Refactor jwt.StandardClaims to RegisteredClaims (#18344)
* Refactor jwt.StandardClaims to RegisteredClaims go-jwt/jwt has deprecated the StandardClaims interface to use RegisteredClaims instead. This PR migrates to use this new format. Signed-off-by: Andrew Thornton <art27@cantab.net> * Apply suggestions from code review Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <williamzijl7@hotmail.com>
This commit is contained in:
parent
54e9ee37a7
commit
44deae8f3d
5 changed files with 19 additions and 27 deletions
|
@ -253,10 +253,9 @@ func runServ(c *cli.Context) error {
|
||||||
|
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
claims := lfs.Claims{
|
claims := lfs.Claims{
|
||||||
// FIXME: we need to migrate to RegisteredClaims
|
RegisteredClaims: jwt.RegisteredClaims{
|
||||||
StandardClaims: jwt.StandardClaims{ // nolint
|
ExpiresAt: jwt.NewNumericDate(now.Add(setting.LFS.HTTPAuthExpiry)),
|
||||||
ExpiresAt: now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
|
NotBefore: jwt.NewNumericDate(now),
|
||||||
NotBefore: now.Unix(),
|
|
||||||
},
|
},
|
||||||
RepoID: results.RepoID,
|
RepoID: results.RepoID,
|
||||||
Op: lfsVerb,
|
Op: lfsVerb,
|
||||||
|
|
|
@ -149,9 +149,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
|
||||||
accessToken := &oauth2.Token{
|
accessToken := &oauth2.Token{
|
||||||
GrantID: grant.ID,
|
GrantID: grant.ID,
|
||||||
Type: oauth2.TypeAccessToken,
|
Type: oauth2.TypeAccessToken,
|
||||||
// FIXME: Migrate to RegisteredClaims
|
RegisteredClaims: jwt.RegisteredClaims{
|
||||||
StandardClaims: jwt.StandardClaims{ //nolint
|
ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()),
|
||||||
ExpiresAt: expirationDate.AsTime().Unix(),
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
signedAccessToken, err := accessToken.SignToken(serverKey)
|
signedAccessToken, err := accessToken.SignToken(serverKey)
|
||||||
|
@ -163,14 +162,13 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
|
||||||
}
|
}
|
||||||
|
|
||||||
// generate refresh token to request an access token after it expired later
|
// generate refresh token to request an access token after it expired later
|
||||||
refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()
|
refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime()
|
||||||
refreshToken := &oauth2.Token{
|
refreshToken := &oauth2.Token{
|
||||||
GrantID: grant.ID,
|
GrantID: grant.ID,
|
||||||
Counter: grant.Counter,
|
Counter: grant.Counter,
|
||||||
Type: oauth2.TypeRefreshToken,
|
Type: oauth2.TypeRefreshToken,
|
||||||
// FIXME: Migrate to RegisteredClaims
|
RegisteredClaims: jwt.RegisteredClaims{ // nolint
|
||||||
StandardClaims: jwt.StandardClaims{ // nolint
|
ExpiresAt: jwt.NewNumericDate(refreshExpirationDate),
|
||||||
ExpiresAt: refreshExpirationDate,
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
signedRefreshToken, err := refreshToken.SignToken(serverKey)
|
signedRefreshToken, err := refreshToken.SignToken(serverKey)
|
||||||
|
@ -207,11 +205,10 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
|
||||||
}
|
}
|
||||||
|
|
||||||
idToken := &oauth2.OIDCToken{
|
idToken := &oauth2.OIDCToken{
|
||||||
// FIXME: migrate to RegisteredClaims
|
RegisteredClaims: jwt.RegisteredClaims{
|
||||||
StandardClaims: jwt.StandardClaims{ //nolint
|
ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()),
|
||||||
ExpiresAt: expirationDate.AsTime().Unix(),
|
|
||||||
Issuer: setting.AppURL,
|
Issuer: setting.AppURL,
|
||||||
Audience: app.ClientID,
|
Audience: []string{app.ClientID},
|
||||||
Subject: fmt.Sprint(grant.UserID),
|
Subject: fmt.Sprint(grant.UserID),
|
||||||
},
|
},
|
||||||
Nonce: grant.Nonce,
|
Nonce: grant.Nonce,
|
||||||
|
@ -329,8 +326,7 @@ func IntrospectOAuth(ctx *context.Context) {
|
||||||
var response struct {
|
var response struct {
|
||||||
Active bool `json:"active"`
|
Active bool `json:"active"`
|
||||||
Scope string `json:"scope,omitempty"`
|
Scope string `json:"scope,omitempty"`
|
||||||
// FIXME: Migrate to RegisteredClaims
|
jwt.RegisteredClaims
|
||||||
