♻️ fix!: context key collisions

jwt/config.go

@@ -42,10 +42,6 @@ type Config struct {
 	// The order of precedence is: KeyFunc, JWKSetURLs, SigningKeys, SigningKey.
 	SigningKeys map[string]SigningKey
 
-	// Context key to store user information from the token into context.
-	// Optional. Default: "user".
-	ContextKey string
-
 	// Claims are extendable claims data defining token content.
 	// Optional. Default value jwt.MapClaims
 	Claims jwt.Claims
@@ -122,9 +118,6 @@ func makeCfg(config []Config) (cfg Config) {
 	if cfg.SigningKey.Key == nil && len(cfg.SigningKeys) == 0 && len(cfg.JWKSetURLs) == 0 && cfg.KeyFunc == nil {
 		panic("Fiber: JWT middleware configuration: At least one of the following is required: KeyFunc, JWKSetURLs, SigningKeys, or SigningKey.")
 	}
-	if cfg.ContextKey == "" {
-		cfg.ContextKey = "user"
-	}
 	if cfg.Claims == nil {
 		cfg.Claims = jwt.MapClaims{}
 	}

jwt/config_test.go

@@ -40,9 +40,6 @@ func TestDefaultConfiguration(t *testing.T) {
 	cfg := makeCfg(config)
 
 	// Assert
-	if cfg.ContextKey != "user" {
-		t.Fatalf("Default context key should be 'user'")
-	}
 	if cfg.Claims == nil {
 		t.Fatalf("Default claims should not be 'nil'")
 	}

jwt/jwt.go

@@ -12,6 +12,15 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 )
 
+// The contextKey type is unexported to prevent collisions with context keys defined in
+// other packages.
+type contextKey int
+
+// The following contextKey values are defined to store values in context.
+const (
+	tokenKey contextKey = 0
+)
+
 var (
 	defaultTokenLookup = "header:" + fiber.HeaderAuthorization
 )
@@ -51,9 +60,15 @@ func New(config ...Config) fiber.Handler {
 		}
 		if err == nil && token.Valid {
 			// Store user information from token into context.
-			c.Locals(cfg.ContextKey, token)
+			c.Locals(tokenKey, token)
 			return cfg.SuccessHandler(c)
 		}
 		return cfg.ErrorHandler(c, err)
 	}
 }
+
+// FromContext returns the token from the context.
+// If there is no token, nil is returned.
+func FromContext(c *fiber.Ctx) *jwt.Token {
+	return c.Locals(tokenKey).(*jwt.Token)
+}

jwt/jwt_test.go

@@ -401,3 +401,44 @@ func customKeyfunc() jwt.Keyfunc {
 		return []byte(defaultSigningKey), nil
 	}
 }
+
+func TestFromContext(t *testing.T) {
+	t.Parallel()
+
+	defer func() {
+		// Assert
+		if err := recover(); err != nil {
+			t.Fatalf("Middleware should not panic")
+		}
+	}()
+
+	for _, test := range hamac {
+		// Arrange
+		app := fiber.New()
+
+		app.Use(jwtware.New(jwtware.Config{
+			SigningKey: jwtware.SigningKey{
+				JWTAlg: test.SigningMethod,
+				Key:    []byte(defaultSigningKey),
+			},
+		}))
+
+		app.Get("/ok", func(c *fiber.Ctx) error {
+			token := jwtware.FromContext(c)
+			if token == nil {
+				return c.SendStatus(fiber.StatusUnauthorized)
+			}
+			return c.SendString("OK")
+		})
+
+		req := httptest.NewRequest("GET", "/ok", nil)
+		req.Header.Add("Authorization", "Bearer "+test.Token)
+
+		// Act
+		resp, err := app.Test(req)
+
+		// Assert
+		utils.AssertEqual(t, nil, err)
+		utils.AssertEqual(t, 200, resp.StatusCode)
+	}
+}

paseto/README.md

@@ -45,7 +45,6 @@ pasetoware.New(config ...pasetoware.Config) func(*fiber.Ctx) error
 | SymmetricKey   | `[]byte`                        | Secret key to encrypt token. If present the middleware will generate local tokens.                                                                                                                      | `nil`                           |
 | PrivateKey     | `ed25519.PrivateKey`            | Secret key to sign the tokens. If present (along with its `PublicKey`) the middleware will generate public tokens.                                                                                      | `nil`                           
 | PublicKey      | `crypto.PublicKey`              | Public key to verify the tokens. If present (along with `PrivateKey`) the middleware will generate public tokens.                                                                                       | `nil`                           
-| ContextKey     | `string`                        | Context key to store user information from the token into context.                                                                                                                                      | `"auth-token"`                  |
 | TokenLookup    | `[2]string`                     | TokenLookup is a string slice with size 2, that is used to extract token from the request                                                                                                               | `["header","Authorization"]`    |
 
