jwt-go | The easiest JWT library to GO | Authentication library

The Scanner/Valuer interface is not implemented for slice types ie []string. So you can use the pq.StringArray type from https://pkg.go.dev/github.com/lib/pq instead of the []string type in the jwt.RegisteredClaims struct. You can use a custom struct that have the same fields but with the pq.StringArray type instead of []string.

The CVE-2020-26160 vulnerability is due to the fact that dgrijalva/jwt-go incorrectly models the JWT aud field as a string, when based on the JWT specs it should be a slice of strings.

In the general case, the "aud" value is an array of case-sensitive strings

You can't bypass it yourself, because it's a bug in the library: https://github.com/dgrijalva/jwt-go/issues/428

Switch to the official community fork golang-jwt/jwt, its v3.2.1 fixes the vulnerability: https://github.com/golang-jwt/jwt/releases/tag/v3.2.1

• Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
• Fixed type confusion issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160

maybe need to add this before download command:

The standard way of doing this while avoiding globals would be to define a struct that represents your server, and its methods would be the handlers. Then the methods share the struct's data, and you place things like your mongo client in there.

Something like this (in your admin package):

The RSA family algorithms expect a key of type *rsa.PrivateKey. The library dgrijalva/jwt-go has a helper function jwt.ParseRSAPrivateKeyFromPEM(keyData) where keyData is a []byte slice.

The repo has some handy examples in rsa_test.go file.

_{Also the examples are outdated because as of Go 1.16 the ioutil package is deprecated...}

Please be aware that github.com/dgrijalva/jwt-go has been unmaintained for a long time and has critical unfixed bugs. And doesn't support Go modules, before the version 4 (which is just a preview anyway). I strongly recommend to choose an different library for dealing with JWT.

jwt.ParseRSAPublicKeyFromPEM() internally calls the x509.ParsePKIXPublicKey() method which imports a PEM encoded key in X.509/SPKI format.

A PEM encoded key in X.509/SPKI format can be derived from the private key with ssh-keygen using the option -e -m pkcs8. Currently, the option -e -m pem is applied, which generates the public key in PKCS#1 format, which cannot be processed by jwt.ParseRSAPublicKeyFromPEM().

The public key import works if a PEM encoded key in X.509/SPKI format is used:

If you want to use SHA256 algorithm for jwt signing, then you should generate and store long random secret in your .env file.

The secret should be static, don't too much worry about security, It is almost impossible for anyone to bruteforce and find your secret.

You need not to change your secret :)

😭 Coping self certificates (.crt) helped

1️⃣ add .crt to required dir

You are probably using Go 1.13 to develop your application.

In this case, whenever you run a Go command, like go build, go list, go test, go mod tidy and others, the go.mod file will be modified to have some formatting included, and add missing directives, like the Go version that's compatible with that module.

So, go 1.13 is added to the file automatically, not by the IDE. You can reproduce this by running any of the commands that I listed above.