chore: replace github.com/go-jose/go-jose/v3 with v4 (#16031)

Juneezee · web-flow · commit d78822368861 · 2025-01-03T11:21:49.000-06:00
Codebase currently uses both v3 and v4 versions of the `go-jose`
dependency. To maintain consistency, we should standardize on using only
the latest v4 version.

Signed-off-by: Eng Zer Jun &lt;engzerjun@gmail.com&gt;
diff --git a/coderd/coderdtest/oidctest/idp.go b/coderd/coderdtest/oidctest/idp.go
@@ -25,7 +25,7 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/go-chi/chi/v5"
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
diff --git a/coderd/jwtutils/jws.go b/coderd/jwtutils/jws.go
@@ -38,7 +38,7 @@ type Claims interface {
 }
 
 const (
-	signingAlgo = jose.HS512
+	SigningAlgo = jose.HS512
 )
 
 type SigningKeyManager interface {
@@ -62,7 +62,7 @@ func Sign(ctx context.Context, s SigningKeyProvider, claims Claims) (string, err
 	}
 
 	signer, err := jose.NewSigner(jose.SigningKey{
-		Algorithm: signingAlgo,
+		Algorithm: SigningAlgo,
 		Key:       key,
 	}, &jose.SignerOptions{
 		ExtraHeaders: map[jose.HeaderKey]interface{}{
@@ -109,7 +109,7 @@ func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claim
 		RegisteredClaims: jwt.Expected{
 			Time: time.Now(),
 		},
-		SignatureAlgorithm: signingAlgo,
+		SignatureAlgorithm: SigningAlgo,
 	}
 
 	for _, opt := range opts {
@@ -127,8 +127,8 @@ func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claim
 
 	signature := object.Signatures[0]
 
-	if signature.Header.Algorithm != string(signingAlgo) {
-		return xerrors.Errorf("expected JWS algorithm to be %q, got %q", signingAlgo, object.Signatures[0].Header.Algorithm)
+	if signature.Header.Algorithm != string(SigningAlgo) {
+		return xerrors.Errorf("expected JWS algorithm to be %q, got %q", SigningAlgo, object.Signatures[0].Header.Algorithm)
 	}
 
 	kid := signature.Header.KeyID
diff --git a/coderd/workspaceapps/apptest/apptest.go b/coderd/workspaceapps/apptest/apptest.go
@@ -20,14 +20,15 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/workspaceapps"
 	"github.com/coder/coder/v2/codersdk"
@@ -430,7 +431,7 @@ func Run(t *testing.T, appHostIsPrimary bool, factory DeploymentFactory) {
 			require.NotNil(t, appTokenCookie, "no signed app token cookie in response")
 			require.Equal(t, appTokenCookie.Path, u.Path, "incorrect path on app token cookie")
 
-			object, err := jose.ParseSigned(appTokenCookie.Value)
+			object, err := jose.ParseSigned(appTokenCookie.Value, []jose.SignatureAlgorithm{jwtutils.SigningAlgo})
 			require.NoError(t, err)
 			require.Len(t, object.Signatures, 1)
 
@@ -712,7 +713,7 @@ func Run(t *testing.T, appHostIsPrimary bool, factory DeploymentFactory) {
 
 		// Parse the JWT without verifying it (since we can't access the key
 		// from this test).
-		object, err := jose.ParseSigned(appTokenCookie.Value)
+		object, err := jose.ParseSigned(appTokenCookie.Value, []jose.SignatureAlgorithm{jwtutils.SigningAlgo})
 		require.NoError(t, err)
 		require.Len(t, object.Signatures, 1)
 
@@ -1192,7 +1193,7 @@ func Run(t *testing.T, appHostIsPrimary bool, factory DeploymentFactory) {
 			require.NotNil(t, appTokenCookie, "no signed token cookie in response")
 			require.Equal(t, appTokenCookie.Path, "/", "incorrect path on signed token cookie")
 
-			object, err := jose.ParseSigned(appTokenCookie.Value)
+			object, err := jose.ParseSigned(appTokenCookie.Value, []jose.SignatureAlgorithm{jwtutils.SigningAlgo})
 			require.NoError(t, err)
 			require.Len(t, object.Signatures, 1)
 
diff --git a/go.mod b/go.mod
@@ -122,7 +122,6 @@ require (
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/httprate v0.14.1
 	github.com/go-chi/render v1.0.1
-	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/go-jose/go-jose/v4 v4.0.2
 	github.com/go-logr/logr v1.4.2
 	github.com/go-playground/validator/v10 v10.23.0
diff --git a/go.sum b/go.sum
@@ -348,8 +348,6 @@ github.com/go-chi/render v1.0.1 h1:4/5tis2cKaNdnv9zFLfXzcquC9HbeZgCnxGnKrltBS8=
 github.com/go-chi/render v1.0.1/go.mod h1:pq4Rr7HbnsdaeHagklXub+p6Wd16Af5l9koip1OvJns=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
 github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -998,7 +996,6 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI=
@@ -1074,7 +1071,6 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
@@ -1084,7 +1080,6 @@ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1096,7 +1091,6 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ type Claims interface {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`const (`
`41`		`- signingAlgo = jose.HS512`
	`41`	`+ SigningAlgo = jose.HS512`
`42`	`42`	`)`
`43`	`43`
`44`	`44`	`type SigningKeyManager interface {`
`@@ -62,7 +62,7 @@ func Sign(ctx context.Context, s SigningKeyProvider, claims Claims) (string, err`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`signer, err := jose.NewSigner(jose.SigningKey{`
`65`		`- Algorithm: signingAlgo,`
	`65`	`+ Algorithm: SigningAlgo,`
`66`	`66`	`Key: key,`
`67`	`67`	`}, &jose.SignerOptions{`
`68`	`68`	`ExtraHeaders: map[jose.HeaderKey]interface{}{`
`@@ -109,7 +109,7 @@ func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claim`
`109`	`109`	`RegisteredClaims: jwt.Expected{`
`110`	`110`	`Time: time.Now(),`
`111`	`111`	`},`
`112`		`- SignatureAlgorithm: signingAlgo,`
	`112`	`+ SignatureAlgorithm: SigningAlgo,`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`for _, opt := range opts {`
`@@ -127,8 +127,8 @@ func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claim`
`127`	`127`
`128`	`128`	`signature := object.Signatures[0]`
`129`	`129`
`130`		`- if signature.Header.Algorithm != string(signingAlgo) {`
`131`		`- return xerrors.Errorf("expected JWS algorithm to be %q, got %q", signingAlgo, object.Signatures[0].Header.Algorithm)`
	`130`	`+ if signature.Header.Algorithm != string(SigningAlgo) {`
	`131`	`+ return xerrors.Errorf("expected JWS algorithm to be %q, got %q", SigningAlgo, object.Signatures[0].Header.Algorithm)`
`132`	`132`	`}`
`133`	`133`
`134`	`134`	`kid := signature.Header.KeyID`