Use github.com/lestrrat-go/jwx/jwt for JWT

LICENSE

@@ -563,11 +563,6 @@ This product bundles lestrrat-go/jwx, which is available under an MIT license.
 ./vendor/github.com/lestrrat-go/jwx/LICENSE
 Refer to the above license for the full text.
 
-This product bundles dgrijalva/jwt-go, which is available under an MIT license.
-@vendor/github.com/dgrijalva/jwt-go/*
-./vendor/github.com/dgrijalva/jwt-go/LICENSE
-Refer to the above license for the full text.
-
 This product bundles errors, which is available under a BSD-2-Clause license.
 @vendor/github.com/pkg/errors/*
 ./vendor/github.com/pkg/errors/LICENSE
@@ -716,4 +711,4 @@ Refer to the above license for the full text.
 This product bundles jcmturner/rpc.v1, which is available under an Apache-2.0 license.
 @vendor/gopkg.in/jcmturner/rpc.v1/*
 ./vendor/gopkg.in/jcmturner/rpc.v1/LICENSE
-Refer to the above license for the full text.
+Refer to the above license for the full text.

experimental/traffic_ops_auth/traffic_ops_auth.go

@@ -138,7 +138,7 @@ func getTokenData(jwtSigningKey string, r *http.Request) (*TokenData, error) {
 
 	token, err := jwt.Parse(
 		[]byte(encToken.Value),
-		jwt.WithVerify(jwa.HS256, jwtSigningKey),
+		jwt.WithVerify(jwa.HS256, []byte(jwtSigningKey)),
 	)
 	if err != nil {
 		return nil, err

experimental/webfront/webfront.go

@@ -148,7 +148,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		token, err := jwt.ParseHeader(
 			r.Header,
 			`Authorization`,
-			jwt.WithVerify(jwa.HS256, os.Args[2]),
+			jwt.WithVerify(jwa.HS256, []byte(os.Args[2])),
 		)
 		if err != nil {
 			Logger.Println("Token Error:", err.Error())

go.mod

@@ -81,7 +81,6 @@ require (
 )
 
 require (
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
 	golang.org/x/net v0.0.0-20211013171255-e13a2654a71e
 	golang.org/x/sys v0.0.0-20211013075003-97ac67df715c

go.sum

@@ -388,7 +388,6 @@ github.com/deepmap/oapi-codegen v1.6.0/go.mod h1:ryDa9AgbELGeB+YEXE1dR53yAjHwFvE
 github.com/denisenkom/go-mssqldb v0.10.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
 github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-bitstream v0.0.0-20180413035011-3522498ce2c8/go.mod h1:VMaSuZ+SZcx/wljOQKvp5srsbCiKDEb6K2wC4+PiBmQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=

traffic_ops/traffic_ops_golang/api/api.go

@@ -48,9 +48,10 @@ import (
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/trafficvault"
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/trafficvault/backends/disabled"
 
-	"github.com/dgrijalva/jwt-go"
 	influx "github.com/influxdata/influxdb/client/v2"
 	"github.com/jmoiron/sqlx"
+	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/jwt"
 	"github.com/lib/pq"
 )
 
@@ -1118,21 +1119,15 @@ func GetUserFromReq(w http.ResponseWriter, r *http.Request, secret string) (auth
 
 func getCookieFromAccessToken(bearerToken string, secret string) (*http.Cookie, error) {
 	var cookie *http.Cookie
-	claims := jwt.MapClaims{}
-	token, err := jwt.ParseWithClaims(bearerToken, claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(secret), nil
-	})
+	token, err := jwt.Parse([]byte(bearerToken), jwt.WithVerify(jwa.HS256, []byte(secret)))
 	if err != nil {
-		return nil, fmt.Errorf("parsing claims: %w", err)
+		return nil, fmt.Errorf("invalid token: %w", err)
 	}
 	if token == nil {
 		return nil, errors.New("parsing claims: parsed nil token")
 	}
-	if !token.Valid {
-		return nil, errors.New("invalid token")
-	}
 
-	for key, val := range claims {
+	for key, val := range token.PrivateClaims() {
 		switch key {
 		case MojoCookie:
 			mojoVal, ok := val.(string)

traffic_ops/traffic_ops_golang/cdni/shared.go

@@ -33,7 +33,9 @@ import (
 	"github.com/apache/trafficcontrol/lib/go-rfc"
 	"github.com/apache/trafficcontrol/lib/go-tc"
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/api"
-	"github.com/dgrijalva/jwt-go"
+
+	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/jwt"
 	"github.com/lib/pq"
 )
 
@@ -496,49 +498,25 @@ func checkBearerToken(bearerToken string, inf *api.APIInfo) (string, error) {
 		return "", errors.New("bearer token is required")
 	}
 
