chore: migrate to golang-jwt v5 and update token error handling (#348)

- Upgrade github.com/golang-jwt/jwt dependency from v4 to v5
- Update token expiration error handling to use new v5 error types
- Add logging for tokens with invalid claims
- Adjust test assertions to match updated error messages from jwt v5
- Improve handling of JWT exp claim errors, distinguishing between expired, missing, and invalid type cases
- Ensure ParseOptions always include WithTimeFunc for correct time validation
- Fix typo in exp claim comment
- Add a check for missing exp claim for backwards compatibility
- Update tests to verify correct error messages and status codes for missing or invalid exp claims
- Add new tests for required exp claim and invalid exp format scenarios

fixed: #332

Co-Author: @gblandinkingland

Author: appleboy

auth_jwt.go

@@ -2,15 +2,14 @@ package jwt
 
 import (
 	"crypto/rsa"
-	"encoding/json"
 	"errors"
 	"net/http"
 	"os"
 	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/youmark/pkcs8"
 )
 
@@ -154,10 +153,11 @@ type GinJWTMiddleware struct {
 	// CookieSameSite allow use http.SameSite cookie param
 	CookieSameSite http.SameSite
 
-	// ParseOptions allow to modify jwt's parser methods
+	// ParseOptions allow to modify jwt's parser methods.
+	// WithTimeFunc is always added to ensure the TimeFunc is propagated to the validator
 	ParseOptions []jwt.ParserOption
 
-	// Default vaule is "exp"
+	// Default value is "exp"
 	ExpField string
 }
 
@@ -446,6 +446,11 @@ func (mw *GinJWTMiddleware) MiddlewareInit() error {
 		return ErrMissingSecretKey
 	}
 
+	if len(mw.ParseOptions) == 0 {
+		mw.ParseOptions = []jwt.ParserOption{}
+	}
+	mw.ParseOptions = append(mw.ParseOptions, jwt.WithTimeFunc(mw.TimeFunc))
+
 	return nil
 }
 
@@ -459,31 +464,24 @@ func (mw *GinJWTMiddleware) MiddlewareFunc() gin.HandlerFunc {
 func (mw *GinJWTMiddleware) middlewareImpl(c *gin.Context) {
 	claims, err := mw.GetClaimsFromJWT(c)
 	if err != nil {
-		mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(err, c))
-		return
-	}
-
-	switch v := claims[mw.ExpField].(type) {
-	case nil:
-		mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrMissingExpField, c))
-		return
-	case float64:
-		if int64(v) < mw.TimeFunc().Unix() {
+		if errors.Is(err, jwt.ErrTokenExpired) {
 			mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(ErrExpiredToken, c))
 			return
-		}
-	case json.Number:
-		n, err := v.Int64()
-		if err != nil {
+		} else if errors.Is(err, jwt.ErrInvalidType) && strings.Contains(err.Error(), "exp is invalid") {
 			mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrWrongFormatOfExp, c))
 			return
-		}
-		if n < mw.TimeFunc().Unix() {
-			mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(ErrExpiredToken, c))
+		} else if errors.Is(err, jwt.ErrTokenRequiredClaimMissing) && strings.Contains(err.Error(), "exp claim is required") {
+			mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrMissingExpField, c))
+			return
+		} else {
+			mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(err, c))
 			return
 		}
-	default:
-		mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrWrongFormatOfExp, c))
+	}
+
+	// For backwards compatibility since technically exp is not required in the spec but has been in gin-jwt
+	if claims["exp"] == nil {
+		mw.unauthorized(c, http.StatusBadRequest, mw.HTTPStatusMessageFunc(ErrMissingExpField, c))
 		return
 	}
 
