Merge pull request #7136 from influxdata/er-jwt-dep

Update jwt-go to v3

CHANGELOG.md

@@ -1,12 +1,15 @@
 ## v1.1.0 [unreleased]
 
+### Release Notes
+
 ### Features
 
 - [#7120](https://github.com/influxdata/influxdb/issues/7120): Add additional statistics to query executor.
 - [#7135](https://github.com/influxdata/influxdb/pull/7135): Support enable HTTP service over unix domain socket. Thanks @oiooj
 - [#3634](https://github.com/influxdata/influxdb/issues/3634): Support mixed duration units.
 - [#7099](https://github.com/influxdata/influxdb/pull/7099): Implement text/csv content encoding for the response writer.
 - [#6992](https://github.com/influxdata/influxdb/issues/6992): Support tools for running async queries.
+- [#7136](https://github.com/influxdata/influxdb/pull/7136): Update jwt-go dependency to version 3.
 
 ### Bugfixes
 

Godeps

@@ -3,7 +3,7 @@ github.com/BurntSushi/toml 99064174e013895bbd9b025c31100bd1d9b590ca
 github.com/bmizerany/pat c068ca2f0aacee5ac3681d68e4d0a003b7d1fd2c
 github.com/boltdb/bolt 5cc10bbbc5c141029940133bb33c9e969512a698
 github.com/davecgh/go-spew 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
-github.com/dgrijalva/jwt-go 9b486c879bab3fde556ce8c27d9a2bb05d5b2c60
+github.com/dgrijalva/jwt-go 63734eae1ef55eaac06fdc0f312615f2e321e273
 github.com/dgryski/go-bits 2ad8d707cc05b1815ce6ff2543bb5e8d8f9298ef
 github.com/dgryski/go-bitstream 7d46cd22db7004f0cceb6f7975824b560cf0e486
 github.com/gogo/protobuf 6abcf94fd4c97dcb423fdafd42fe9f96ca7e421b

services/httpd/handler.go

@@ -933,14 +933,21 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 					return
 				}
 
+				claims, ok := token.Claims.(jwt.MapClaims)
+				if !ok {
+					h.httpError(w, "problem authenticating token", http.StatusInternalServerError)
+					h.Logger.Print("Could not assert JWT token claims as jwt.MapClaims")
+					return
+				}
+
 				// Make sure an expiration was set on the token.
-				if exp, ok := token.Claims["exp"].(float64); !ok || exp <= 0.0 {
+				if exp, ok := claims["exp"].(float64); !ok || exp <= 0.0 {
 					h.httpError(w, "token expiration required", http.StatusUnauthorized)
 					return
 				}
 
 				// Get the username from the token.
-				username, ok := token.Claims["username"].(string)
+				username, ok := claims["username"].(string)
 				if !ok {
 					h.httpError(w, "username in token must be a string", http.StatusUnauthorized)
 					return

services/httpd/handler_test.go

@@ -192,13 +192,13 @@ func TestHandler_Query_Auth(t *testing.T) {
 	h.ServeHTTP(w, req)
 	if w.Code != http.StatusUnauthorized {
 		t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
-	} else if !strings.Contains(w.Body.String(), `{"error":"token is expired`) {
+	} else if !strings.Contains(w.Body.String(), `{"error":"Token is expired`) {
 		t.Fatalf("unexpected body: %s", w.Body.String())
 	}
 
 	// Test handler with JWT token that has no expiration set.
 	token, _ := MustJWTToken("user1", h.Config.SharedSecret, false)
-	delete(token.Claims, "exp")
+	delete(token.Claims.(jwt.MapClaims), "exp")
 	signedToken, err := token.SignedString([]byte(h.Config.SharedSecret))
 	if err != nil {
 		t.Fatal(err)
@@ -639,11 +639,11 @@ func NewResultChan(results ...*influxql.Result) <-chan *influxql.Result {
 // MustJWTToken returns a new JWT token and signed string or panics trying.
 func MustJWTToken(username, secret string, expired bool) (*jwt.Token, string) {
 	token := jwt.New(jwt.GetSigningMethod("HS512"))
-	token.Claims["username"] = username
+	token.Claims.(jwt.MapClaims)["username"] = username
 	if expired {
-		token.Claims["exp"] = time.Now().Add(-time.Second).Unix()
+		token.Claims.(jwt.MapClaims)["exp"] = time.Now().Add(-time.Second).Unix()
 	} else {
-		token.Claims["exp"] = time.Now().Add(time.Minute * 10).Unix()
+		token.Claims.(jwt.MapClaims)["exp"] = time.Now().Add(time.Minute * 10).Unix()
 	}
 	signed, err := token.SignedString([]byte(secret))
 	if err != nil {