From 90d534db91e633afaf21912baa0958666419d63c Mon Sep 17 00:00:00 2001 From: "tarcisio.nunes" Date: Fri, 13 May 2022 14:27:33 -0300 Subject: [PATCH 1/6] add jwks support --- jwtauth.go | 26 ++++++++++++- jwtauth_test.go | 98 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 123 insertions(+), 1 deletion(-) diff --git a/jwtauth.go b/jwtauth.go index a03731a..1ffe742 100644 --- a/jwtauth.go +++ b/jwtauth.go @@ -2,12 +2,15 @@ package jwtauth import ( "context" + "encoding/json" "errors" + "fmt" "net/http" "strings" "time" "github.com/lestrrat-go/jwx/v2/jwa" + "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" ) @@ -17,6 +20,7 @@ type JWTAuth struct { verifyKey interface{} // public-key, only used by RSA and ECDSA algorithms verifier jwt.ParseOption validateOptions []jwt.ValidateOption + keySet jwk.Set } var ( @@ -50,6 +54,19 @@ func New(alg string, signKey interface{}, verifyKey interface{}, validateOptions return ja } +func NewKeySet(set []byte) (*JWTAuth, error) { + keySet := jwk.NewSet() + err := json.Unmarshal(set, &keySet) + if err != nil { + return nil, err + } + + ja := &JWTAuth{keySet: keySet} + ja.verifier = jwt.WithKeySet(keySet) + + return ja, nil +} + // Verifier http middleware handler will verify a JWT string from a http request. // // Verifier will search for a JWT token in a http request, in the order: @@ -69,7 +86,10 @@ func Verifier(ja *JWTAuth) func(http.Handler) http.Handler { return Verify(ja, TokenFromHeader, TokenFromCookie) } -func Verify(ja *JWTAuth, findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { +func Verify(ja *JWTAuth, findTokenFns ...func(r *http. + Request) string) func( + http. + Handler) http.Handler { return func(next http.Handler) http.Handler { hfn := func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() @@ -120,6 +140,10 @@ func VerifyToken(ja *JWTAuth, tokenString string) (jwt.Token, error) { } func (ja *JWTAuth) Encode(claims map[string]interface{}) (t jwt.Token, tokenString string, err error) { + if ja.keySet != nil { + return nil, "", fmt.Errorf("encode not supported") + } + t = jwt.New() for k, v := range claims { t.Set(k, v) diff --git a/jwtauth_test.go b/jwtauth_test.go index e2580cb..4e95f85 100644 --- a/jwtauth_test.go +++ b/jwtauth_test.go @@ -13,6 +13,9 @@ import ( "testing" "time" + "github.com/lestrrat-go/jwx/v2/jwa" + "github.com/lestrrat-go/jwx/v2/jws" + "github.com/go-chi/chi/v5" "github.com/go-chi/jwtauth/v5" "github.com/lestrrat-go/jwx/v2/jwa" @@ -41,6 +44,27 @@ MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALxo3PCjFw4QjgOX06QCJIJBnXXNiEYw DLxxa5/7QyH6y77nCRQyJ3x3UwF9rUD0RCsp4sNdX5kOQ9PUyHyOtCUCAwEAAQ== -----END PUBLIC KEY----- ` + + KeySet = `{ + "keys": [ + { + "kty": "RSA", + "n": "vGjc8KMXDhCOA5fTpAIkgkGddc2IRjAMvHFrn_tDIfrLvucJFDInfHdTAX2tQPREKyniw11fmQ5D09TIfI60JQ", + "e": "AQAB", + "alg": "RS256", + "kid": "1", + "use": "sig" + }, + { + "kty": "RSA", + "n": "foo", + "e": "AQAB", + "alg": "RS256", + "kid": "2", + "use": "sig" + } + ] +}` ) func init() { @@ -51,6 +75,57 @@ func init() { // Tests // +func TestNewKeySet(t *testing.T) { + _, err := jwtauth.NewKeySet([]byte("not a valid key set")) + if err == nil { + t.Fatal("The error should not be nil") + } + + _, err = jwtauth.NewKeySet([]byte(KeySet)) + if err != nil { + t.Fatalf(err.Error()) + } +} + +func TestKeySetRSA(t *testing.T) { + privateKeyBlock, _ := pem.Decode([]byte(PrivateKeyRS256String)) + + privateKey, err := x509.ParsePKCS1PrivateKey(privateKeyBlock.Bytes) + + if err != nil { + t.Fatalf(err.Error()) + } + + KeySetAuth, _ := jwtauth.NewKeySet([]byte(KeySet)) + claims := map[string]interface{}{ + "key": "val", + "key2": "val2", + "key3": "val3", + } + + signed := newJwtRSAToken(jwa.RS256, privateKey, "1", claims) + + token, err := KeySetAuth.Decode(signed) + + if err != nil { + t.Fatalf("Failed to decode token string %s\n", err.Error()) + } + + tokenClaims, err := token.AsMap(context.Background()) + if err != nil { + t.Fatal(err.Error()) + } + + if !reflect.DeepEqual(claims, tokenClaims) { + t.Fatalf("The decoded claims don't match the original ones\n") + } + + _, _, err = KeySetAuth.Encode(claims) + if err.Error() != "encode not supported" { + t.Fatalf("Expect error to equal %s. Found: %s.", "encode not supported", err.Error()) + } +} + func TestSimple(t *testing.T) { r := chi.NewRouter() @@ -340,6 +415,29 @@ func newJwt512Token(secret []byte, claims ...map[string]interface{}) string { return string(tokenPayload) } +func newJwtRSAToken(alg jwa.SignatureAlgorithm, secret interface{}, kid string, claims ...map[string]interface{}) string { + token := jwt.New() + if len(claims) > 0 { + for k, v := range claims[0] { + token.Set(k, v) + } + } + + headers := jws.NewHeaders() + if kid != "" { + err := headers.Set("kid", kid) + if err != nil { + log.Fatal(err) + } + } + + tokenPayload, err := jwt.Sign(token, jwt.WithKey(alg, secret, jws.WithProtectedHeaders(headers))) + if err != nil { + log.Fatal(err) + } + return string(tokenPayload) +} + func newAuthHeader(claims ...map[string]interface{}) http.Header { h := http.Header{} h.Set("Authorization", "BEARER "+newJwtToken(TokenSecret, claims...)) From 6091a6ee3984f02108ac06225da6c55cfc196f8b Mon Sep 17 00:00:00 2001 From: "tarcisio.nunes" Date: Fri, 13 May 2022 16:06:55 -0300 Subject: [PATCH 2/6] enable use of jwks rotation feature --- _example/main.go | 49 ++++++++++++++++++++++++- jwtauth.go | 42 +++++++++++++++++++--- jwtauth_test.go | 93 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 179 insertions(+), 5 deletions(-) diff --git a/_example/main.go b/_example/main.go index a6d7559..082beb0 100644 --- a/_example/main.go +++ b/_example/main.go @@ -68,6 +68,18 @@ import ( "github.com/lestrrat-go/jwx/v2/jwt" ) +type dynamicTokenAuth struct { + keySet []byte +} + +func (d *dynamicTokenAuth) JWTAuth() (*jwtauth.JWTAuth, error) { + keySet, err := jwtauth.NewKeySet(d.keySet) + if err != nil { + return nil, err + } + return keySet, nil +} + var tokenAuth *jwtauth.JWTAuth func init() { @@ -76,7 +88,8 @@ func init() { // For debugging/example purposes, we generate and print // a sample jwt token with claims `user_id:123` here: _, tokenString, _ := tokenAuth.Encode(map[string]interface{}{"user_id": 123}) - fmt.Printf("DEBUG: a sample jwt is %s\n\n", tokenString) + fmt.Printf("DEBUG: a sample jwt for /admin is %s\n\n", tokenString) + fmt.Printf("DEBUG: a sample jwt for /rotate is %s\n\n", sampleJWTRotate) } func main() { @@ -105,6 +118,23 @@ func router() http.Handler { }) }) + r.Group(func(r chi.Router) { + dynamicTokenAuth := dynamicTokenAuth{keySet: keySet} + // Seek, verify and validate JWT tokens based on keys returned by the callback function + r.Use(jwtauth.VerifierDynamic(dynamicTokenAuth.JWTAuth)) + + // Handle valid / invalid tokens. In this example, we use + // the provided authenticator middleware, but you can write your + // own very easily, look at the Authenticator method in jwtauth.go + // and tweak it, its not scary. + r.Use(jwtauth.Authenticator) + + r.Get("/rotate", func(w http.ResponseWriter, r *http.Request) { + _, claims, _ := jwtauth.FromContext(r.Context()) + w.Write([]byte(fmt.Sprintf("protected area. hi %v", claims["user_id"]))) + }) + }) + // Public routes r.Group(func(r chi.Router) { r.Get("/", func(w http.ResponseWriter, r *http.Request) { @@ -114,3 +144,20 @@ func router() http.Handler { return r } + +var ( + keySet = []byte(`{ + "keys": [ + { + "kty": "RSA", + "alg": "RS256", + "kid": "kid", + "use": "sig", + "n": "rgzO_v14UXJ33MvccKI8aIw3YpknVJbRB-m1z1X4j3gaTmmzmb7_naEd1TOKhF6Z1BGupvAKhCs8uHtp5e1PCrp52kzrjv7nqQfDpdppPZmKpwf-OD_lVgLLuCljB71mX9w7T5vI_WiVknuNhm48y0TJQNslpDZum4E2e0BLKUDRKKlo25foGoDuQN535_Xso861U8KsA80jX37BJplQ6IHewV_bbe04NYTVqaFcmLaZCAzh2f8L1h4xt76Y0xF_u8FXt2-rgcWlz17CtZzxC8ZXNI_92pX8CY5LY2eQf_B_n5Rhd5TQvEIdoI1GNBrcKUI9pMeEC4pErcOGgKGH7w", + "e": "AQAB" + } + ] +}`) + + sampleJWTRotate = `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtpZCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.APC4bUOmfbcXjBnZnmyiGBpXqlboTB4Qbh_sqJrgSU5AEQlwzjvDJ79eBlty8h6kfq3i5ffy87s-g82ZoRsHqMjwCIvTOVnoEyDgVu68s9lE32uaA0cc2-hbA13DIBsyIUGjehh9c3h93BrUoUr7n0CHgoKgx2OEw1Bq8vm4EqvmFGF-mr_0qi32uudPy3I15SyP1NJfU0ogQEFUdDHww3c8omDmrTPiGlWZAl9AiBMroDu0nq3UOtC4d5Se-361NEGiZ9J_kHcVWGdoMwsi5KEB0Uf3wAfXK3wcXeRu1pTXYKOV3X3g_2ss6mh65bNMsSx-MZUnQv5v6qZMOxMBUA` +) diff --git a/jwtauth.go b/jwtauth.go index 1ffe742..cd5395d 100644 --- a/jwtauth.go +++ b/jwtauth.go @@ -86,10 +86,27 @@ func Verifier(ja *JWTAuth) func(http.Handler) http.Handler { return Verify(ja, TokenFromHeader, TokenFromCookie) } -func Verify(ja *JWTAuth, findTokenFns ...func(r *http. - Request) string) func( - http. - Handler) http.Handler { +// VerifierDynamic http middleware handler will verify a JWT string from a http request. +// +// Verifier will search for a JWT token in a http request, in the order: +// 1. 'jwt' URI query parameter +// 2. 'Authorization: BEARER T' request header +// 3. Cookie 'jwt' value +// +// The first JWT string that is found as a query parameter, authorization header +// or cookie header is then decoded by the `jwt-go` library and a *jwt.Token +// object is set on the request context. In the case of a signature decoding error +// the Verifier will also set the error on the request context. +// +// The Verifier always calls the next http handler in sequence, which can either +// be the generic `jwtauth.Authenticator` middleware or your own custom handler +// which checks the request context jwt token and error to prepare a custom +// http response. +func VerifierDynamic(jaf func() (*JWTAuth, error)) func(http.Handler) http.Handler { + return VerifyDynamic(jaf, TokenFromHeader, TokenFromCookie) +} + +func Verify(ja *JWTAuth, findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { hfn := func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() @@ -101,6 +118,23 @@ func Verify(ja *JWTAuth, findTokenFns ...func(r *http. } } +func VerifyDynamic(jaf func() (*JWTAuth, error), findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + hfn := func(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + ja, err := jaf() + if err != nil { + ctx = NewContext(ctx, nil, err) + next.ServeHTTP(w, r.WithContext(ctx)) + } + token, err := VerifyRequest(ja, r, findTokenFns...) + ctx = NewContext(ctx, token, err) + next.ServeHTTP(w, r.WithContext(ctx)) + } + return http.HandlerFunc(hfn) + } +} + func VerifyRequest(ja *JWTAuth, r *http.Request, findTokenFns ...func(r *http.Request) string) (jwt.Token, error) { var tokenString string diff --git a/jwtauth_test.go b/jwtauth_test.go index 4e95f85..cdd2f77 100644 --- a/jwtauth_test.go +++ b/jwtauth_test.go @@ -354,6 +354,99 @@ func TestMore(t *testing.T) { } } +func TestDynamic(t *testing.T) { + anotherKeySet := `{ + "keys": [ + { + "kty": "RSA", + "n": "vGjc8KMXDhCOA5fTpAIkgkGddc2IRjAMvHFrn_tDIfrLvucJFDInfHdTAX2tQPREKyniw11fmQ5D09TIfI60JQ", + "e": "AQAB", + "alg": "RS256", + "kid": "anotherKID", + "use": "sig" + } + ] +}` + + privateKeyBlock, _ := pem.Decode([]byte(PrivateKeyRS256String)) + privateKey, err := x509.ParsePKCS1PrivateKey(privateKeyBlock.Bytes) + if err != nil { + t.Fatalf(err.Error()) + } + + r := chi.NewRouter() + + keySet := []byte(KeySet) + keySetPtr := &keySet + + dynamicJWTAuthFunc := func() (*jwtauth.JWTAuth, error) { + keySet, err := jwtauth.NewKeySet(*keySetPtr) + if err != nil { + return nil, err + } + return keySet, nil + } + + // Protected routes + r.Group(func(r chi.Router) { + r.Use(jwtauth.VerifierDynamic(dynamicJWTAuthFunc)) + + authenticator := func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + token, _, err := jwtauth.FromContext(r.Context()) + + if err != nil { + http.Error(w, jwtauth.ErrorReason(err).Error(), http.StatusUnauthorized) + return + } + + if err := jwt.Validate(token); err != nil { + http.Error(w, jwtauth.ErrorReason(err).Error(), http.StatusUnauthorized) + return + } + + // Token is authenticated, pass it through + next.ServeHTTP(w, r) + }) + } + r.Use(authenticator) + + r.Get("/admin", func(w http.ResponseWriter, r *http.Request) { + _, claims, err := jwtauth.FromContext(r.Context()) + + if err != nil { + w.Write([]byte(fmt.Sprintf("error! %v", err))) + return + } + + w.Write([]byte(fmt.Sprintf("protected, user:%v", claims["user_id"]))) + }) + }) + + // Public routes + r.Group(func(r chi.Router) { + r.Get("/", func(w http.ResponseWriter, r *http.Request) { + w.Write([]byte("welcome")) + }) + }) + + ts := httptest.NewServer(r) + defer ts.Close() + + h := http.Header{} + h.Set("Authorization", "BEARER "+newJwtToken(jwa.RS256, privateKey, "1", map[string]interface{}{"user_id": 31337, "exp": jwtauth.ExpireIn(5 * time.Minute)})) + if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 200 || resp != "protected, user:31337" { + t.Fatalf(resp) + } + + // dynamically modifying JWTAuth return so kid 1 is no longer supported + *keySetPtr = []byte(anotherKeySet) + h.Set("Authorization", "BEARER "+newJwtToken(jwa.RS256, privateKey, "1", map[string]interface{}{"user_id": 31337, "exp": jwtauth.ExpireIn(5 * time.Minute)})) + if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 401 || resp != "token is unauthorized\n" { + t.Fatalf(resp) + } +} + // // Test helper functions // From fad13b1ac129f4c2bb200d8eed4d091acf28695a Mon Sep 17 00:00:00 2001 From: tarcisioN Date: Fri, 11 Aug 2023 20:35:13 -0300 Subject: [PATCH 3/6] rename func param --- jwtauth.