issued At) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
-	IssuedAt *NumericDate `json:"iat,omitempty"`
-
-	// the `jti` (JWT ID) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7
-	ID string `json:"jti,omitempty"`
-}
-
-// GetExpirationTime implements the Claims interface.
-func (c RegisteredClaims) GetExpirationTime() (*NumericDate, error) {
-	return c.ExpiresAt, nil
-}
-
-// GetNotBefore implements the Claims interface.
-func (c RegisteredClaims) GetNotBefore() (*NumericDate, error) {
-	return c.NotBefore, nil
-}
-
-// GetIssuedAt implements the Claims interface.
-func (c RegisteredClaims) GetIssuedAt() (*NumericDate, error) {
-	return c.IssuedAt, nil
-}
-
-// GetAudience implements the Claims interface.
-func (c RegisteredClaims) GetAudience() (ClaimStrings, error) {
-	return c.Audience, nil
-}
-
-// GetIssuer implements the Claims interface.
-func (c RegisteredClaims) GetIssuer() (string, error) {
-	return c.Issuer, nil
-}
-
-// GetSubject implements the Claims interface.
-func (c RegisteredClaims) GetSubject() (string, error) {
-	return c.Subject, nil
-}

request/request.go

@@ -3,7 +3,7 @@ package request
 import (
 	"net/http"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 // ParseFromRequest extracts and parses a JWT token from an HTTP request.

request/request_test.go

@@ -8,8 +8,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/golang-jwt/jwt/v5/test"
+	"git.internal/re/jwt/v4"
+	"git.internal/re/jwt/v4/test"
 )
 
 var requestTestData = []struct {

rsa_pss_test.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/golang-jwt/jwt/v5/test"
+	"git.internal/re/jwt/v4"
+	"git.internal/re/jwt/v4/test"
 )
 
 var rsaPSSTestData = []struct {

rsa_test.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 var rsaTestData = []struct {
@@ -147,7 +147,6 @@ func TestRSAKeyParsing(t *testing.T) {
 	if k, e := jwt.ParseRSAPublicKeyFromPEM(badKey); e == nil {
 		t.Errorf("Parsed invalid key as valid private key: %v", k)
 	}
-
 }
 
 func BenchmarkRSAParsing(b *testing.B) {

test/helpers.go

@@ -5,7 +5,7 @@ import (
 	"crypto/rsa"
 	"os"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 func LoadRSAPrivateKeyFromDisk(location string) *rsa.PrivateKey {

token.go

@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"strings"
+	"time"
 )
 
 // DecodePaddingAllowed will switch the codec used for decoding JWTs respectively. Note that the JWS RFC7515
@@ -13,6 +14,17 @@ import (
 // To use the non-recommended decoding, set this boolean to `true` prior to using this package.
 var DecodePaddingAllowed bool
 
+// DecodeStrict will switch the codec used for decoding JWTs into strict mode.
+// In this mode, the decoder requires that trailing padding bits are zero, as described in RFC 4648 section 3.5.
+// Note that this is a global variable, and updating it will change the behavior on a package level, and is also NOT go-routine safe.
+// To use strict decoding, set this boolean to `true` prior to using this package.
+var DecodeStrict bool
+
+// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
+// You can override it to use another time value.  This is useful for testing or if your
+// server uses a different time zone than your tokens.
+var TimeFunc = time.Now
+
 // Keyfunc will be used by the Parse methods as a callback function to supply
 // the key for verification.  The function receives the parsed,
 // but unverified Token.  This allows you to use properties in the
@@ -93,6 +105,11 @@ func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token
 	return NewParser(options...).Parse(tokenString, keyFunc)
 }
 
+// ParseWithClaims is a shortcut for NewParser().ParseWithClaims().
+//
+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
+// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
+// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
 func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
 	return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc)
 }
@@ -110,12 +127,17 @@ func EncodeSegment(seg []byte) string {
 // Deprecated: In a future release, we will demote this function to a non-exported function, since it
 // should only be used internally
 func DecodeSegment(seg string) ([]byte, error) {
+	encoding := base64.RawURLEncoding
+
 	if DecodePaddingAllowed {
 		if l := len(seg) % 4; l > 0 {
 			seg += strings.Repeat("=", 4-l)
 		}
-		return base64.URLEncoding.DecodeString(seg)
+		encoding = base64.URLEncoding
 	}
 
