Refactor jwt.StandardClaims to RegisteredClaims (#18344)

* Refactor jwt.StandardClaims to RegisteredClaims

go-jwt/jwt has deprecated the StandardClaims interface to use RegisteredClaims
instead. This PR migrates to use this new format.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Apply suggestions from code review

Co-authored-by: Gusted <williamzijl7@hotmail.com>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Gusted <williamzijl7@hotmail.com>
This commit is contained in:
zeripath 2022-01-20 21:52:56 +00:00 committed by GitHub
parent 54e9ee37a7
commit 44deae8f3d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 19 additions and 27 deletions

View file

@ -253,10 +253,9 @@ func runServ(c *cli.Context) error {
now := time.Now() now := time.Now()
claims := lfs.Claims{ claims := lfs.Claims{
// FIXME: we need to migrate to RegisteredClaims RegisteredClaims: jwt.RegisteredClaims{
StandardClaims: jwt.StandardClaims{ // nolint ExpiresAt: jwt.NewNumericDate(now.Add(setting.LFS.HTTPAuthExpiry)),
ExpiresAt: now.Add(setting.LFS.HTTPAuthExpiry).Unix(), NotBefore: jwt.NewNumericDate(now),
NotBefore: now.Unix(),
}, },
RepoID: results.RepoID, RepoID: results.RepoID,
Op: lfsVerb, Op: lfsVerb,

View file

@ -149,9 +149,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
accessToken := &oauth2.Token{ accessToken := &oauth2.Token{
GrantID: grant.ID, GrantID: grant.ID,
Type: oauth2.TypeAccessToken, Type: oauth2.TypeAccessToken,
// FIXME: Migrate to RegisteredClaims RegisteredClaims: jwt.RegisteredClaims{
StandardClaims: jwt.StandardClaims{ //nolint ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()),
ExpiresAt: expirationDate.AsTime().Unix(),
}, },
} }
signedAccessToken, err := accessToken.SignToken(serverKey) signedAccessToken, err := accessToken.SignToken(serverKey)
@ -163,14 +162,13 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
} }
// generate refresh token to request an access token after it expired later // generate refresh token to request an access token after it expired later
refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix() refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime()
refreshToken := &oauth2.Token{ refreshToken := &oauth2.Token{
GrantID: grant.ID, GrantID: grant.ID,
Counter: grant.Counter, Counter: grant.Counter,
Type: oauth2.TypeRefreshToken, Type: oauth2.TypeRefreshToken,
// FIXME: Migrate to RegisteredClaims RegisteredClaims: jwt.RegisteredClaims{ // nolint
StandardClaims: jwt.StandardClaims{ // nolint ExpiresAt: jwt.NewNumericDate(refreshExpirationDate),
ExpiresAt: refreshExpirationDate,
}, },
} }
signedRefreshToken, err := refreshToken.SignToken(serverKey) signedRefreshToken, err := refreshToken.SignToken(serverKey)
@ -207,11 +205,10 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
} }
idToken := &oauth2.OIDCToken{ idToken := &oauth2.OIDCToken{
// FIXME: migrate to RegisteredClaims RegisteredClaims: jwt.RegisteredClaims{
StandardClaims: jwt.StandardClaims{ //nolint ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()),
ExpiresAt: expirationDate.AsTime().Unix(),
Issuer: setting.AppURL, Issuer: setting.AppURL,
Audience: app.ClientID, Audience: []string{app.ClientID},
Subject: fmt.Sprint(grant.UserID), Subject: fmt.Sprint(grant.UserID),
}, },
Nonce: grant.Nonce, Nonce: grant.Nonce,
@ -329,8 +326,7 @@ func IntrospectOAuth(ctx *context.Context) {
var response struct { var response struct {
Active bool `json:"active"` Active bool `json:"active"`
Scope string `json:"scope,omitempty"` Scope string `json:"scope,omitempty"`
// FIXME: Migrate to RegisteredClaims jwt.RegisteredClaims
jwt.StandardClaims //nolint
} }
form := web.GetForm(ctx).(*forms.IntrospectTokenForm) form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
@ -344,7 +340,7 @@ func IntrospectOAuth(ctx *context.Context) {
response.Active = true response.Active = true
response.Scope = grant.Scope response.Scope = grant.Scope
response.Issuer = setting.AppURL response.Issuer = setting.AppURL
response.Audience = app.ClientID response.Audience = []string{app.ClientID}
response.Subject = fmt.Sprint(grant.UserID) response.Subject = fmt.Sprint(grant.UserID)
} }
} }

View file

@ -44,7 +44,7 @@ func CheckOAuthAccessToken(accessToken string) int64 {
if token.Type != oauth2.TypeAccessToken { if token.Type != oauth2.TypeAccessToken {
return 0 return 0
} }
if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() { if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
return 0 return 0
} }
return grant.UserID return grant.UserID

View file

@ -37,8 +37,7 @@ type Token struct {
GrantID int64 `json:"gnt"` GrantID int64 `json:"gnt"`
Type TokenType `json:"tt"` Type TokenType `json:"tt"`
Counter int64 `json:"cnt,omitempty"` Counter int64 `json:"cnt,omitempty"`
// FIXME: Migrate to registered claims jwt.RegisteredClaims
jwt.StandardClaims
} }
// ParseToken parses a signed jwt string // ParseToken parses a signed jwt string
@ -62,7 +61,7 @@ func ParseToken(jwtToken string, signingKey JWTSigningKey) (*Token, error) {
// SignToken signs the token with the JWT secret // SignToken signs the token with the JWT secret
func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) { func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
token.IssuedAt = time.Now().Unix() token.IssuedAt = jwt.NewNumericDate(time.Now())
jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token) jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
signingKey.PreProcessToken(jwtToken) signingKey.PreProcessToken(jwtToken)
return jwtToken.SignedString(signingKey.SignKey()) return jwtToken.SignedString(signingKey.SignKey())
@ -70,8 +69,7 @@ func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
// OIDCToken represents an OpenID Connect id_token // OIDCToken represents an OpenID Connect id_token
type OIDCToken struct { type OIDCToken struct {
// FIXME: Migrate to RegisteredClaims jwt.RegisteredClaims
jwt.StandardClaims
Nonce string `json:"nonce,omitempty"` Nonce string `json:"nonce,omitempty"`
// Scope profile // Scope profile
@ -93,7 +91,7 @@ type OIDCToken struct {
// SignToken signs an id_token with the (symmetric) client secret key // SignToken signs an id_token with the (symmetric) client secret key
func (token *OIDCToken) SignToken(signingKey JWTSigningKey) (string, error) { func (token *OIDCToken) SignToken(signingKey JWTSigningKey) (string, error) {
token.IssuedAt = time.Now().Unix() token.IssuedAt = jwt.NewNumericDate(time.Now())
jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token) jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
signingKey.PreProcessToken(jwtToken) signingKey.PreProcessToken(jwtToken)
return jwtToken.SignedString(signingKey.SignKey()) return jwtToken.SignedString(signingKey.SignKey())

View file

@ -45,8 +45,7 @@ type Claims struct {
RepoID int64 RepoID int64
Op string Op string
UserID int64 UserID int64
// FIXME: Migrate to RegisteredClaims jwt.RegisteredClaims
jwt.StandardClaims
} }
// DownloadLink builds a URL to download the object. // DownloadLink builds a URL to download the object.