@@ -645,8 +643,7 @@ func (mw *GinJWTMiddleware) CheckIfTokenExpire(c *gin.Context) (jwt.MapClaims, e
 		// If the error is just ValidationErrorExpired, we want to continue, as we can still
 		// refresh the token if it's within the MaxRefresh time.
 		// (see https://github.com/appleboy/gin-jwt/issues/176)
-		validationErr, ok := err.(*jwt.ValidationError)
-		if !ok || validationErr.Errors != jwt.ValidationErrorExpired {
+		if !errors.Is(err, jwt.ErrTokenExpired) {
 			return nil, err
 		}
 	}

auth_jwt_test.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/appleboy/gofight/v2"
 	"github.com/gin-gonic/gin"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/tidwall/gjson"
 )
@@ -1233,7 +1233,7 @@ func TestExpiredField(t *testing.T) {
 		})
 
 	// wrong format
-	claims["exp"] = "wrongFormatForExpiryIgnoredByJwtLibrary"
+	claims["exp"] = "wrongFormatForExpiry"
 	tokenString, _ = token.SignedString(key)
 
 	r.GET("/auth/hello").
@@ -1243,8 +1243,55 @@ func TestExpiredField(t *testing.T) {
 		Run(handler, func(r gofight.HTTPResponse, rq gofight.HTTPRequest) {
 			message := gjson.Get(r.Body.String(), "message")
 
-			assert.Equal(t, ErrExpiredToken.Error(), strings.ToLower(message.String()))
-			assert.Equal(t, http.StatusUnauthorized, r.Code)
+			assert.Equal(t, ErrWrongFormatOfExp.Error(), strings.ToLower(message.String()))
+			assert.Equal(t, http.StatusBadRequest, r.Code)
+		})
+}
+
+func TestExpiredFieldRequiredParserOption(t *testing.T) {
+	// the middleware to test
+	authMiddleware, _ := New(&GinJWTMiddleware{
+		Realm:         "test zone",
+		Key:           key,
+		Timeout:       time.Hour,
+		Authenticator: defaultAuthenticator,
+		ParseOptions:  []jwt.ParserOption{jwt.WithExpirationRequired()},
+	})
+
+	handler := ginHandler(authMiddleware)
+
+	r := gofight.New()
+
+	token := jwt.New(jwt.GetSigningMethod("HS256"))
+	claims := token.Claims.(jwt.MapClaims)
+	claims["identity"] = "admin"
+	claims["orig_iat"] = 0
+	tokenString, _ := token.SignedString(key)
+
+	r.GET("/auth/hello").
+		SetHeader(gofight.H{
+			"Authorization": "Bearer " + tokenString,
+		}).
+		Run(handler, func(r gofight.HTTPResponse, rq gofight.HTTPRequest) {
+			message := gjson.Get(r.Body.String(), "message")
+
+			assert.Equal(t, ErrMissingExpField.Error(), message.String())
+			assert.Equal(t, http.StatusBadRequest, r.Code)
+		})
+
+	// wrong format
+	claims["exp"] = "wrongFormatForExpiry"
+	tokenString, _ = token.SignedString(key)
+
+	r.GET("/auth/hello").
+		SetHeader(gofight.H{
+			"Authorization": "Bearer " + tokenString,
+		}).
+		Run(handler, func(r gofight.HTTPResponse, rq gofight.HTTPRequest) {
+			message := gjson.Get(r.Body.String(), "message")
+
+			assert.Equal(t, ErrWrongFormatOfExp.Error(), strings.ToLower(message.String()))
+			assert.Equal(t, http.StatusBadRequest, r.Code)
 		})
 }
 

go.mod

@@ -5,7 +5,7 @@ go 1.23.0
 require (
 	github.com/appleboy/gofight/v2 v2.1.2
 	github.com/gin-gonic/gin v1.10.1
-	github.com/golang-jwt/jwt/v4 v4.5.2
+	github.com/golang-jwt/jwt/v5 v5.2.3
 	github.com/stretchr/testify v1.10.0
 	github.com/tidwall/gjson v1.17.1
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78

go.sum

@@ -28,8 +28,8 @@ github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHO
 github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
+github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=