-	return base64.RawURLEncoding.DecodeString(seg)
+	if DecodeStrict {
+		encoding = encoding.Strict()
+	}
+	return encoding.DecodeString(seg)
 }

token_test.go

@@ -3,7 +3,7 @@ package jwt_test
 import (
 	"testing"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 func TestToken_SigningString(t1 *testing.T) {
@@ -30,7 +30,7 @@ func TestToken_SigningString(t1 *testing.T) {
 					"typ": "JWT",
 					"alg": jwt.SigningMethodHS256.Alg(),
 				},
-				Claims:    jwt.RegisteredClaims{},
+				Claims:    jwt.StandardClaims{},
 				Signature: "",
 				Valid:     false,
 			},
@@ -67,7 +67,7 @@ func BenchmarkToken_SigningString(b *testing.B) {
 			"typ": "JWT",
 			"alg": jwt.SigningMethodHS256.Alg(),
 		},
-		Claims: jwt.RegisteredClaims{},
+		Claims: jwt.StandardClaims{},
 	}
 	b.Run("BenchmarkToken_SigningString", func(b *testing.B) {
 		b.ResetTimer()

types_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
+	"git.internal/re/jwt/v4"
 )
 
 func TestNumericDate(t *testing.T) {
@@ -41,7 +41,6 @@ func TestSingleArrayMarshal(t *testing.T) {
 	expected := `"test"`
 
 	b, err := json.Marshal(s)
-
 	if err != nil {
 		t.Errorf("Unexpected error: %s", err)
 	}

