Migrate to github.com/golang-jwt/jwt/v4 to address CVE-2020-26160
JorritSalverda opened this issue · 0 comments
JorritSalverda commented
github.com/golang-jwt/jwt is a drop-in replacement for github.com/dgrijalva/jwt-go.
Version 4 - see https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md - fixes vulnerability CVE-2020-26160 and does away with checking the issued at time, which is not supposed to be checked according to the JWT spec but can lead to Token used before issued errors.
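Added example, not part of the issue and not code from either library: a standard-library-only Go model of the audience-check failure tracked as CVE-2020-26160, where an array-valued `aud` claim is read through a string type assertion, shown next to a check that handles both forms RFC 7519 allows. The function names, audience values and payloads are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audLoose models the flawed pattern: only a string "aud" is understood, so an
// array-valued claim collapses to "" and is treated as "no audience present".
func audLoose(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == want
}

// audStrict accepts a string or an array of strings and fails closed otherwise.
func audStrict(claims map[string]interface{}, want string, required bool) bool {
	switch v := claims["aud"].(type) {
	case nil:
		return !required
	case string:
		return v == want
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// check decodes a constructed claims payload and runs the chosen verifier.
func check(verify func(map[string]interface{}, string, bool) bool, payload, want string) bool {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return false
	}
	return verify(claims, want, false)
}

func main() {
	// Constructed sample payloads, checked by a service expecting "billing".
	for _, p := range []string{`{"aud":"reports"}`, `{"aud":["reports"]}`, `{"aud":["reports","billing"]}`} {
		fmt.Println(p, "loose:", check(audLoose, p, "billing"), "strict:", check(audStrict, p, "billing"))
	}
}
```

After migrating, a regression test that feeds the real parser a token with an array-valued `aud` naming a different audience confirms the service rejects it.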