-	claims := jwt.MapClaims{}
-	token, err := jwt.ParseWithClaims(bearerToken, claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(inf.Config.Secrets[0]), nil
-	})
+	token, err := jwt.Parse([]byte(bearerToken),
+		jwt.WithVerify(jwa.HS256, []byte(inf.Config.Secrets[0])),
+	)
 	if err != nil {
-		return "", fmt.Errorf("parsing claims: %w", err)
-	}
-	if !token.Valid {
-		return "", errors.New("invalid token")
+		return "", fmt.Errorf("invalid token: %w", err)
 	}
 
-	var expirationFloat float64
-	var ucdn string
-	var dcdn string
-	for key, val := range claims {
-		switch key {
-		case "iss":
-			if _, ok := val.(string); !ok {
-				return "", errors.New("invalid token - iss (Issuer) must be a string")
-			}
-			ucdn = val.(string)
-		case "aud":
-			if _, ok := val.(string); !ok {
-				return "", errors.New("invalid token - aud (Audience) must be a string")
-			}
-			dcdn = val.(string)
-		case "exp":
-			if _, ok := val.(float64); !ok {
-				return "", errors.New("invalid token - exp (Expiration) must be a float64")
-			}
-			expirationFloat = val.(float64)
-		}
+	if token.Expiration().Unix() < time.Now().Unix() {
+		return "", errors.New("token is expired")
 	}
 
-	expiration := int64(expirationFloat)
-
-	if expiration < time.Now().Unix() {
-		return "", errors.New("token is expired")
+	if token.Audience() == nil || len(token.Audience()) == 0 {
+		return "", errors.New("invalid token - ucdn must be defined in audience claim")
 	}
-	if dcdn != inf.Config.Cdni.DCdnId {
+	if token.Audience()[0] != inf.Config.Cdni.DCdnId {
 		return "", errors.New("invalid token - incorrect dcdn")
 	}
 
+	ucdn := token.Issuer()
 	if ucdn != inf.User.UCDN {
 		return "", errors.New("user ucdn did not match token ucdn")
 	}

traffic_ops/traffic_ops_golang/login/login.go

@@ -42,10 +42,10 @@ import (
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config"
 	"github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/tocookie"
 
-	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/jmoiron/sqlx"
+	"github.com/lestrrat-go/jwx/jwa"
 	"github.com/lestrrat-go/jwx/jwk"
-	ljwt "github.com/lestrrat-go/jwx/jwt"
+	"github.com/lestrrat-go/jwx/jwt"
 )
 
 type emailFormatter struct {
@@ -156,9 +156,9 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 				httpCookie := tocookie.GetCookie(form.Username, defaultCookieDuration, cfg.Secrets[0])
 				http.SetCookie(w, httpCookie)
 
-				var jwtToken *jwt.Token
-				var jwtSigned string
-				claims := jwt.MapClaims{}
+				var jwtToken jwt.Token
+				var jwtSigned []byte
+				jwtBuilder := jwt.NewBuilder()
 
 				emptyConf := config.CdniConf{}
 				if cfg.Cdni != nil && *cfg.Cdni != emptyConf {
@@ -167,23 +167,27 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 						// log but do not error out since this is optional in the JWT for CDNi integration
 						log.Errorf("getting ucdn for user %s: %v", form.Username, err)
 					}
-					claims["iss"] = ucdn
-					claims["aud"] = cfg.Cdni.DCdnId
+					jwtBuilder.Claim("iss", ucdn)
+					jwtBuilder.Claim("aud", cfg.Cdni.DCdnId)
 				}
 
-				claims["exp"] = httpCookie.Expires.Unix()
-				claims[api.MojoCookie] = httpCookie.Value
-				jwtToken = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+				jwtBuilder.Claim("exp", httpCookie.Expires.Unix())
+				jwtBuilder.Claim(api.MojoCookie, httpCookie.Value)
+				jwtToken, err = jwtBuilder.Build()
+				if err != nil {
+					api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("building token: %s", err))
+					return
+				}
 
-				jwtSigned, err = jwtToken.SignedString([]byte(cfg.Secrets[0]))
+				jwtSigned, err = jwt.Sign(jwtToken, jwa.HS256, []byte(cfg.Secrets[0]))
 				if err != nil {
 					api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, err)
 					return
 				}
 
 				http.SetCookie(w, &http.Cookie{
 					Name:     api.AccessToken,
-					Value:    jwtSigned,
+					Value:    string(jwtSigned),
 					Path:     "/",
 					MaxAge:   httpCookie.MaxAge,
 					HttpOnly: true, // prevents the cookie being accessed by Javascript. DO NOT remove, security vulnerability
@@ -425,10 +429,10 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 			return
 		}
 
-		decodedToken, err := ljwt.Parse(
+		decodedToken, err := jwt.Parse(
 			[]byte(encodedToken),
-			ljwt.WithVerifyAuto(true),
-			ljwt.WithJWKSetFetcher(jwksFetcher),
+			jwt.WithVerifyAuto(true),
+			jwt.WithJWKSetFetcher(jwksFetcher),
 		)
 		if err != nil {
 			api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("Error decoding token with message: %w", err))