validator.go

@@ -1,265 +0,0 @@
-package jwt
-
-import (
-	"crypto/subtle"
-	"time"
-)
-
-// Validator is the core of the new Validation API. It can either be used to
-// modify the validation used during parsing with the [WithValidator] parser
-// option or used standalone to validate an already parsed [Claim]. It can be
-// further customized with a range of specified [ValidatorOption]s.
-type Validator struct {
-	// leeway is an optional leeway that can be provided to account for clock skew.
-	leeway time.Duration
-
-	// timeFunc is used to supply the current time that is needed for
-	// validation. If unspecified, this defaults to time.Now.
-	timeFunc func() time.Time
-
-	// verifyIat specifies whether the iat (Issued At) claim will be verified.
-	// According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
-	// only specifies the age of the token, but no validation check is
-	// necessary. However, if wanted, it can be checked if the iat is
-	// unrealistic, i.e., in the future.
-	verifyIat bool
-
-	// expectedAud contains the audience this token expects. Supplying an empty
-	// string will disable aud checking.
-	expectedAud string
-
-	// expectedIss contains the issuer this token expects. Supplying an empty
-	// string will disable iss checking.
-	expectedIss string
-
-	expectedSubPattern PatternFunc
-}
-
-// CustomClaims represents a custom claims interface, which can be built upon the integrated
-// claim types, such as map claims or registered claims.
-type CustomClaims interface {
-	// CustomValidation can be implemented by a user-specific claim to support
-	// additional validation steps in addition to the regular validation.
-	CustomValidation() error
-}
-
-func NewValidator(opts ...ValidatorOption) *Validator {
-	v := &Validator{}
-
-	// Apply the validator options
-	for _, o := range opts {
-		o(v)
-	}
-
-	return v
-}
-
-// Validate validates the given claims. It will also perform any custom validation if claims implements the CustomValidator interface.
-func (v *Validator) Validate(claims Claims) error {
-	var now time.Time
-	vErr := new(ValidationError)
-
-	// Check, if we have a time func
-	if v.timeFunc != nil {
-		now = v.timeFunc()
-	} else {
-		now = time.Now()
-	}
-
-	// We always need to check the expiration time, but the claim itself is OPTIONAL
-	if !v.VerifyExpiresAt(claims, now, false) {
-		vErr.Inner = ErrTokenExpired
-		vErr.Errors |= ValidationErrorExpired
-	}
-
-	// We always need to check not-before, but the claim itself is OPTIONAL
-	if !v.VerifyNotBefore(claims, now, false) {
-		vErr.Inner = ErrTokenNotValidYet
-		vErr.Errors |= ValidationErrorNotValidYet
-	}
-
-	// Check issued-at if the option is enabled
-	if v.verifyIat && !v.VerifyIssuedAt(claims, now, false) {
-		vErr.Inner = ErrTokenUsedBeforeIssued
-		vErr.Errors |= ValidationErrorIssuedAt
-	}
-
-	// If we have an expected audience, we also require the audience claim
-	if v.expectedAud != "" && !v.VerifyAudience(claims, v.expectedAud, true) {
-		vErr.Inner = ErrTokenInvalidAudience
-		vErr.Errors |= ValidationErrorAudience
-	}
-
-	// If we have an expected issuer, we also require the issuer claim
-	if v.expectedIss != "" && !v.VerifyIssuer(claims, v.expectedIss, true) {
-		vErr.Inner = ErrTokenInvalidIssuer
-		vErr.Errors |= ValidationErrorIssuer
-	}
-
-	// If we have an expected subject, we also require the subject claim
-	if v.expectedSubPattern != nil && !v.VerifySubject(claims, v.expectedSubPattern, true) {
-		vErr.Inner = ErrTokenInvalidSubject
-		vErr.Errors |= ValidationErrorSubject
-	}
-
-	// Finally, we want to give the claim itself some possibility to do some
-	// additional custom validation based on their custom claims
-	cvt, ok := claims.(CustomClaims)
-	if ok {
-		if err := cvt.CustomValidation(); err != nil {
-			vErr.Inner = err
-			vErr.Errors |= ValidationErrorClaimsInvalid
-		}
-	}
-
-	if vErr.valid() {
-		return nil
-	}
-
-	return vErr
-}
-
-// VerifyAudience compares the aud claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (v *Validator) VerifyAudience(claims Claims, cmp string, req bool) bool {
-	aud, err := claims.GetAudience()
-	if err != nil {
-		return false
-	}
-
-	return verifyAud(aud, cmp, req)
-}
-
-// VerifyExpiresAt compares the exp claim against cmp (cmp < exp).
-// If req is false, it will return true, if exp is unset.
-func (v *Validator) VerifyExpiresAt(claims Claims, cmp time.Time, req bool) bool {
-	var time *time.Time = nil
-
-	exp, err := claims.GetExpirationTime()
-	if err != nil {
-		return false
-	} else if exp != nil {
-		time = &exp.Time
-	}
-
-	return verifyExp(time, cmp, req, v.leeway)
-}
-
-// VerifyIssuedAt compares the iat claim against cmp (cmp >= iat).
-// If req is false, it will return true, if iat is unset.
-func (v *Validator) VerifyIssuedAt(claims Claims, cmp time.Time, req bool) bool {
-	var time *time.Time = nil
-
-	iat, err := claims.GetIssuedAt()
-	if err != nil {
-		return false
-	} else if iat != nil {
-		time = &iat.Time
-	}
-
-	return verifyIat(time, cmp, req, v.leeway)
-}
-
-// VerifyNotBefore compares the nbf claim against cmp (cmp >= nbf).
-// If req is false, it will return true, if nbf is unset.
-func (v *Validator) VerifyNotBefore(claims Claims, cmp time.Time, req bool) bool {
-	var time *time.Time = nil
-
-	nbf, err := claims.GetNotBefore()
-	if err != nil {
-		return false
-	} else if nbf != nil {
-		time = &nbf.Time
-	}
-
-	return verifyNbf(time, cmp, req, v.leeway)
-}
-
-// VerifyIssuer compares the iss claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (v *Validator) VerifyIssuer(claims Claims, cmp string, req bool) bool {
-	iss, err := claims.GetIssuer()
-	if err != nil {
-		return false
-	}
-
-	return verifyIss(iss, cmp, req)
-}
-
-// VerifySubject compares the sub claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (v *Validator) VerifySubject(claims Claims, cmp PatternFunc, req bool) bool {
-	iss, err := claims.GetSubject()
-	if err != nil {
-		return false
-	}
-
-	return verifySub(iss, cmp, req)
-}
-
-// ----- helpers
-
-func verifyAud(aud []string, cmp string, required bool) bool {
-	if len(aud) == 0 {
-		return !required
-	}
-	// use a var here to keep constant time compare when looping over a number of claims
-	result := false
-
-	var stringClaims string
-	for _, a := range aud {
-		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
-			result = true
-		}
-		stringClaims = stringClaims + a
-	}
-
-	// case where "" is sent in one or many aud claims
-	if stringClaims == "" {
-		return !required
-	}
-
-	return result
-}
-
-func verifyExp(exp *time.Time, now time.Time, required bool, skew time.Duration) bool {
-	if exp == nil {
-		return !required
-	}
-
-	return now.Before((*exp).Add(+skew))
-}
-
-func verifyIat(iat *time.Time, now time.Time, required bool, skew time.Duration) bool {
-	if iat == nil {
-		return !required
-	}
-
-	t := iat.Add(-skew)
-	return !now.Before(t)
-}
-
-func verifyNbf(nbf *time.Time, now time.Time, required bool, skew time.Duration) bool {
-	if nbf == nil {
-		return !required
-	}
-
-	t := nbf.Add(-skew)
-	return !now.Before(t)
-}
-
-func verifyIss(iss string, cmp string, required bool) bool {
-	if iss == "" {
-		return !required
-	}
-
-	return iss == cmp
-}
-
-func verifySub(sub string, cmp PatternFunc, required bool) bool {
-	if sub == "" {
-		return !required
-	}
-
-	return cmp(sub)
-}

