Use alternative library for JWT decoding

_examples/go.sum

@@ -11,13 +11,13 @@ github.com/bradfitz/gomemcache v0.0.0-20190329173943-551aad21a668/go.mod h1:H0wQ
 github.com/bradleypeabody/gorilla-sessions-memcache v0.0.0-20181103040241-659414f458e1/go.mod h1:dkChI7Tbtx7H1Tj7TqGSZMOeGpMP5gLHtjroHd4agiI=
 github.com/centrifugal/protocol v0.3.3 h1:GCNee3RFsjQu6SyKBX0Ir7ByUrp+Gw0MU/PsIc2CM2s=
 github.com/centrifugal/protocol v0.3.3/go.mod h1:2YbBCaDwQHl37ErRdMrKSj18X2yVvpkQYtSX6aVbe5A=
+github.com/cristalhq/jwt/v2 v2.0.0 h1:CxleHxkZQQ5J0siUQ2gwZrhAysmh8Ddh/R06AzCiYao=
+github.com/cristalhq/jwt/v2 v2.0.0/go.mod h1:nQT19GqJbrWubmI+ULE8PYsR1GCbwI5hAg1nG+9AbTg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 h1:RAV05c0xOkJ3dZGS0JFybxFKZ2WMLabgx3uXnd7rpGs=
 github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/gin-contrib/sessions v0.0.3 h1:PoBXki+44XdJdlgDqDrY5nDVe3Wk7wDV/UCOuLP6fBI=
 github.com/gin-contrib/sessions v0.0.3/go.mod h1:8C/J6cad3Il1mWYYgtw0w+hqasmpvy25mPkXdOgeB9I=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=

client_test.go

@@ -9,33 +9,16 @@ import (
 	"time"
 
 	"github.com/centrifugal/protocol"
-	"github.com/dgrijalva/jwt-go"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 
-func getConnToken(user string, exp int64) string {
-	claims := jwt.MapClaims{"sub": user}
-	if exp > 0 {
-		claims["exp"] = exp
-	}
-	t, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte("secret"))
-	if err != nil {
-		panic(err)
-	}
-	return t
+func getConnTokenHS(user string, exp int64) string {
+	return getConnToken(user, exp, nil)
 }
 
-func getSubscribeToken(channel string, client string, exp int64) string {
-	claims := jwt.MapClaims{"channel": channel, "client": client}
-	if exp > 0 {
-		claims["exp"] = exp
-	}
-	t, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte("secret"))
-	if err != nil {
-		panic(err)
-	}
-	return t
+func getSubscribeTokenHS(channel string, client string, exp int64) string {
+	return getSubscribeToken(channel, client, exp, nil)
 }
 
 func testReplyWriter(replies *[]*protocol.Reply) *replyWriter {
@@ -165,7 +148,7 @@ func TestClientConnectWithMalformedToken(t *testing.T) {
 	require.Equal(t, disconnect, DisconnectInvalidToken)
 }
 
-func TestClientConnectWithValidToken(t *testing.T) {
+func TestClientConnectWithValidTokenHMAC(t *testing.T) {
 	node := nodeWithMemoryEngine()
 	defer func() { _ = node.Shutdown(context.Background()) }()
 
@@ -178,7 +161,30 @@ func TestClientConnectWithValidToken(t *testing.T) {
 	var replies []*protocol.Reply
 	rw := testReplyWriter(&replies)
 	disconnect := client.connectCmd(&protocol.ConnectRequest{
-		Token: getConnToken("42", 0),
+		Token: getConnTokenHS("42", 0),
+	}, rw)
+	require.Nil(t, disconnect)
+	result := extractConnectResult(replies, client.Transport().Protocol())
+	require.Equal(t, client.ID(), result.Client)
+	require.Equal(t, false, result.Expires)
+}
+
+func TestClientConnectWithValidTokenRSA(t *testing.T) {
+	privateKey, pubKey := generateTestRSAKeys(t)
+
+	node := nodeWithMemoryEngine()
+	defer func() { _ = node.Shutdown(context.Background()) }()
+
+	config := node.Config()
+	config.TokenRSAPublicKey = pubKey
+	_ = node.Reload(config)
+
+	transport := newTestTransport()
+	client, _ := NewClient(context.Background(), node, transport)
+	var replies []*protocol.Reply
+	rw := testReplyWriter(&replies)
+	disconnect := client.connectCmd(&protocol.ConnectRequest{
+		Token: getConnToken("42", 0, privateKey),
 	}, rw)
 	require.Nil(t, disconnect)
 	result := extractConnectResult(replies, client.Transport().Protocol())
@@ -199,7 +205,7 @@ func TestClientConnectWithExpiringToken(t *testing.T) {
 	var replies []*protocol.Reply
 	rw := testReplyWriter(&replies)
 	disconnect := client.connectCmd(&protocol.ConnectRequest{
-		Token: getConnToken("42", time.Now().Unix()+10),
+		Token: getConnTokenHS("42", time.Now().Unix()+10),
 	}, rw)
 	require.Nil(t, disconnect)
 	result := extractConnectResult(replies, client.Transport().Protocol())
@@ -221,7 +227,7 @@ func TestClientConnectWithExpiredToken(t *testing.T) {
 	var replies []*protocol.Reply
 	rw := testReplyWriter(&replies)
 	disconnect := client.connectCmd(&protocol.ConnectRequest{
-		Token: getConnToken("42", 1525541722),
+		Token: getConnTokenHS("42", 1525541722),
 	}, rw)
 	require.Nil(t, disconnect)
 	require.Equal(t, ErrorTokenExpired.toProto(), replies[0].Error)
@@ -241,13 +247,13 @@ func TestClientTokenRefresh(t *testing.T) {
 	var replies []*protocol.Reply
 	rw := testReplyWriter(&replies)
 	disconnect := client.connectCmd(&protocol.ConnectRequest{
-		Token: getConnToken("42", 1525541722),
+		Token: getConnTokenHS("42", 1525541722),
 	}, rw)
 	require.Nil(t, disconnect)
 	require.Equal(t, ErrorTokenExpired.toProto(), replies[0].Error)
 
