Upgrade go-jose from v2 to v4 #107
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
ipmb
commented
Nov 10, 2025
ipmb
commented
- Update import from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v4
- Add required signature algorithm specification for jwt.ParseSigned
- Allow RS256 (Auth0 default), HS256, and ES256 algorithms
- All three are secure, standardized algorithms per RFC 7518
- Addresses security vulnerabilities: algorithm confusion, billion hash attack
- Update import from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v4 - Add required signature algorithm specification for jwt.ParseSigned - Allow RS256 (Auth0 default), HS256, and ES256 algorithms - All three are secure, standardized algorithms per RFC 7518 - Addresses security vulnerabilities: algorithm confusion, billion hash attack
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades the go-jose library from v2 (archived at gopkg.in/square/go-jose.v2) to v4 (maintained at github.com/go-jose/go-jose/v4) to address security vulnerabilities and use the actively maintained version.
Key Changes:
- Updated import paths from
gopkg.in/square/go-jose.v2togithub.com/go-jose/go-jose/v4 - Added required signature algorithm allowlist (RS256, HS256, ES256) for
jwt.ParseSignedto comply with v4 API requirements - Updated go.mod and go.sum dependencies accordingly
Reviewed Changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go.mod | Replaced deprecated go-jose v2 dependency with go-jose v4.1.1 |
| go.sum | Updated checksums for new go-jose v4.1.1 dependency and removed old v2 entries |
| auth/tokens.go | Updated imports and added algorithm allowlist to IsExpired() function for JWT parsing |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+78
to
+82
| allowedAlgorithms := []jose.SignatureAlgorithm{ | ||
| jose.RS256, // RSA with SHA-256 (most common for Auth0) | ||
| jose.HS256, // HMAC with SHA-256 | ||
| jose.ES256, // ECDSA with P-256 and SHA-256 | ||
| } |
There was a problem hiding this comment.
The allowedAlgorithms slice is recreated on every call to IsExpired(). Consider moving this to a package-level variable to avoid unnecessary allocations:
var allowedJWTAlgorithms = []jose.SignatureAlgorithm{
jose.RS256, // RSA with SHA-256 (most common for Auth0)
jose.HS256, // HMAC with SHA-256
jose.ES256, // ECDSA with P-256 and SHA-256
}Then use it in the function:
parsedToken, err := jwt.ParseSigned(t.AccessToken, allowedJWTAlgorithms)
Member
Author
There was a problem hiding this comment.
It's a CLI and only gets called once per run.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.