fix(deps): update module github.com/golang-jwt/jwt/v4 to v5

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/apex/log v1.9.0
 	github.com/auth0/go-jwt-middleware/v2 v2.2.1
 	github.com/getsentry/sentry-go v0.27.0
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/jmoiron/sqlx v1.3.5
 	github.com/pkg/errors v0.9.1
 	github.com/pressly/goose/v3 v3.18.0

go.sum

@@ -92,6 +92,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

middleware/auth.go

@@ -6,7 +6,7 @@ import (
 	"net/http"
 
 	"github.com/99designs/gqlgen/graphql"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"gitlab.com/unboundsoftware/schemas/domain"
 	"gitlab.com/unboundsoftware/schemas/hash"

middleware/auth0.go

@@ -11,7 +11,7 @@ import (
 	"time"
 
 	mw "github.com/auth0/go-jwt-middleware/v2"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 )
 
@@ -56,20 +56,8 @@ type JSONWebKeys struct {
 }
 
 func (a *Auth0) ValidationKeyGetter() func(token *jwt.Token) (interface{}, error) {
-	issuer := fmt.Sprintf("https://%s/", a.domain)
 	return func(token *jwt.Token) (interface{}, error) {
 		// Verify 'aud' claim
-		aud := a.audience
-		checkAud := token.Claims.(jwt.MapClaims).VerifyAudience(aud, false)
-		if !checkAud {
-			return token, errors.New("Invalid audience.")
-		}
-		// Verify 'iss' claim
-		iss := issuer
-		checkIss := token.Claims.(jwt.MapClaims).VerifyIssuer(iss, false)
-		if !checkIss {
-			return token, errors.New("Invalid issuer.")
-		}
 
 		cert, err := a.getPemCert(token)
 		if err != nil {
@@ -82,18 +70,15 @@ func (a *Auth0) ValidationKeyGetter() func(token *jwt.Token) (interface{}, error
 }
 
 func (a *Auth0) Middleware() *mw.JWTMiddleware {
+	issuer := fmt.Sprintf("https://%s/", a.domain)
 	jwtMiddleware := mw.New(func(ctx context.Context, token string) (interface{}, error) {
-		jwtToken, err := jwt.Parse(token, a.ValidationKeyGetter())
+		jwtToken, err := jwt.Parse(token, a.ValidationKeyGetter(), jwt.WithAudience(a.audience), jwt.WithIssuer(issuer))
 		if err != nil {
 			return nil, err
 		}
 		if _, ok := jwtToken.Method.(*jwt.SigningMethodRSA); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", jwtToken.Header["alg"])
 		}
-		err = jwtToken.Claims.Valid()
-		if err != nil {
-			return nil, err
-		}
 		return jwtToken, nil
 	},
 		mw.WithTokenExtractor(func(r *http.Request) (string, error) {