 	refreshResp, disconnect := client.refreshCmd(&protocol.RefreshRequest{
-		Token: getConnToken("42", 2525637058),
+		Token: getConnTokenHS("42", 2525637058),
 	})
 	require.Nil(t, disconnect)
 	require.NotEmpty(t, client.ID())
@@ -746,23 +752,23 @@ func TestClientSubscribePrivateChannelWithToken(t *testing.T) {
 
 	subCtx := client.subscribeCmd(&protocol.SubscribeRequest{
 		Channel: "$test1",
-		Token:   getSubscribeToken("$wrong_channel", "wrong client", 0),
+		Token:   getSubscribeTokenHS("$wrong_channel", "wrong client", 0),
 	}, rw, false)
 	require.Nil(t, subCtx.disconnect)
 	require.Equal(t, ErrorPermissionDenied.toProto(), replies[0].Error)
 
 	replies = nil
 	subCtx = client.subscribeCmd(&protocol.SubscribeRequest{
 		Channel: "$test1",
-		Token:   getSubscribeToken("$wrong_channel", client.ID(), 0),
+		Token:   getSubscribeTokenHS("$wrong_channel", client.ID(), 0),
 	}, rw, false)
 	require.Nil(t, subCtx.disconnect)
 	require.Equal(t, ErrorPermissionDenied.toProto(), replies[0].Error)
 
 	replies = nil
 	subCtx = client.subscribeCmd(&protocol.SubscribeRequest{
 		Channel: "$test1",
-		Token:   getSubscribeToken("$test1", client.ID(), 0),
+		Token:   getSubscribeTokenHS("$test1", client.ID(), 0),
 	}, rw, false)
 	require.Nil(t, subCtx.disconnect)
 	require.Nil(t, replies[0].Error)
@@ -788,15 +794,15 @@ func TestClientSubscribePrivateChannelWithExpiringToken(t *testing.T) {
 
 	subCtx := client.subscribeCmd(&protocol.SubscribeRequest{
 		Channel: "$test1",
-		Token:   getSubscribeToken("$test1", client.ID(), 10),
+		Token:   getSubscribeTokenHS("$test1", client.ID(), 10),
 	}, rw, false)
 	require.Nil(t, subCtx.disconnect)
 	require.Equal(t, ErrorTokenExpired.toProto(), replies[0].Error)
 
 	replies = nil
 	subCtx = client.subscribeCmd(&protocol.SubscribeRequest{
 		Channel: "$test1",
-		Token:   getSubscribeToken("$test1", client.ID(), time.Now().Unix()+10),
+		Token:   getSubscribeTokenHS("$test1", client.ID(), time.Now().Unix()+10),
 	}, rw, false)
 	require.Nil(t, subCtx.disconnect)
 	require.Nil(t, replies[0].Error, "token is valid and not expired yet")

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/FZambia/eagle v0.0.1
 	github.com/FZambia/sentinel v1.1.0
 	github.com/centrifugal/protocol v0.3.3
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/cristalhq/jwt/v2 v2.0.0
 	github.com/gogo/protobuf v1.3.1
 	github.com/golang/protobuf v1.3.3 // indirect
 	github.com/gomodule/redigo v1.8.0

go.sum

@@ -6,11 +6,11 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLM
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/centrifugal/protocol v0.3.3 h1:GCNee3RFsjQu6SyKBX0Ir7ByUrp+Gw0MU/PsIc2CM2s=
 github.com/centrifugal/protocol v0.3.3/go.mod h1:2YbBCaDwQHl37ErRdMrKSj18X2yVvpkQYtSX6aVbe5A=
+github.com/cristalhq/jwt/v2 v2.0.0 h1:CxleHxkZQQ5J0siUQ2gwZrhAysmh8Ddh/R06AzCiYao=
+github.com/cristalhq/jwt/v2 v2.0.0/go.mod h1:nQT19GqJbrWubmI+ULE8PYsR1GCbwI5hAg1nG+9AbTg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=

node.go

@@ -161,8 +161,10 @@ func (n *Node) Reload(c Config) error {
 	}
 	n.mu.Lock()
 	defer n.mu.Unlock()
+	if err := n.tokenVerifier.Reload(c); err != nil {
+		return err
+	}
 	n.config = c
-	n.tokenVerifier.Reload(c)
 	return nil
 }
 

token_verifier.go

@@ -3,7 +3,7 @@ package centrifuge
 type tokenVerifier interface {
 	VerifyConnectToken(token string) (connectToken, error)
 	VerifySubscribeToken(token string) (subscribeToken, error)
-	Reload(config Config)
+	Reload(config Config) error
 }
 
 type connectToken struct {