Update module github.com/golang-jwt/jwt to v4 (#930)

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/930
Co-authored-by: renovate <renovatebot@kolaente.de>
Co-committed-by: renovate <renovatebot@kolaente.de>

pkg/integrations/integrations.go

@@ -35,7 +35,7 @@ import (
 	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/web"
 	"code.vikunja.io/web/handler"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 	"github.com/stretchr/testify/assert"
 )

pkg/models/link_sharing.go

@@ -26,7 +26,7 @@ import (
 	"code.vikunja.io/api/pkg/utils"
 
 	"code.vikunja.io/web"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"golang.org/x/crypto/bcrypt"
 	"xorm.io/builder"
 	"xorm.io/xorm"

pkg/modules/auth/auth.go

@@ -24,7 +24,7 @@ import (
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/web"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 )
 

pkg/routes/api/v1/login.go

@@ -27,7 +27,7 @@ import (
 	user2 "code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/web/handler"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 )
 

pkg/routes/api/v1/token_check.go

@@ -20,7 +20,7 @@ import (
 	"fmt"
 
 	"code.vikunja.io/api/pkg/models"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 )
 

pkg/routes/routes.go

@@ -47,6 +47,8 @@
 package routes
 
 import (
+	"errors"
+	"fmt"
 	"strings"
 	"time"
 
@@ -73,9 +75,11 @@ import (
 	"code.vikunja.io/api/pkg/version"
 	"code.vikunja.io/web"
 	"code.vikunja.io/web/handler"
+
 	"github.com/asaskevich/govalidator"
 	"github.com/getsentry/sentry-go"
 	sentryecho "github.com/getsentry/sentry-go/echo"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 	elog "github.com/labstack/gommon/log"
@@ -257,7 +261,27 @@ func registerAPIRoutes(a *echo.Group) {
 
 	// ===== Routes with Authetication =====
 	// Authetification
-	a.Use(middleware.JWT([]byte(config.ServiceJWTSecret.GetString())))
+	a.Use(middleware.JWTWithConfig(middleware.JWTConfig{
+		// Custom parse function to make the middleware work with the github.com/golang-jwt/jwt/v4 package.
+		// See https://github.com/labstack/echo/pull/1916#issuecomment-878046299
+		ParseTokenFunc: func(auth string, c echo.Context) (interface{}, error) {
+			keyFunc := func(t *jwt.Token) (interface{}, error) {
+				if t.Method.Alg() != "HS256" {
+					return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
+				}
+				return []byte(config.ServiceJWTSecret.GetString()), nil
+			}
+
+			token, err := jwt.Parse(auth, keyFunc)
+			if err != nil {
+				return nil, err
+			}
+			if !token.Valid {
+				return nil, errors.New("invalid token")
+			}
+			return token, nil
+		},
+	}))
 
 	// Rate limit
 	setupRateLimit(a, config.RateLimitKind.GetString())

pkg/user/user.go

@@ -30,7 +30,7 @@ import (
 	"code.vikunja.io/api/pkg/notifications"
 
 	"code.vikunja.io/web"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 	"golang.org/x/crypto/bcrypt"
 	"xorm.io/xorm"