Closed MattBrittan closed 3 years ago
Thanks for the report. I'll solve this one once I can get to it.
Hi, sorry about not noticing the issue and what not. I have just released v1.1.6 of github.com/lestrrat-go/jwx. I didn't go as far as checking if github.com/lestrrat-go/jwx was actually free of the above problem, but at least lestrrat-go/iter#1 is definitely fixed and v1.0.1 of github.com/lestrrat-go/iter is now being used in jwx.
Thanks very much @lestrrat; I have verified that the updated jwx package resolves this crash. As it's a point upgrade a go get -u picks it up so no changes should be required in the jwtauth package. @pkieltyka - thanks for your response; I figured this needed to be fixed in the upstream project and really only raised it here as it seemed likely someone else would run into it.
Well, I would think it would be safer for the dependency in this project to be upgraded too, no?
This is an issue with github.com/lestrrat-go but I'm reporting it here because I suspect others upgrading to v1.1.0 and above (and hence moving from github.com/dgrijalva/jwt-go to github.com/lestrrat-go/jwx) may encounter it (and it took me a while to trace the cause). If a token contains a null (e.g. "nullValue": null) then calling jwtauth.Authenticator will result in a panic.

This issue in the upstream project is: https://github.com/lestrrat-go/iter/issues/1 (I have posted my workaround there).
The following demonstrates how this can be replicated within github.com/go-chi/jwtauth:
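
Added example, not part of the original report and not the reporter's reproduction or workaround: a standard-library check that lists the claims in a token's payload whose value is JSON null, the condition described above, so affected tokens can be identified in tests or logs. The names nullClaims and buildToken and the sample token are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// nullClaims (hypothetical helper) lists top-level claims whose value is JSON null.
// It only decodes the payload segment; it does not verify the signature.
func nullClaims(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected 3 segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	// RawMessage keeps the literal bytes, so a null value stays
	// distinguishable from an absent claim.
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	found := []string{}
	for name, raw := range claims {
		if string(raw) == "null" {
			found = append(found, name)
		}
	}
	sort.Strings(found)
	return found, nil
}

// buildToken assembles a constructed sample token (placeholder signature).
func buildToken(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	return header + "." + enc([]byte(payloadJSON)) + "." + enc([]byte("constructed-signature"))
}

func main() {
	tok := buildToken(`{"sub":"123","nullValue":null}`)
	fmt.Println(nullClaims(tok))
}
```

Because the helper does not verify signatures, it is a diagnostic only and does not replace token verification.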