Use a single library for JWTs

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

.golangci.yml

@@ -121,9 +121,14 @@ linters-settings:
     packages-with-error-message:
       - "github.com/Sirupsen/logrus": "must use github.com/dapr/kit/logger"
       - "github.com/agrea/ptr": "must use github.com/dapr/kit/ptr"
-      - "github.com/cenkalti/backoff": "must use github.com/cenkalti/backoff/v4"
+      - "github.com/cenkalti/backoff$": "must use github.com/cenkalti/backoff/v4"
       - "github.com/cenkalti/backoff/v2": "must use github.com/cenkalti/backoff/v4"
       - "github.com/cenkalti/backoff/v3": "must use github.com/cenkalti/backoff/v4"
+      - "github.com/dgrijalva/jwt-go": "must use github.com/lestrrat-go/jwx/v2"
+      - "github.com/golang-jwt/jwt$": "must use github.com/lestrrat-go/jwx/v2"
+      - "github.com/golang-jwt/jwt/v4": "must use github.com/lestrrat-go/jwx/v2"
+      - "github.com/lestrrat-go/jwx/jwa": "must use github.com/lestrrat-go/jwx/v2"
+      - "github.com/lestrrat-go/jwx/jwt": "must use github.com/lestrrat-go/jwx/v2"
   misspell:
     # Correct spellings using locale preferences for US or UK.
     # Default is to use a neutral variety of English.

bindings/apns/authorization_builder.go

@@ -14,10 +14,15 @@ limitations under the License.
 package apns
 
 import (
+	"crypto"
+	"errors"
+	"fmt"
 	"sync"
 	"time"
 
-	jwt "github.com/golang-jwt/jwt/v4"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 
 	"github.com/dapr/kit/logger"
 )
@@ -35,7 +40,26 @@ type authorizationBuilder struct {
 	tokenExpiresAt      time.Time
 	keyID               string
 	teamID              string
-	privateKey          interface{}
+	privateKey          crypto.PrivateKey
+	pk                  jwk.Key
+}
+
+func (a *authorizationBuilder) setPK() error {
+	if a.privateKey == nil {
+		return errors.New("privateKey property is nil")
+	}
+	if a.keyID == "" {
+		return errors.New("keyID property is nil")
+	}
+
+	pk, err := jwk.FromRaw(a.privateKey)
+	if err != nil {
+		return fmt.Errorf("failed to parse private key: %w", err)
+	}
+	pk.Set("kid", a.keyID)
+
+	a.pk = pk
+	return nil
 }
 
 func (a *authorizationBuilder) getAuthorizationHeader() (string, error) {
@@ -64,20 +88,28 @@ func (a *authorizationBuilder) generateAuthorizationHeader() (string, error) {
 
 	a.logger.Debug("Authorization token expired; generating new token")
 
-	now := time.Now()
-	// TODO: Use jwt.RegisteredClaims instead of jwt.StandardClaims.
-	claims := jwt.StandardClaims{ //nolint:staticcheck
-		IssuedAt: time.Now().Unix(),
-		Issuer:   a.teamID,
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)
-	token.Header["kid"] = a.keyID
-	signedToken, err := token.SignedString(a.privateKey)
-	if err != nil {
-		return "", err
+	var err error
+	if a.pk == nil {
+		err = a.setPK()
+		if err != nil {
+			return "", err
+		}
 	}
 
-	a.authorizationHeader = "bearer " + signedToken
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Issuer(a.teamID).
+		IssuedAt(now).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build token: %w", err)
+	}
+	signed, err := jwt.Sign(token, jwt.WithKey(jwa.ES256, a.pk))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	a.authorizationHeader = "bearer " + string(signed)
 	a.tokenExpiresAt = now.Add(expirationMinutes)
 
 	return a.authorizationHeader, nil

bindings/azure/signalr/signalr.go

@@ -24,7 +24,8 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	jwt "github.com/golang-jwt/jwt/v4"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/pkg/errors"
 
 	"github.com/dapr/components-contrib/bindings"
@@ -251,7 +252,9 @@ func (s *SignalR) Invoke(ctx context.Context, req *bindings.InvokeRequest) (*bin
 }
 
 // Returns an access token for a request to the given URL
-func (s *SignalR) getToken(ctx context.Context, url string) (token string, err error) {
+func (s *SignalR) getToken(ctx context.Context, url string) (string, error) {
+	var err error
+
 	// If we have an Azure AD token provider, use that first
 	if s.aadToken != nil {
 		var at azcore.AccessToken
@@ -261,24 +264,21 @@ func (s *SignalR) getToken(ctx context.Context, url string) (token string, err e
 		if err != nil {
 			return "", err
 		}
-		token = at.Token
-	} else {
-		// TODO: Use jwt.RegisteredClaims instead
-		claims := &jwt.StandardClaims{ //nolint:staticcheck
-			ExpiresAt: time.Now().Add(15 * time.Minute).Unix(),
-			Audience:  url,
-		}
-		err = claims.Valid()
-		if err != nil {
-			return "", err
-		}
-
-		jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-		token, err = jwtToken.SignedString([]byte(s.accessKey))
-		if err != nil {
-			return "", err
-		}
+		return at.Token, nil
 	}
 
-	return token, nil
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Audience([]string{url}).
+		Expiration(now.Add(15 * time.Minute)).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build token: %w", err)
+	}
+	signed, err := jwt.Sign(token, jwt.WithKey(jwa.HS256, s.accessKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return string(signed), nil
 }

go.mod

@@ -61,7 +61,6 @@ require (
 	github.com/go-redis/redis/v9 v9.0.0-rc.2
 	github.com/go-sql-driver/mysql v1.7.0
 	github.com/gocql/gocql v1.3.1
-	github.com/golang-jwt/jwt/v4 v4.4.3
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.3.0
 	github.com/googleapis/gax-go/v2 v2.7.0
@@ -225,6 +224,7 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gogo/status v1.1.1 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
 	github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect