diff --git a/CHANGELOG.md b/CHANGELOG.md
index 170958aded..8fecf0e447 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## v1.1.0 [unreleased]
 
+### Release Notes
+
 ### Features
 
 - [#7120](https://github.com/influxdata/influxdb/issues/7120): Add additional statistics to query executor.
@@ -7,6 +9,7 @@
 - [#3634](https://github.com/influxdata/influxdb/issues/3634): Support mixed duration units.
 - [#7099](https://github.com/influxdata/influxdb/pull/7099): Implement text/csv content encoding for the response writer.
 - [#6992](https://github.com/influxdata/influxdb/issues/6992): Support tools for running async queries.
+- [#7136](https://github.com/influxdata/influxdb/pull/7136): Update jwt-go dependency to version 3.
 
 ### Bugfixes
 
diff --git a/Godeps b/Godeps
index 733189b017..f560430719 100644
--- a/Godeps
+++ b/Godeps
@@ -3,7 +3,7 @@ github.com/BurntSushi/toml 99064174e013895bbd9b025c31100bd1d9b590ca
 github.com/bmizerany/pat c068ca2f0aacee5ac3681d68e4d0a003b7d1fd2c
 github.com/boltdb/bolt 5cc10bbbc5c141029940133bb33c9e969512a698
 github.com/davecgh/go-spew 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
-github.com/dgrijalva/jwt-go 9b486c879bab3fde556ce8c27d9a2bb05d5b2c60
+github.com/dgrijalva/jwt-go 63734eae1ef55eaac06fdc0f312615f2e321e273
 github.com/dgryski/go-bits 2ad8d707cc05b1815ce6ff2543bb5e8d8f9298ef
 github.com/dgryski/go-bitstream 7d46cd22db7004f0cceb6f7975824b560cf0e486
 github.com/gogo/protobuf 6abcf94fd4c97dcb423fdafd42fe9f96ca7e421b
diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 6315cbf0ec..fe5de82280 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -933,14 +933,21 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 return
 }
 
+ claims, ok := token.Claims.(jwt.MapClaims)
+ if !ok {
+ h.httpError(w, "problem authenticating token", http.StatusInternalServerError)
+ h.Logger.Print("Could not assert JWT token claims as jwt.MapClaims")
+ return
+ }
+
 // Make sure an expiration was set on the token.
- if exp, ok := token.Claims["exp"].(float64); !ok || exp <= 0.0 {
+ if exp, ok := claims["exp"].(float64); !ok || exp <= 0.0 {
 h.httpError(w, "token expiration required", http.StatusUnauthorized)
 return
 }
 
 // Get the username from the token.
- username, ok := token.Claims["username"].(string)
+ username, ok := claims["username"].(string)
 if !ok {
 h.httpError(w, "username in token must be a string", http.StatusUnauthorized)
 return
diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index e936f558c8..88ca99cff6 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
@@ -192,13 +192,13 @@ func TestHandler_Query_Auth(t *testing.T) {
 h.ServeHTTP(w, req)
 if w.Code != http.StatusUnauthorized {
 t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
- } else if !strings.Contains(w.Body.String(), `{"error":"token is expired`) {
+ } else if !strings.Contains(w.Body.String(), `{"error":"Token is expired`) {
 t.Fatalf("unexpected body: %s", w.Body.String())
 }
 
 // Test handler with JWT token that has no expiration set.
 token, _ := MustJWTToken("user1", h.Config.SharedSecret, false)
- delete(token.Claims, "exp")
+ delete(token.Claims.(jwt.MapClaims), "exp")
 signedToken, err := token.SignedString([]byte(h.Config.SharedSecret))
 if err != nil {
 t.Fatal(err)
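Review bot: The `exp` check in this hunk is the only place where expiry is made mandatory, and the comment above it does not say so. jwt-go validates `exp` during parsing only when the claim is present, which appears to be why the no-expiration case in handler_test.go gets as far as this branch; I would extend the comment to `// jwt-go treats exp as optional, so enforce it here: a token without one would never expire.` The check also accepts any positive value, so a token issued with a far-future `exp` is effectively permanent; if that is not intended, a maximum lifetime belongs next to this check. The body of authenticate starts above and continues below the hunk, so the key function handed to the parser is not visible here. Everything below trusts `claims["username"]` once the signature verifies, so it is worth confirming in that key function that the signing method is pinned to HMAC and that an empty shared secret is refused.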
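Review bot: The updated assertion on `{"error":"Token is expired` shows that the 401 body is the jwt-go error string passed through unchanged, so a dependency bump altered what API clients receive. The handler code that builds this response is outside the hunk, but it would be steadier to classify the failure there, for example `if ve, ok := err.(*jwt.ValidationError); ok && ve.Errors&jwt.ValidationErrorExpired != 0`, and reply with a message the handler owns; the test could then assert that fixed text. Passing parser errors straight back to unauthenticated callers also tells them more about why a token was rejected than they need. TestHandler_Query_Auth begins above the hunk and continues past it.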
@@ -639,11 +639,11 @@ func NewResultChan(results ...*influxql.Result) <-chan *influxql.Result {
 // MustJWTToken returns a new JWT token and signed string or panics trying.
 func MustJWTToken(username, secret string, expired bool) (*jwt.Token, string) {
 token := jwt.New(jwt.GetSigningMethod("HS512"))
- token.Claims["username"] = username
+ token.Claims.(jwt.MapClaims)["username"] = username
 if expired {
- token.Claims["exp"] = time.Now().Add(-time.Second).Unix()
+ token.Claims.(jwt.MapClaims)["exp"] = time.Now().Add(-time.Second).Unix()
 } else {
- token.Claims["exp"] = time.Now().Add(time.Minute * 10).Unix()
+ token.Claims.(jwt.MapClaims)["exp"] = time.Now().Add(time.Minute * 10).Unix()
 }
 signed, err := token.SignedString([]byte(secret))
 if err != nil {
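Review bot: `MustJWTToken` now repeats the unchecked assertion `token.Claims.(jwt.MapClaims)` on three lines. Asserting once with `claims := token.Claims.(jwt.MapClaims)` and then writing `claims["username"]` and `claims["exp"]` reads better, or the token can be built with `jwt.NewWithClaims` and a `jwt.MapClaims` literal. A panic on a mismatched type is acceptable in a Must helper, so this is a style point only. The function body continues past the end of the hunk.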