Upgrade to go-chi 5

core/auth/auth.go

@@ -2,12 +2,11 @@ package auth
 
 import (
 	"context"
-	"fmt"
 	"sync"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
-	"github.com/go-chi/jwtauth"
+	"github.com/go-chi/jwtauth/v5"
+	"github.com/lestrrat-go/jwx/jwt"
 	"github.com/navidrome/navidrome/conf"
 	"github.com/navidrome/navidrome/consts"
 	"github.com/navidrome/navidrome/log"
@@ -33,12 +32,16 @@ func InitTokenAuth(ds model.DataStore) {
 }
 
 func CreateToken(u *model.User) (string, error) {
-	token := jwt.New(jwt.SigningMethodHS256)
-	claims := token.Claims.(jwt.MapClaims)
-	claims["iss"] = consts.JWTIssuer
-	claims["sub"] = u.UserName
+	claims := map[string]interface{}{}
+	claims[jwt.IssuerKey] = consts.JWTIssuer
+	claims[jwt.IssuedAtKey] = time.Now().UTC().Unix()
+	claims[jwt.SubjectKey] = u.UserName
 	claims["uid"] = u.ID
 	claims["adm"] = u.IsAdmin
+	token, _, err := TokenAuth.Encode(claims)
+	if err != nil {
+		return "", err
+	}
 
 	return TouchToken(token)
 }
@@ -51,29 +54,23 @@ func getSessionTimeOut() time.Duration {
 	return sessionTimeOut
 }
 
-func TouchToken(token *jwt.Token) (string, error) {
-	timeout := getSessionTimeOut()
-	expireIn := time.Now().Add(timeout).Unix()
-	claims := token.Claims.(jwt.MapClaims)
-	claims["exp"] = expireIn
-
-	return token.SignedString(Secret)
-}
-
-func keyFunc(token *jwt.Token) (interface{}, error) {
-	// Don't forget to validate the alg is what you expect:
-	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-		return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+func TouchToken(token jwt.Token) (string, error) {
+	claims, err := token.AsMap(context.Background())
+	if err != nil {
+		return "", err
 	}
 
-	// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
-	return Secret, nil
+	timeout := getSessionTimeOut()
+	claims[jwt.ExpirationKey] = time.Now().UTC().Add(timeout).Unix()
+	_, newToken, err := TokenAuth.Encode(claims)
+
+	return newToken, err
 }
 
-func Validate(tokenStr string) (jwt.MapClaims, error) {
-	token, err := jwt.Parse(tokenStr, keyFunc)
+func Validate(tokenStr string) (map[string]interface{}, error) {
+	token, err := jwtauth.VerifyToken(TokenAuth, tokenStr)
 	if err != nil {
 		return nil, err
 	}
-	return token.Claims.(jwt.MapClaims), err
+	return token.AsMap(context.Background())
 }

core/auth/auth_test.go

@@ -4,14 +4,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-chi/jwtauth/v5"
 	"github.com/navidrome/navidrome/conf"
-
 	"github.com/navidrome/navidrome/consts"
-	"github.com/navidrome/navidrome/model"
-
-	"github.com/dgrijalva/jwt-go"
 	"github.com/navidrome/navidrome/core/auth"
 	"github.com/navidrome/navidrome/log"
+	"github.com/navidrome/navidrome/model"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@@ -34,35 +32,37 @@ var _ = Describe("Auth", func() {
 
 	BeforeEach(func() {
 		auth.Secret = []byte(testJWTSecret)
+		auth.TokenAuth = jwtauth.New("HS256", auth.Secret, nil)
 	})
 
 	Describe("Validate", func() {
 		It("returns error with an invalid JWT token", func() {
 			_, err := auth.Validate("invalid.token")
-			Expect(err).To(Not(BeNil()))
+			Expect(err).To(HaveOccurred())
 		})
 
 		It("returns the claims from a valid JWT token", func() {
-			token := jwt.New(jwt.SigningMethodHS256)
-			claims := token.Claims.(jwt.MapClaims)
+			claims := map[string]interface{}{}
 			claims["iss"] = "issuer"
+			claims["iat"] = time.Now().Unix()
 			claims["exp"] = time.Now().Add(1 * time.Minute).Unix()
-			tokenStr, _ := token.SignedString(auth.Secret)
+			_, tokenStr, err := auth.TokenAuth.Encode(claims)
+			Expect(err).NotTo(HaveOccurred())
 
 			decodedClaims, err := auth.Validate(tokenStr)
-			Expect(err).To(BeNil())
+			Expect(err).NotTo(HaveOccurred())
 			Expect(decodedClaims["iss"]).To(Equal("issuer"))
 		})
 
 		It("returns ErrExpired if the `exp` field is in the past", func() {
-			token := jwt.New(jwt.SigningMethodHS256)
-			claims := token.Claims.(jwt.MapClaims)
+			claims := map[string]interface{}{}
 			claims["iss"] = "issuer"
 			claims["exp"] = time.Now().Add(-1 * time.Minute).Unix()
-			tokenStr, _ := token.SignedString(auth.Secret)
+			_, tokenStr, err := auth.TokenAuth.Encode(claims)
+			Expect(err).NotTo(HaveOccurred())
 
-			_, err := auth.Validate(tokenStr)
-			Expect(err).To(MatchError("Token is expired"))
+			_, err = auth.Validate(tokenStr)
+			Expect(err).To(MatchError("token is expired"))
 		})
 	})
 
@@ -74,36 +74,35 @@ var _ = Describe("Auth", func() {
 				IsAdmin:  true,
 			}
 			tokenStr, err := auth.CreateToken(u)
-			Expect(err).To(BeNil())
+			Expect(err).NotTo(HaveOccurred())
 
 			claims, err := auth.Validate(tokenStr)
-			Expect(err).To(BeNil())
+			Expect(err).NotTo(HaveOccurred())
 
 			Expect(claims["iss"]).To(Equal(consts.JWTIssuer))
 			Expect(claims["sub"]).To(Equal("johndoe"))
 			Expect(claims["uid"]).To(Equal("123"))
 			Expect(claims["adm"]).To(Equal(true))
-
-			exp := time.Unix(int64(claims["exp"].(float64)), 0)
-			Expect(exp).To(BeTemporally(">", time.Now()))
+			Expect(claims["exp"]).To(BeTemporally(">", time.Now()))
 		})
 	})
 
 	Describe("TouchToken", func() {
 		It("updates the expiration time", func() {
 			yesterday := time.Now().Add(-oneDay)
-			token := jwt.New(jwt.SigningMethodHS256)
-			claims := token.Claims.(jwt.MapClaims)
+			claims := map[string]interface{}{}
 			claims["iss"] = "issuer"
 			claims["exp"] = yesterday.Unix()
+			token, _, err := auth.TokenAuth.Encode(claims)
+			Expect(err).NotTo(HaveOccurred())
 
 			touched, err := auth.TouchToken(token)
-			Expect(err).To(BeNil())
+			Expect(err).NotTo(HaveOccurred())
 
 			decodedClaims, err := auth.Validate(touched)
-			Expect(err).To(BeNil())
-			expiration := time.Unix(int64(decodedClaims["exp"].(float64)), 0)
-			Expect(expiration.Sub(yesterday)).To(BeNumerically(">=", oneDay))
+			Expect(err).NotTo(HaveOccurred())
+			exp := decodedClaims["exp"].(time.Time)
+			Expect(exp.Sub(yesterday)).To(BeNumerically(">=", oneDay))
 		})
 	})
 })