validator_option.go

@@ -1,96 +0,0 @@
-package jwt
-
-import (
-	"strings"
-	"time"
-)
-
-// ValidatorOption is used to implement functional-style options that modify the
-// behavior of the validator. To add new options, just create a function
-// (ideally beginning with With or Without) that returns an anonymous function
-// that takes a *Parser type as input and manipulates its configuration
-// accordingly.
-type ValidatorOption func(*Validator)
-
-type PatternFunc func(s string) bool
-
-func HasPrefix(prefix string) PatternFunc {
-	return func(s string) bool {
-		return strings.HasPrefix(s, prefix)
-	}
-}
-
-func Equals(cmp string) PatternFunc {
-	return func(s string) bool {
-		return cmp == s
-	}
-}
-
-// WithLeeway returns the ValidatorOption for specifying the leeway window.
-func WithLeeway(leeway time.Duration) ValidatorOption {
-	return func(v *Validator) {
-		v.leeway = leeway
-	}
-}
-
-// WithTimeFunc returns the ValidatorOption for specifying the time func. The
-// primary use-case for this is testing. If you are looking for a way to account
-// for clock-skew, WithLeeway should be used instead.
-func WithTimeFunc(f func() time.Time) ValidatorOption {
-	return func(v *Validator) {
-		v.timeFunc = f
-	}
-}
-
-// WithIssuedAt returns the ValidatorOption to enable verification
-// of issued-at.
-func WithIssuedAt() ValidatorOption {
-	return func(v *Validator) {
-		v.verifyIat = true
-	}
-}
-
-// WithAudience configures the validator to require the specified audience in
-// the `aud` claim. Validation will fail if the audience is not listed in the
-// token or the `aud` claim is missing.
-//
-// NOTE: While the `aud` claim is OPTIONAL is a JWT, the handling of it is
-// application-specific. Since this validation API is helping developers in
-// writing secure application, we decided to REQUIRE the existence of the claim.
-func WithAudience(aud string) ValidatorOption {
-	return func(v *Validator) {
-		v.expectedAud = aud
-	}
-}
-
-// WithIssuer configures the validator to require the specified issuer in the
-// `iss` claim. Validation will fail if a different issuer is specified in the
-// token or the `iss` claim is missing.
-//
-// NOTE: While the `iss` claim is OPTIONAL is a JWT, the handling of it is
-// application-specific. Since this validation API is helping developers in
-// writing secure application, we decided to REQUIRE the existence of the claim.
-func WithIssuer(iss string) ValidatorOption {
-	return func(v *Validator) {
-		v.expectedIss = iss
-	}
-}
-
-// WithSubject configures the validator to require the specified subject in the
-// `sub` claim. Validation will fail if a different subject is specified in the
-// token or the `sub` claim is missing.
-//
-// NOTE: While the `sub` claim is OPTIONAL is a JWT, the handling of it is
-// application-specific. Since this validation API is helping developers in
-// writing secure application, we decided to REQUIRE the existence of the claim.
-func WithSubject(sub string) ValidatorOption {
-	return func(v *Validator) {
-		v.expectedSubPattern = Equals(sub)
-	}
-}
-
-func WithSubjectPattern(pattern PatternFunc) ValidatorOption {
-	return func(v *Validator) {
-		v.expectedSubPattern = pattern
-	}
-}

validator_test.go

@@ -1,51 +0,0 @@
-package jwt
-
-import (
-	"testing"
-	"time"
-)
-
-func TestValidator_Validate(t *testing.T) {
-	type fields struct {
-		leeway             time.Duration
-		timeFunc           func() time.Time
-		verifyIat          bool
-		expectedAud        string
-		expectedIss        string
-		expectedSubPattern PatternFunc
-	}
-	type args struct {
-		claims Claims
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		args    args
-		wantErr bool
-	}{
-		{
-			name: "with subject pattern",
-			fields: fields{
-				expectedSubPattern: HasPrefix("My"),
-			},
-			args: args{
-				claims: RegisteredClaims{Subject: "MyUser"},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			v := &Validator{
-				leeway:             tt.fields.leeway,
-				timeFunc:           tt.fields.timeFunc,
-				verifyIat:          tt.fields.verifyIat,
-				expectedAud:        tt.fields.expectedAud,
-				expectedIss:        tt.fields.expectedIss,
-				expectedSubPattern: tt.fields.expectedSubPattern,
-			}
-			if err := v.Validate(tt.args.claims); (err != nil) != tt.wantErr {
-				t.Errorf("Validator.Validate() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}