 ## Instructions
@@ -128,7 +127,7 @@ func accessible(c *fiber.Ctx) error {
 }
 
 func restricted(c *fiber.Ctx) error {
-	payload := c.Locals(pasetoware.DefaultContextKey).(string)
+	payload := pasetoware.FromContext(c).(string)
 	return c.SendString("Welcome " + payload)
 }
 
@@ -242,7 +241,7 @@ func accessible(c *fiber.Ctx) error {
 }
 
 func restricted(c *fiber.Ctx) error {
-	payload := c.Locals(pasetoware.DefaultContextKey).(customPayloadStruct)
+	payload := pasetoware.FromContext(c).(customPayloadStruct)
 	return c.SendString("Welcome " + payload.Name)
 }
 
@@ -350,7 +349,7 @@ func accessible(c *fiber.Ctx) error {
 }
 
 func restricted(c *fiber.Ctx) error {
-	payload := c.Locals(pasetoware.DefaultContextKey).(string)
+	payload := pasetoware.FromContext(c).(string)
 	return c.SendString("Welcome " + payload)
 }
 

paseto/config.go

@@ -51,10 +51,6 @@ type Config struct {
 	// Required if SymmetricKey is not set
 	PublicKey crypto.PublicKey
 
-	// ContextKey to store user information from the token into context.
-	// Optional. Default: DefaultContextKey.
-	ContextKey string
-
 	// TokenLookup is a string slice with size 2, that is used to extract token from the request.
 	// Optional. Default value ["header","Authorization"].
 	// Possible values:
@@ -79,7 +75,6 @@ var ConfigDefault = Config{
 	ErrorHandler:   nil,
 	Validate:       nil,
 	SymmetricKey:   nil,
-	ContextKey:     DefaultContextKey,
 	TokenLookup:    [2]string{LookupHeader, fiber.HeaderAuthorization},
 }
 
@@ -140,10 +135,6 @@ func configDefault(authConfigs ...Config) Config {
 		config.Validate = defaultValidateFunc
 	}
 
-	if config.ContextKey == "" {
-		config.ContextKey = ConfigDefault.ContextKey
-	}
-
 	if config.TokenLookup[0] == "" {
 		config.TokenLookup[0] = ConfigDefault.TokenLookup[0]
 	}

paseto/config_test.go

@@ -34,7 +34,6 @@ func Test_ConfigDefault(t *testing.T) {
 	utils.AssertEqual(t, LookupHeader, config.TokenLookup[0])
 	utils.AssertEqual(t, fiber.HeaderAuthorization, config.TokenLookup[1])
 
-	utils.AssertEqual(t, DefaultContextKey, config.ContextKey)
 	utils.AssertEqual(t, true, config.Validate != nil)
 }
 

paseto/paseto.go

@@ -6,6 +6,15 @@ import (
 	"github.com/gofiber/fiber/v2"
 )
 
+// The contextKey type is unexported to prevent collisions with context keys defined in
+// other packages.
+type contextKey int
+
+// The following contextKey values are defined to store values in context.
+const (
+	payloadKey contextKey = 0
+)
+
 // New PASETO middleware, returns a handler that takes a token in selected lookup param and in case token is valid
 // it saves the decrypted token on ctx.Locals, take a look on Config to know more configuration options
 func New(authConfigs ...Config) fiber.Handler {
@@ -47,11 +56,16 @@ func New(authConfigs ...Config) fiber.Handler {
 		payload, err := config.Validate(outData)
 		if err == nil {
 			// Store user information from token into context.
-			c.Locals(config.ContextKey, payload)
+			c.Locals(payloadKey, payload)
 
 			return config.SuccessHandler(c)
 		}
 
 		return config.ErrorHandler(c, err)
 	}
 }
+
+// FromContext returns the payload from the context.
+func FromContext(c *fiber.Ctx) interface{} {
+	return c.Locals(payloadKey)
+}

paseto/paseto_test.go

@@ -84,7 +84,6 @@ func Test_PASETO_LocalToken_MissingToken(t *testing.T) {
 	app := fiber.New()
 	app.Use(New(Config{
 		SymmetricKey: []byte(symmetricKey),
-		ContextKey:   DefaultContextKey,
 		ErrorHandler: assertErrorHandler(t, ErrMissingToken),
 	}))
 	request := httptest.NewRequest("GET", "/", nil)
@@ -101,7 +100,6 @@ func Test_PASETO_PublicToken_MissingToken(t *testing.T) {
 	app.Use(New(Config{
 		PrivateKey:   privateKey,
 		PublicKey:    privateKey.Public(),
-		ContextKey:   DefaultContextKey,
 		ErrorHandler: assertErrorHandler(t, ErrMissingToken),
 	}))
 
