Upgrade to the v4 release of golang-jwt

[abscondment]

There have been a bunch of improvements to the jwt dependency.

According to the golang-jwt/jwt Releases, "any future /v4 work is intended to be backwards-compatible with existing v3.x.y tags."

This appears to be true; all tests pass for recent versions.

bribera@flask:~/code/foss/echo 👻 $ git status
On branch abscondment/jwt-v4
Your branch is up to date with 'abscondment/abscondment/jwt-v4'.

nothing to commit, working tree clean
bribera@flask:~/code/foss/echo 👻 $ git log -1
commit 130b4572b5bd24e75c8657d2699c04cf858c0bd6 (HEAD -> abscondment/jwt-v4, abscondment/abscondment/jwt-v4)
Author: Brendan Ribera <[email protected]>
Date:   Wed Mar 9 11:16:37 2022 -0800

    Upgrade to the v4 release of golang-jwt
    
    According to the [4.0.0 Version History](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md#400),
    the v4 version is backwards compatible with v3.x
bribera@flask:~/code/foss/echo 👻 $ go version
go version go1.17.6 linux/amd64
bribera@flask:~/code/foss/echo 👻 $ go clean -testcache
bribera@flask:~/code/foss/echo 👻 $ make test
ok  	github.com/labstack/echo/v4	0.206s
ok  	github.com/labstack/echo/v4/middleware	0.093s
bribera@flask:~/code/foss/echo 👻 $ make race
ok  	github.com/labstack/echo/v4	0.484s
ok  	github.com/labstack/echo/v4/middleware	0.610s
bribera@flask:~/code/foss/echo 👻 $ make test_version
Unable to find image 'golang:1.15' locally
1.15: Pulling from library/golang
[... snip ...]
ok  	github.com/labstack/echo/v4	1.928s
ok  	github.com/labstack/echo/v4/middleware	0.672s
bribera@flask:~/code/foss/echo 👻 $ make test_version goversion=1.14
Unable to find image 'golang:1.14' locally
1.14: Pulling from library/golang
[...]
ok  	github.com/labstack/echo/v4	0.451s
ok  	github.com/labstack/echo/v4/middleware	0.740s

I noted that make test_version fail for go1.9.7 and go1.10.3 on the master branch, so I omitted them from my testing:

bribera@flask:~/code/foss/echo 👻 $ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
bribera@flask:~/code/foss/echo 👻 $ git log -1
commit 5ebed440aeec1abf7f08cca41cb02f6aaf0d7f6a (HEAD -> master, tag: v4.7.0, origin/master, origin/HEAD)
Author: Roland Lammel <[email protected]>
Date:   Wed Mar 2 23:16:19 2022 +0100

    Update version to v4.7.0
bribera@flask:~/code/foss/echo 👻 $ make test_version goversion=1.9.7
warning: "github.com/labstack/echo/..." matched no packages
# golang.org/x/tools/internal/typeparams
/go/src/golang.org/x/tools/internal/typeparams/normalize.go:162:17: u.EmbeddedType undefined (type *types.Interface has no field or method EmbeddedType)
Makefile:12: recipe for target 'init' failed
make: *** [init] Error 2
make: *** [Makefile:34: test_version] Error 2
bribera@flask:~/code/foss/echo 👻 $ make test_version goversion=1.10.3
warning: "github.com/labstack/echo/..." matched no packages
# golang.org/x/tools/internal/typeparams
/go/src/golang.org/x/tools/internal/typeparams/normalize.go:162:17: u.EmbeddedType undefined (type *types.Interface has no field or method EmbeddedType)
Makefile:12: recipe for target 'init' failed
make: *** [init] Error 2
make: *** [Makefile:34: test_version] Error 2

[aldas]

This would be breaking change. This will come with v5

Changing to v4 would break casts in handlers that people (unaware of upgrade) are using when getting token value from context store. If golang-jwt/v4 is really needed please see workarounds for it:

• Update JWT library version #1972 (comment)
• In regards `dgrijalva/jwt-go` CVE #1940

import (
"github.com/golang-jwt/jwt/v4"
)

...
...
...

signingKey := []byte("secret")

config := middleware.JWTConfig{
  TokenLookup: "query:token",
  ParseTokenFunc: func(auth string, c echo.Context) (interface{}, error) {
    keyFunc := func(t *jwt.Token) (interface{}, error) {
      if t.Method.Alg() != "HS256" {
        return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
      }
      return signingKey, nil
    }

    // claims are of type `jwt.MapClaims` when token is created with `jwt.Parse`
    token, err := jwt.Parse(auth, keyFunc)
    if err != nil {
      return nil, err
    }
    if !token.Valid {
      return nil, errors.New("invalid token")
    }
    return token, nil
  },
}

e.Use(middleware.JWTWithConfig(config))

[abscondment]

Makes sense, @aldas - thanks for the response. I thought I'd done a thorough search for this change in closed PRs, but I guess I missed it! We can wait for v5 :)

[aldas]

For history sake. Release v4.10.0 marked JWT middleware as deprecated in core and recommends separate repository https://github.com/labstack/echo-jwt that uses newer version of github.com/golang-jwt/jwt