Merge pull request #282 from matthiasthomas/jwt-v5

LyricTian · web-flow · commit fb61132b3764 · 2025-04-01T16:09:31.000+08:00
chore: update to JWT v5 to fix vulnerability GO-2025-3553
diff --git a/generates/jwt_access.go b/generates/jwt_access.go
@@ -8,18 +8,18 @@ import (
 
 	"github.com/go-oauth2/oauth2/v4"
 	"github.com/go-oauth2/oauth2/v4/errors"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 )
 
 // JWTAccessClaims jwt claims
 type JWTAccessClaims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 }
 
 // Valid claims verification
 func (a *JWTAccessClaims) Valid() error {
-	if time.Unix(a.ExpiresAt, 0).Before(time.Now()) {
+	if a.ExpiresAt != nil && time.Unix(a.ExpiresAt.Unix(), 0).Before(time.Now()) {
 		return errors.ErrInvalidAccessToken
 	}
 	return nil
@@ -44,10 +44,10 @@ type JWTAccessGenerate struct {
 // Token based on the UUID generated token
 func (a *JWTAccessGenerate) Token(ctx context.Context, data *oauth2.GenerateBasic, isGenRefresh bool) (string, string, error) {
 	claims := &JWTAccessClaims{
-		StandardClaims: jwt.StandardClaims{
-			Audience:  data.Client.GetID(),
+		RegisteredClaims: jwt.RegisteredClaims{
+			Audience:  jwt.ClaimStrings{data.Client.GetID()},
 			Subject:   data.UserID,
-			ExpiresAt: data.TokenInfo.GetAccessCreateAt().Add(data.TokenInfo.GetAccessExpiresIn()).Unix(),
+			ExpiresAt: jwt.NewNumericDate(data.TokenInfo.GetAccessCreateAt().Add(data.TokenInfo.GetAccessExpiresIn())),
 		},
 	}
 
diff --git a/generates/jwt_access_test.go b/generates/jwt_access_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/go-oauth2/oauth2/v4"
 	"github.com/go-oauth2/oauth2/v4/generates"
 	"github.com/go-oauth2/oauth2/v4/models"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	. "github.com/smartystreets/goconvey/convey"
 )
@@ -45,7 +45,10 @@ func TestJWTAccess(t *testing.T) {
 		claims, ok := token.Claims.(*generates.JWTAccessClaims)
 		So(ok, ShouldBeTrue)
 		So(token.Valid, ShouldBeTrue)
-		So(claims.Audience, ShouldEqual, "123456")
+		aud, err := claims.GetAudience()
+		So(err, ShouldBeNil)
+		So(len(aud), ShouldEqual, 1)
+		So(aud[0], ShouldEqual, "123456")
 		So(claims.Subject, ShouldEqual, "000000")
 	})
 }
