
echo-jwt's Issues

Error when `NewClaimsFunc` returns value object

Edit the sample below so that NewClaimsFunc returns a value object.
https://echo.labstack.com/docs/cookbook/jwt

NewClaimsFunc: func(c echo.Context) jwt.Claims {
	return jwtCustomClaims{}
},

The following error occurs.

token is malformed: could not JSON decode claim: json: cannot unmarshal object into Go value of type jwt.Claims

I think it would be a good idea to add a check to see if Claims is a pointer.
Below is an example of a json package.
https://cs.opensource.google/go/go/+/refs/tags/go1.22.2:src/encoding/json/decode.go;l=172-175

I also think it would be effective to add this to the NewClaimsFunc documentation.
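
Added example (not part of the issue, and not echo-jwt or golang-jwt code): a standard-library sketch of why a value result produces this error and what the proposed pointer check could look like. `Claims`, `customClaims`, `decodeClaims`, `decodeClaimsChecked` and `ErrClaimsNotPointer` are hypothetical names, with `Claims` standing in for `jwt.Claims`; it assumes the decode step unmarshals into the interface variable, as the error text indicates, and the payload is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// Claims stands in for jwt.Claims (assumption): any non-empty interface behaves alike.
type Claims interface {
	GetSubject() string
}

// customClaims is hypothetical; its value receiver lets both T and *T satisfy Claims.
type customClaims struct {
	Subject string `json:"sub"`
}

func (c customClaims) GetSubject() string { return c.Subject }

// ErrClaimsNotPointer is the early, descriptive failure the issue asks for.
var ErrClaimsNotPointer = errors.New("NewClaimsFunc must return a non-nil pointer")

// decodeClaims unmarshals into the interface variable. encoding/json only
// looks through an interface when it holds a non-nil pointer.
func decodeClaims(payload []byte, claims Claims) (Claims, error) {
	err := json.Unmarshal(payload, &claims)
	return claims, err
}

// decodeClaimsChecked rejects non-pointer claims before any decoding happens.
func decodeClaimsChecked(payload []byte, claims Claims) (Claims, error) {
	rv := reflect.ValueOf(claims)
	if rv.Kind() != reflect.Pointer || rv.IsNil() {
		return nil, fmt.Errorf("%w, got %T", ErrClaimsNotPointer, claims)
	}
	return decodeClaims(payload, claims)
}

func main() {
	payload := []byte(`{"sub":"alice"}`) // constructed sample payload
	_, err := decodeClaims(payload, customClaims{})
	fmt.Println("value:  ", err)
	c, err := decodeClaims(payload, &customClaims{})
	fmt.Println("pointer:", c.GetSubject(), err)
	_, err = decodeClaimsChecked(payload, customClaims{})
	fmt.Println("checked:", err)
}
```

Without the check, the mistake only surfaces per request as a "token is malformed" error, which reads like a bad token rather than a configuration bug.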

TODO: delete `CreateExtractors` logic in this library and use echo.CreateExtractors instead

I copy/pasted CreateExtractors logic from Echo core library here because it was made public in v4.10.0 but this library supports Echo versions v4.7.0+.

Let's wait some time (maybe until summer 2023) and, to reduce code duplication, delete the CreateExtractors logic in this library and use echo.CreateExtractors instead.

P.S. Do not delete the public methods - make them use core. Unfortunately, I made them public.

Pass echo.Context to KeyFunc

At my company, we have our own authorization server which signs tokens using private/public RSA keys. We therefore would like to use tracing when having to fetch public keys for validating tokens on one of our resource servers.

Therefore, it would be great to pass the context into the KeyFunc, as this would allow us to use tracing.
Right now, we are just using ParseTokenFunc which gets the context, and then we do our key lookup with tracing.

I can make a PR if you would like this change to be implemented :)

Respect semver 2.0.0

Greetings!
According to go.dev, every go.mod dependency must respect semantic versioning, because many Go tools rely on it.
A lib maintainer can NOT ignore the rule just because he wishes to.
I strongly suggest making echo-jwt follow all common Golang agreements.
Otherwise, I would recommend everyone to avoid this lib and use their own or 3rd-party JWT middleware.

Remove CanonicalMIMEHeaderKey()

I think we can remove this line:

header = textproto.CanonicalMIMEHeaderKey(header)

The net/http/header.go already converts this for us:

// Values returns all values associated with the given key.
// It is case insensitive; textproto.CanonicalMIMEHeaderKey is
// used to canonicalize the provided key. To use non-canonical
// keys, access the map directly.
// The returned slice is not a copy.
func (h Header) Values(key string) []string {
	return textproto.MIMEHeader(h).Values(key)
}

https://pkg.go.dev/net/http#Header.Values

Middleware stopped working after upgrade to golang-jwt v5

Starting from the golang-jwt v5 upgrade, this middleware library stopped working.

This is my scenario:

// here the instance of echo-jwt middleware
jwtHeaderMiddleware := echojwt.WithConfig(echojwt.Config{
		Skipper: func(c echo.Context) bool {
			if c.Request().Header.Get("x-token") == "" {
				return true
			}
			return false
		},
		ContextKey:  "token",
		SigningKey:  []byte(conf.Auth.Key),
		TokenLookup: "header:x-token",
		ErrorHandler: func(c echo.Context, err error) error {
			log.Println("jwt query decode error", err.Error())
			return rest.SendError(c, http.StatusUnauthorized, errs.ErrInvalidSession)
		},
		NewClaimsFunc: func(c echo.Context) jwt.Claims {
			return new(jwt.RegisteredClaims)
		},
})

// here the extraction of the token from the echo context
func extractClaim(c echo.Context) *jwt.RegisteredClaims {

	i := c.Get("token")
	if i == nil {
		// THIS IS ALWAYS NULL!
		log.Println("token key is null")
		return nil
	}

	// comma-ok form: a failed assertion is logged instead of panicking
	token, ok := i.(*jwt.Token)

	if !ok || token == nil {
		log.Println("cannot cast token key to jwt.Token")
		return nil
	}
	...
}

// middleware to extract the token
func extractTokenMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		claims := extractClaim(c)

		if claims == nil {
			return next(c)
		}
		userId := claims.Subject

		if userId == "" {
			return next(c)
		}

		user, err := db.Users.Get(userId)
		if err != nil {
			return rest.SendError(c, http.StatusInternalServerError, errs.ErrGeneric)
		}

		c.Set("userData", user)
		return next(c)
	}
}

...
service := echo.New()
...
apiGroup := service.Group("/api", jwtHeaderMiddleware, extractTokenMiddleware)
...

The problem seems to be the missing synchronization between the middleware functions.

I was expecting that extractTokenMiddleware is called after jwtHeaderMiddleware but, in your library, the call of

c.Set(config.ContextKey, token)

is done after the extractTokenMiddleware (so far, that is what I've seen from debugging).