jwt.StandardClaims //nolint
|
|
||||||
}
|
}
|
||||||
|
|
||||||
form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
|
form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
|
||||||
|
@ -344,7 +340,7 @@ func IntrospectOAuth(ctx *context.Context) {
|
||||||
response.Active = true
|
response.Active = true
|
||||||
response.Scope = grant.Scope
|
response.Scope = grant.Scope
|
||||||
response.Issuer = setting.AppURL
|
response.Issuer = setting.AppURL
|
||||||
response.Audience = app.ClientID
|
response.Audience = []string{app.ClientID}
|
||||||
response.Subject = fmt.Sprint(grant.UserID)
|
response.Subject = fmt.Sprint(grant.UserID)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,7 +44,7 @@ func CheckOAuthAccessToken(accessToken string) int64 {
|
||||||
if token.Type != oauth2.TypeAccessToken {
|
if token.Type != oauth2.TypeAccessToken {
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
|
if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
return grant.UserID
|
return grant.UserID
|
||||||
|
|
|
@ -37,8 +37,7 @@ type Token struct {
|
||||||
GrantID int64 `json:"gnt"`
|
GrantID int64 `json:"gnt"`
|
||||||
Type TokenType `json:"tt"`
|
Type TokenType `json:"tt"`
|
||||||
Counter int64 `json:"cnt,omitempty"`
|
Counter int64 `json:"cnt,omitempty"`
|
||||||
// FIXME: Migrate to registered claims
|
jwt.RegisteredClaims
|
||||||
jwt.StandardClaims
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// ParseToken parses a signed jwt string
|
// ParseToken parses a signed jwt string
|
||||||
|
@ -62,7 +61,7 @@ func ParseToken(jwtToken string, signingKey JWTSigningKey) (*Token, error) {
|
||||||
|
|
||||||
// SignToken signs the token with the JWT secret
|
// SignToken signs the token with the JWT secret
|
||||||
func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
|
func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
|
||||||
token.IssuedAt = time.Now().Unix()
|
token.IssuedAt = jwt.NewNumericDate(time.Now())
|
||||||
jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
|
jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
|
||||||
signingKey.PreProcessToken(jwtToken)
|
signingKey.PreProcessToken(jwtToken)
|
||||||
return jwtToken.SignedString(signingKey.SignKey())
|
return jwtToken.SignedString(signingKey.SignKey())
|
||||||
|
@ -70,8 +69,7 @@ func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
|
||||||
|
|
||||||
// OIDCToken represents an OpenID Connect id_token
|
// OIDCToken represents an OpenID Connect id_token
|
||||||
type OIDCToken struct {
|
type OIDCToken struct {
|
||||||
// FIXME: Migrate to RegisteredClaims
|
jwt.RegisteredClaims
|
||||||
jwt.StandardClaims
|
|
||||||
Nonce string `json:"nonce,omitempty"`
|
Nonce string `json:"nonce,omitempty"`
|
||||||
|
|
||||||
// Scope profile
|
// Scope profile
|
||||||
|
@ -93,7 +91,7 @@ type OIDCToken struct {
|
||||||
|
|
||||||
// SignToken signs an id_token with the (symmetric) client secret key
|
// SignToken signs an id_token with the (symmetric) client secret key
|
||||||
func (token *OIDCToken) SignToken(signingKey JWTSigningKey) (string, error) {
|
func (token *OIDCToken) SignToken(signingKey JWTSigningKey) (string, error) {
|
||||||
token.IssuedAt = time.Now().Unix()
|
token.IssuedAt = jwt.NewNumericDate(time.Now())
|
||||||
jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
|
jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
|
||||||
signingKey.PreProcessToken(jwtToken)
|
signingKey.PreProcessToken(jwtToken)
|
||||||
return jwtToken.SignedString(signingKey.SignKey())
|
return jwtToken.SignedString(signingKey.SignKey())
|
||||||
|
|
|
@ -45,8 +45,7 @@ type Claims struct {
|
||||||
RepoID int64
|
RepoID int64
|
||||||
Op string
|
Op string
|
||||||
UserID int64
|
UserID int64
|
||||||
// FIXME: Migrate to RegisteredClaims
|
jwt.RegisteredClaims
|
||||||
jwt.StandardClaims
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// DownloadLink builds a URL to download the object.
|
// DownloadLink builds a URL to download the object.
|
||||||
|
|
Reference in a new issue