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/jwtauth.go b/jwtauth.go index cd5395d..fa2062c 100644 --- a/jwtauth.go +++ b/jwtauth.go @@ -54,15 +54,15 @@ func New(alg string, signKey interface{}, verifyKey interface{}, validateOptions return ja } -func NewKeySet(set []byte) (*JWTAuth, error) { - keySet := jwk.NewSet() - err := json.Unmarshal(set, &keySet) +func NewKeySet(keySet []byte) (*JWTAuth, error) { + ks := jwk.NewSet() + err := json.Unmarshal(keySet, &ks) if err != nil { return nil, err } - ja := &JWTAuth{keySet: keySet} - ja.verifier = jwt.WithKeySet(keySet) + ja := &JWTAuth{keySet: ks} + ja.verifier = jwt.WithKeySet(ks) return ja, nil } From 682521295ed1c7f4c67aa5b7e49ac7c3ba169677 Mon Sep 17 00:00:00 2001 From: "David J. Allen" Date: Wed, 6 Mar 2024 11:38:44 -0700 Subject: [PATCH 4/6] Removed dynamic verifier and changed related test --- jwtauth.go | 37 ++----------------------------------- jwtauth_test.go | 40 ++++++++-------------------------------- 2 files changed, 10 insertions(+), 67 deletions(-) diff --git a/jwtauth.go b/jwtauth.go index fa2062c..31ad80a 100644 --- a/jwtauth.go +++ b/jwtauth.go @@ -86,45 +86,12 @@ func Verifier(ja *JWTAuth) func(http.Handler) http.Handler { return Verify(ja, TokenFromHeader, TokenFromCookie) } -// VerifierDynamic http middleware handler will verify a JWT string from a http request. -// -// Verifier will search for a JWT token in a http request, in the order: -// 1. 'jwt' URI query parameter -// 2. 'Authorization: BEARER T' request header -// 3. Cookie 'jwt' value -// -// The first JWT string that is found as a query parameter, authorization header -// or cookie header is then decoded by the `jwt-go` library and a *jwt.Token -// object is set on the request context. In the case of a signature decoding error -// the Verifier will also set the error on the request context. -// -// The Verifier always calls the next http handler in sequence, which can either -// be the generic `jwtauth.Authenticator` middleware or your own custom handler -// which checks the request context jwt token and error to prepare a custom -// http response. -func VerifierDynamic(jaf func() (*JWTAuth, error)) func(http.Handler) http.Handler { - return VerifyDynamic(jaf, TokenFromHeader, TokenFromCookie) -} - func Verify(ja *JWTAuth, findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { hfn := func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - token, err := VerifyRequest(ja, r, findTokenFns...) - ctx = NewContext(ctx, token, err) - next.ServeHTTP(w, r.WithContext(ctx)) - } - return http.HandlerFunc(hfn) - } -} - -func VerifyDynamic(jaf func() (*JWTAuth, error), findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler { - return func(next http.Handler) http.Handler { - hfn := func(w http.ResponseWriter, r *http.Request) { - ctx := r.Context() - ja, err := jaf() - if err != nil { - ctx = NewContext(ctx, nil, err) + if ja.keySet != nil { + ctx = NewContext(ctx, nil, nil) next.ServeHTTP(w, r.WithContext(ctx)) } token, err := VerifyRequest(ja, r, findTokenFns...) diff --git a/jwtauth_test.go b/jwtauth_test.go index cdd2f77..9b5bb9f 100644 --- a/jwtauth_test.go +++ b/jwtauth_test.go @@ -354,20 +354,7 @@ func TestMore(t *testing.T) { } } -func TestDynamic(t *testing.T) { - anotherKeySet := `{ - "keys": [ - { - "kty": "RSA", - "n": "vGjc8KMXDhCOA5fTpAIkgkGddc2IRjAMvHFrn_tDIfrLvucJFDInfHdTAX2tQPREKyniw11fmQ5D09TIfI60JQ", - "e": "AQAB", - "alg": "RS256", - "kid": "anotherKID", - "use": "sig" - } - ] -}` - +func TestKeySet(t *testing.T) { privateKeyBlock, _ := pem.Decode([]byte(PrivateKeyRS256String)) privateKey, err := x509.ParsePKCS1PrivateKey(privateKeyBlock.Bytes) if err != nil { @@ -376,20 +363,16 @@ func TestDynamic(t *testing.T) { r := chi.NewRouter() - keySet := []byte(KeySet) - keySetPtr := &keySet - - dynamicJWTAuthFunc := func() (*jwtauth.JWTAuth, error) { - keySet, err := jwtauth.NewKeySet(*keySetPtr) - if err != nil { - return nil, err - } - return keySet, nil + keySetBytes := []byte(KeySet) + // keySetPtr := &keySetBytes + keySet, err := jwtauth.NewKeySet(keySetBytes) + if err != nil { + t.Fatalf(err.Error()) } // Protected routes r.Group(func(r chi.Router) { - r.Use(jwtauth.VerifierDynamic(dynamicJWTAuthFunc)) + r.Use(jwtauth.Verifier(keySet)) authenticator := func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { @@ -434,17 +417,10 @@ func TestDynamic(t *testing.T) { defer ts.Close() h := http.Header{} - h.Set("Authorization", "BEARER "+newJwtToken(jwa.RS256, privateKey, "1", map[string]interface{}{"user_id": 31337, "exp": jwtauth.ExpireIn(5 * time.Minute)})) + h.Set("Authorization", "BEARER "+newJwtRSAToken(jwa.RS256, privateKey, "1", map[string]interface{}{"user_id": 31337, "exp": jwtauth.ExpireIn(5 * time.Minute)})) if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 200 || resp != "protected, user:31337" { t.Fatalf(resp) } - - // dynamically modifying JWTAuth return so kid 1 is no longer supported - *keySetPtr = []byte(anotherKeySet) - h.Set("Authorization", "BEARER "+newJwtToken(jwa.RS256, privateKey, "1", map[string]interface{}{"user_id": 31337, "exp": jwtauth.ExpireIn(5 * time.Minute)})) - if status, resp := testRequest(t, ts, "GET", "/admin", h, nil); status != 401 || resp != "token is unauthorized\n" { - t.Fatalf(resp) - } } // From fb0ce00b82a2f3174ddb254da3f31e182aa23233 Mon Sep 17 00:00:00 2001 From: "David J. Allen" Date: Wed, 6 Mar 2024 12:49:14 -0700 Subject: [PATCH 5/6] Cleanup and removed comment(s) --- jwtauth_test.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/jwtauth_test.go b/jwtauth_test.go index 9b5bb9f..2f1e38d 100644 --- a/jwtauth_test.go +++ b/jwtauth_test.go @@ -13,7 +13,6 @@ import ( "testing" "time" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jws" "github.com/go-chi/chi/v5" @@ -364,7 +363,6 @@ func TestKeySet(t *testing.T) { r := chi.NewRouter() keySetBytes := []byte(KeySet) - // keySetPtr := &keySetBytes keySet, err := jwtauth.NewKeySet(keySetBytes) if err != nil { t.Fatalf(err.Error()) From b8f198ed9aa6509d1524b7b023bb866f20901d05 Mon Sep 17 00:00:00 2001 From: "David J. Allen" Date: Wed, 6 Mar 2024 13:42:48 -0700 Subject: [PATCH 6/6] Removed check and minor change --- jwtauth.go | 4 ---- jwtauth_test.go | 3 +-- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/jwtauth.go b/jwtauth.go index 31ad80a..4fd6eb2 100644 --- a/jwtauth.go +++ b/jwtauth.go @@ -90,10 +90,6 @@ func Verify(ja *JWTAuth, findTokenFns ...func(r *http.Request) string) func(http return func(next http.Handler) http.Handler { hfn := func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - if ja.keySet != nil { - ctx = NewContext(ctx, nil, nil) - next.ServeHTTP(w, r.WithContext(ctx)) - } token, err := VerifyRequest(ja, r, findTokenFns...) ctx = NewContext(ctx, token, err) next.ServeHTTP(w, r.WithContext(ctx)) diff --git a/jwtauth_test.go b/jwtauth_test.go index 2f1e38d..1f819c8 100644 --- a/jwtauth_test.go +++ b/jwtauth_test.go @@ -362,8 +362,7 @@ func TestKeySet(t *testing.T) { r := chi.NewRouter() - keySetBytes := []byte(KeySet) - keySet, err := jwtauth.NewKeySet(keySetBytes) + keySet, err := jwtauth.NewKeySet([]byte(KeySet)) if err != nil { t.Fatalf(err.Error()) }