@@ -117,7 +115,6 @@ func Test_PASETO_LocalToken_ErrDataUnmarshal(t *testing.T) {
 	app := fiber.New()
 	app.Use(New(Config{
 		SymmetricKey: []byte(symmetricKey),
-		ContextKey:   DefaultContextKey,
 		ErrorHandler: assertErrorHandler(t, ErrDataUnmarshal),
 	}))
 	request, err := generateTokenRequest("/", createCustomToken, durationTest, PurposeLocal)
@@ -136,7 +133,6 @@ func Test_PASETO_PublicToken_ErrDataUnmarshal(t *testing.T) {
 	app.Use(New(Config{
 		PrivateKey: privateKey,
 		PublicKey:  privateKey.Public(),
-		ContextKey: DefaultContextKey,
 	}))
 
 	request, err := generateTokenRequest("/", createCustomToken, durationTest, PurposePublic)
@@ -153,7 +149,6 @@ func Test_PASETO_LocalToken_ErrTokenExpired(t *testing.T) {
 	app := fiber.New()
 	app.Use(New(Config{
 		SymmetricKey: []byte(symmetricKey),
-		ContextKey:   DefaultContextKey,
 		ErrorHandler: assertErrorHandler(t, ErrExpiredToken),
 	}))
 	request, err := generateTokenRequest("/", CreateToken, time.Nanosecond*-10, PurposeLocal)
@@ -172,7 +167,6 @@ func Test_PASETO_PublicToken_ErrTokenExpired(t *testing.T) {
 	app.Use(New(Config{
 		PrivateKey:   privateKey,
 		PublicKey:    privateKey.Public(),
-		ContextKey:   DefaultContextKey,
 		ErrorHandler: assertErrorHandler(t, ErrExpiredToken),
 	}))
 
@@ -226,10 +220,9 @@ func Test_PASETO_LocalTokenDecrypt(t *testing.T) {
 	app := fiber.New()
 	app.Use(New(Config{
 		SymmetricKey: []byte(symmetricKey),
-		ContextKey:   DefaultContextKey,
 	}))
 	app.Get("/", func(ctx *fiber.Ctx) error {
-		utils.AssertEqual(t, testMessage, ctx.Locals(DefaultContextKey))
+		utils.AssertEqual(t, testMessage, FromContext(ctx))
 		return nil
 	})
 	request, err := generateTokenRequest("/", CreateToken, durationTest, PurposeLocal)
@@ -249,10 +242,9 @@ func Test_PASETO_PublicTokenVerify(t *testing.T) {
 	app.Use(New(Config{
 		PrivateKey: privateKey,
 		PublicKey:  privateKey.Public(),
-		ContextKey: DefaultContextKey,
 	}))
 	app.Get("/", func(ctx *fiber.Ctx) error {
-		utils.AssertEqual(t, testMessage, ctx.Locals(DefaultContextKey))
+		utils.AssertEqual(t, testMessage, FromContext(ctx))
 		return nil
 	})
 	request, err := generateTokenRequest("/", CreateToken, durationTest, PurposePublic)
@@ -268,7 +260,6 @@ func Test_PASETO_LocalToken_IncorrectBearerToken(t *testing.T) {
 	app := fiber.New()
 	app.Use(New(Config{
 		SymmetricKey: []byte(symmetricKey),
-		ContextKey:   DefaultContextKey,
 		TokenPrefix:  "Gopher",
 		ErrorHandler: func(ctx *fiber.Ctx, err error) error {
 			if errors.Is(err, ErrIncorrectTokenPrefix) {
@@ -312,7 +303,6 @@ func Test_PASETO_LocalToken_InvalidToken(t *testing.T) {
 	app := fiber.New()
 	app.Use(New(Config{
 		SymmetricKey: []byte(symmetricKey),
-		ContextKey:   DefaultContextKey,
 	}))
 	request := httptest.NewRequest("GET", "/", nil)
 	request.Header.Set(fiber.HeaderAuthorization, invalidToken)
@@ -328,7 +318,6 @@ func Test_PASETO_PublicToken_InvalidToken(t *testing.T) {
 	app.Use(New(Config{
 		PrivateKey: privateKey,
 		PublicKey:  privateKey.Public(),
-		ContextKey: DefaultContextKey,
 	}))
 
 	request := httptest.NewRequest("GET", "/", nil)
@@ -357,7 +346,7 @@ func Test_PASETO_LocalToken_CustomValidate(t *testing.T) {
 	}))
 
 	app.Get("/", func(ctx *fiber.Ctx) error {
-		utils.AssertEqual(t, testMessage, ctx.Locals(DefaultContextKey))
+		utils.AssertEqual(t, testMessage, FromContext(ctx))
 		return nil
 	})
 
@@ -394,7 +383,7 @@ func Test_PASETO_PublicToken_CustomValidate(t *testing.T) {
 	}))
 
 	app.Get("/", func(ctx *fiber.Ctx) error {
-		utils.AssertEqual(t, testMessage, ctx.Locals(DefaultContextKey))
+		utils.AssertEqual(t, testMessage, FromContext(ctx))
 		return nil
 	})