From 11a7aa34d390b3dd2a06a5264b1d54844492e81c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 23:23:45 +0000 Subject: [PATCH 1/2] chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.0.0 to 4.5.1 Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.0.0 to 4.5.1. - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md) - [Commits](https://github.com/golang-jwt/jwt/compare/v4.0.0...v4.5.1) --- updated-dependencies: - dependency-name: github.com/golang-jwt/jwt/v4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 401f3d356f..64ecbc43c4 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/NYTimes/gziphandler v1.1.1
 github.com/abbot/go-http-auth v0.4.0
 github.com/bouk/httprouter v0.0.0-20160817010721-ee8b3818a7f5
- github.com/golang-jwt/jwt/v4 v4.0.0
+ github.com/golang-jwt/jwt/v4 v4.5.1
 github.com/google/go-cmp v0.5.5
 github.com/google/go-github v17.0.0+incompatible
 github.com/google/uuid v1.1.2
diff --git a/go.sum b/go.sum
index 993f0d72da..838f37046f 100644
--- a/go.sum
+++ b/go.sum
@@ -259,8 +259,8 @@ github.com/gogo/protobuf v1.2.2-0.20190730201129-28a6bbf47e48/go.mod h1:SlYgWuQ5
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.0.0 h1:RAqyYixv1p7uEnocuy8P1nru5wprCh/MH2BIlW5z5/o=
-github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/gddo v0.0.0-20181116215533-9bd4a3295021/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/geo v0.0.0-20190916061304-5b978397cfec h1:lJwO/92dFXWeXOZdoGXgptLmNLwynMSHUmU6besqtiw=
 github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
From e6961874c3a73c89e8652e6c64c9ed7a85e21cbf Mon Sep 17 00:00:00 2001 From: Jakub Bednar Date: Wed, 20 Nov 2024 05:47:58 +0100 Subject: [PATCH 2/2] fix(tests): `jwt` library change behaviour about ExpiresAt - when indicate presents = invalid This is correct behaviour as it is in alignment with specification. For more info see: - https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 - https://github.com/golang-jwt/jwt/releases/tag/v4.1.0 - https://github.com/golang-jwt/jwt/pull/86 --- oauth2/jwt_test.go | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/oauth2/jwt_test.go b/oauth2/jwt_test.go
index 8c18ee8079..dc666267ae 100644
--- a/oauth2/jwt_test.go
+++ b/oauth2/jwt_test.go
@@ -83,7 +83,7 @@ func TestAuthenticate(t *testing.T) {
 {
 Desc: "Test jwt with empty subject is invalid",
 Secret: "secret",
- Token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOi00NDY3NzQ0MDAsImV4cCI6LTQ0Njc3NDQwMCwibmJmIjotNDQ2Nzc0NDAwfQ.gxsA6_Ei3s0f2I1TAtrrb8FmGiO25OqVlktlF_ylhX4",
+ Token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOi00NDY3NzQ0MDAsImV4cCI6LTQ0Njc3NDM5OSwibmJmIjotNDQ2Nzc0NDAwfQ.Ik90GX1cLvTQzkFvKgBxDPIi-GZsIqFhqQlCxek9TPg",
 Duration: time.Second,
 Principal: oauth2.Principal{
 Subject: "",
@@ -104,6 +104,18 @@ func TestAuthenticate(t *testing.T) {
 },
 Err: errors.New("claims duration is different from auth lifespan"),
 },
+ {
+ Desc: "Test expiration time is present",
+ Secret: "secret",
+ Token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIvY2hyb25vZ3JhZi92MS91c2Vycy8xIiwibmFtZSI6IkRvYyBCcm93biIsImlhdCI6LTQ0Njc3NDQwMCwiZXhwIjotNDQ2Nzc0NDAwLCJuYmYiOi00NDY3NzQ0MDB9._rZ4gOIei9PizHOABH6kLcJTA3jm8ls0YnDxtz1qeUI",
+ Duration: time.Second,
+ Principal: oauth2.Principal{
+ Subject: "/chronograf/v1/users/1",
+ ExpiresAt: history.Add(time.Second),
+ IssuedAt: history,
+ },
+ Err: errors.New("token is expired by 0s"),
+ },
 }
 for _, test := range tests {
 j := oauth2.JWT{
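Review bot: The replacement `Token` in the "Test jwt with empty subject is invalid" case (hunk `@@ -83,7 +83,7 @@`) is an opaque base64 string, so the test does not show why it changed or how it differs from the old one. Decoding both payloads shows the only difference is `exp` moving from -446774400 to -446774399, one second after `iat` and matching `Duration: time.Second`; presumably this keeps the token unexpired at the test clock so the case is still rejected for its empty subject rather than for expiry (the expected `Err` and the clock setup are outside the hunk). A comment above the field would make that visible: `// payload {"iat":-446774400,"exp":-446774399,"nbf":-446774400}: exp = iat+1s so expiry is not what rejects this token`. The token added in the second hunk (`@@ -104,6 +104,18 @@`) would benefit from the same kind of payload comment.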
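Review bot: `Desc: "Test expiration time is present"` in the case added by hunk `@@ -104,6 +104,18 @@` does not say what is asserted: the token's payload has `exp` equal to `iat` and `nbf` (-446774400) and the expected result is `errors.New("token is expired by 0s")`, so the case appears to pin the boundary where a token is rejected at the exact instant of its `exp` (assuming the test clock is `history`, which is set outside the hunk). A description such as `Desc: "Test token whose exp equals the current time is rejected as expired",` would state that security-relevant boundary directly. The expected `Principal` also sets `ExpiresAt: history.Add(time.Second)`, which does not match the token's `exp`; the comparison loop only begins at the end of this hunk, so whether that field is checked on the error path cannot be confirmed here, but it deserves a comment or removal. Matching the library's literal message string ties the case to golang-jwt's wording, so a later dependency bump that rephrases the message would fail it for a reason unrelated to expiry handling.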