	fix update jwt-token version to avoid attackers to bypass intended access restrictions in situations with []string{} for m["aud"]
This commit is contained in:
		
							parent
							
								
									a1e9332606
								
							
						
					
					
						commit
						869ab9ac89
					
				
							
								
								
									
										2
									
								
								go.mod
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								go.mod
									
									
									
									
									
								
							| @ -7,7 +7,6 @@ require ( | |||||||
| 	github.com/Shopify/toxiproxy v2.1.4+incompatible // indirect | 	github.com/Shopify/toxiproxy v2.1.4+incompatible // indirect | ||||||
| 	github.com/antonfisher/nested-logrus-formatter v1.3.0 | 	github.com/antonfisher/nested-logrus-formatter v1.3.0 | ||||||
| 	github.com/coreos/go-semver v0.3.0 // indirect | 	github.com/coreos/go-semver v0.3.0 // indirect | ||||||
| 	github.com/dgrijalva/jwt-go v3.2.0+incompatible |  | ||||||
| 	github.com/dustin/go-humanize v1.0.0 // indirect | 	github.com/dustin/go-humanize v1.0.0 // indirect | ||||||
| 	github.com/eapache/go-resiliency v1.2.0 // indirect | 	github.com/eapache/go-resiliency v1.2.0 // indirect | ||||||
| 	github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect | 	github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect | ||||||
| @ -16,6 +15,7 @@ require ( | |||||||
| 	github.com/garyburd/redigo v1.6.2 | 	github.com/garyburd/redigo v1.6.2 | ||||||
| 	github.com/gin-gonic/gin v1.7.0 | 	github.com/gin-gonic/gin v1.7.0 | ||||||
| 	github.com/go-playground/validator/v10 v10.4.1 | 	github.com/go-playground/validator/v10 v10.4.1 | ||||||
|  | 	github.com/golang-jwt/jwt/v4 v4.1.0 // indirect | ||||||
| 	github.com/golang/protobuf v1.5.2 | 	github.com/golang/protobuf v1.5.2 | ||||||
| 	github.com/golang/snappy v0.0.3 // indirect | 	github.com/golang/snappy v0.0.3 // indirect | ||||||
| 	github.com/gorilla/websocket v1.4.2 | 	github.com/gorilla/websocket v1.4.2 | ||||||
|  | |||||||
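Review bot: The replacement module added at L65, `github.com/golang-jwt/jwt/v4 v4.1.0 // indirect`, is marked indirect, but the Go source in this same commit imports it directly (the import line switches to `github.com/golang-jwt/jwt/v4`), so the marker is wrong and a later `go mod tidy` would rewrite it; the line should read `github.com/golang-jwt/jwt/v4 v4.1.0`. The removal of `github.com/dgrijalva/jwt-go` at L57 is the right counterpart, and the go.sum section only carries the matching checksum entries, so no further change is needed there.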
							
								
								
									
										2
									
								
								go.sum
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								go.sum
									
									
									
									
									
								
							| @ -74,6 +74,8 @@ github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x | |||||||
| github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= | github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= | ||||||
| github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= | github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= | ||||||
| github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= | github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= | ||||||
|  | github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0= | ||||||
|  | github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= | ||||||
| github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= | ||||||
| github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= | ||||||
| github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= | ||||||
|  | |||||||
| @ -4,7 +4,7 @@ import ( | |||||||
| 	"Open_IM/src/common/config" | 	"Open_IM/src/common/config" | ||||||
| 	"Open_IM/src/common/db" | 	"Open_IM/src/common/db" | ||||||
| 	"errors" | 	"errors" | ||||||
| 	"github.com/dgrijalva/jwt-go" | 	"github.com/golang-jwt/jwt/v4" | ||||||
| 	"time" | 	"time" | ||||||
| ) | ) | ||||||
| 
 | 
 | ||||||
| @ -22,7 +22,7 @@ type Claims struct { | |||||||
| 	jwt.StandardClaims | 	jwt.StandardClaims | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func BuildClaims(uid, accountAddr, platform string, ttl int64) Claims { | func BuildClaims(uid, platform string, ttl int64) Claims { | ||||||
| 	now := time.Now().Unix() | 	now := time.Now().Unix() | ||||||
| 	//if ttl=-1 Permanent token | 	//if ttl=-1 Permanent token | ||||||
| 	if ttl == -1 { | 	if ttl == -1 { | ||||||
| @ -45,8 +45,8 @@ func BuildClaims(uid, accountAddr, platform string, ttl int64) Claims { | |||||||
| 		}} | 		}} | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func CreateToken(userID, accountAddr string, platform int32) (string, int64, error) { | func CreateToken(userID string, platform int32) (string, int64, error) { | ||||||
| 	claims := BuildClaims(userID, accountAddr, PlatformIDToName(platform), config.Config.TokenPolicy.AccessExpire) | 	claims := BuildClaims(userID, PlatformIDToName(platform), config.Config.TokenPolicy.AccessExpire) | ||||||
| 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) | 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) | ||||||
| 	tokenString, err := token.SignedString([]byte(config.Config.TokenPolicy.AccessSecret)) | 	tokenString, err := token.SignedString([]byte(config.Config.TokenPolicy.AccessSecret)) | ||||||
| 
 | 
 | ||||||
|  | |||||||
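Review bot: BuildClaims (L125) and CreateToken (L135) both lose their accountAddr parameter here, yet neither exported function carries a doc comment describing the new contract; suggest `// BuildClaims builds the token Claims for uid and platform; ttl == -1 marks a permanent token.` above BuildClaims and `// CreateToken signs the claims for userID and platform with HS256 using config.Config.TokenPolicy.AccessSecret.` above CreateToken. The one comment inside the hunk, `//if ttl=-1 Permanent token`, should be written `// if ttl == -1, the token is permanent` to match the usual `// ` comment form. Separately, the new import at L113 brings in golang-jwt/jwt/v4, which deprecates the StandardClaims still embedded by Claims (context line at L120) in favour of RegisteredClaims, so a follow-up migration is likely wanted; the verification path that the commit title's audience-check fix actually protects is not in this diff, and it is worth confirming it compiles and validates against v4 with these Claims. The Claims struct begins before the second hunk, and the bodies of BuildClaims and CreateToken continue past their hunks.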