
build(deps): update several deps #48

Merged: 1 commit, Mar 9, 2024

Conversation


@james-d-elliott james-d-elliott commented Mar 9, 2024

Summary by CodeRabbit

  • Refactor
    • Updated the import paths for the go-jose and jwt packages from version 3 to version 4 to leverage new features and improvements.

@james-d-elliott james-d-elliott requested a review from a team as a code owner March 9, 2024 05:59

coderabbitai bot commented Mar 9, 2024

Walkthrough

The changes predominantly revolve around updating the import paths for the go-jose and jwt packages from version 3 to version 4 across various files. This update likely aims to leverage new features or improvements offered by the newer versions of these packages. The modifications span across a range of files, including those responsible for client authentication, JWT handling, and integration testing.

Changes

  • README.md, client.go, client_authentication.go, client_authentication_jwks_strategy.go, client_authentication_test.go, handler/rfc7523/..., integration/clients/jwt_bearer.go, integration/helper_setup_test.go, internal/oauth2_auth_jwt_storage.go, storage/memory.go, token/jwt/jwt.go, token/jwt/token.go: Updated go-jose package import paths from version 3 to version 4.
  • authorize_request_handler.go, authorize_request_handler_oidc_request_test.go: Updated go-jose package import statements from version 3 to version 4.
  • handler/rfc7523/..., integration/..., token/jwt/jwt_test.go, token/jwt/token_test.go: Updated jwt package import paths from version 3 to version 4.


@coderabbitai coderabbitai bot left a comment


Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between 2c1d3f2 and d14ed1a.
Files ignored due to path filters (2)
  • go.mod is excluded by: !**/*.mod
  • go.sum is excluded by: !**/*.sum
Files selected for processing (24)
  • README.md (1 hunks)
  • authorize_request_handler.go (1 hunks)
  • authorize_request_handler_oidc_request_test.go (1 hunks)
  • client.go (1 hunks)
  • client_authentication.go (1 hunks)
  • client_authentication_jwks_strategy.go (1 hunks)
  • client_authentication_jwks_strategy_test.go (1 hunks)
  • client_authentication_test.go (1 hunks)
  • handler/rfc7523/handler.go (2 hunks)
  • handler/rfc7523/handler_test.go (2 hunks)
  • handler/rfc7523/storage.go (1 hunks)
  • integration/authorize_jwt_bearer_required_iat_test.go (1 hunks)
  • integration/authorize_jwt_bearer_required_jti_test.go (1 hunks)
  • integration/authorize_jwt_bearer_test.go (1 hunks)
  • integration/clients/jwt_bearer.go (2 hunks)
  • integration/helper_setup_test.go (1 hunks)
  • integration/introspect_jwt_bearer_token_test.go (1 hunks)
  • internal/oauth2_auth_jwt_storage.go (1 hunks)
  • storage/memory.go (1 hunks)
  • token/jwt/claims_map.go (1 hunks)
  • token/jwt/jwt.go (1 hunks)
  • token/jwt/jwt_test.go (1 hunks)
  • token/jwt/token.go (4 hunks)
  • token/jwt/token_test.go (3 hunks)
Additional comments: 38
handler/rfc7523/storage.go (1)
  • 10-10: The update of the import path from github.com/go-jose/go-jose/v3 to github.com/go-jose/go-jose/v4 aligns with the PR's objective to leverage the latest version of the go-jose package. Ensure that the new version's features and any breaking changes have been accounted for in the usage of the go-jose package throughout the project.
integration/clients/jwt_bearer.go (2)
  • 15-16: The update of the import path from github.com/go-jose/go-jose/v3 to github.com/go-jose/go-jose/v4 is consistent with the PR's goal. This change is crucial for ensuring compatibility with the latest version of the go-jose package.
  • 72-72: Replacing CompactSerialize with Serialize in the GetToken method is a significant change that aligns with the updated go-jose package's API. Verify that this change correctly implements the serialization of JWTs as intended and that it does not affect the functionality negatively.
integration/authorize_jwt_bearer_required_jti_test.go (1)
  • 12-12: The update of the import path for the jwt package to github.com/go-jose/go-jose/v4/jwt is correctly applied, ensuring the test suite uses the latest version of the package. This change is essential for maintaining compatibility and leveraging new features or security improvements in the jwt package.
integration/authorize_jwt_bearer_required_iat_test.go (1)
  • 12-12: Updating the import path to github.com/go-jose/go-jose/v4/jwt ensures that the test suite benefits from the latest improvements and features of the jwt package. This change is in line with the PR's objectives and helps maintain the project's dependency health.
internal/oauth2_auth_jwt_storage.go (1)
  • 17-17: The update of the import path to github.com/go-jose/go-jose/v4 in the mock generation file is correctly applied. This ensures that the mocked interface is compatible with the latest version of the go-jose package, which is crucial for testing components that interact with JWTs.
token/jwt/jwt_test.go (1)
  • 13-13: The update of the import path to github.com/go-jose/go-jose/v4 in the test file ensures that the JWT token generation and validation tests are run against the latest version of the go-jose package. This is important for ensuring that the token management logic remains compatible and secure with the updated dependency.
token/jwt/claims_map.go (1)
  • 13-13: Updating the import path to github.com/go-jose/go-jose/v4/json is a necessary change to ensure that JSON operations within the JWT claims map logic use the correct version of the go-jose package. This update is crucial for maintaining compatibility and leveraging any JSON-related improvements or fixes in the latest version.
client_authentication_jwks_strategy.go (1)
  • 13-13: The update of the import path to github.com/go-jose/go-jose/v4 in the JWKS fetcher strategy implementation file is correctly applied. This change ensures that the strategy uses the latest version of the go-jose package for handling JSON Web Key Sets, which is essential for secure client authentication processes.
client_authentication_jwks_strategy_test.go (1)
  • 15-15: The update of the import path to github.com/go-jose/go-jose/v4 in the test file for the JWKS fetcher strategy ensures that the tests are aligned with the latest version of the go-jose package. This is crucial for verifying the functionality and compatibility of the JWKS fetching logic with the updated dependency.
token/jwt/jwt.go (2)
  • 17-17: The import path for go-jose has been updated from version 3 to version 4. This change is in line with the PR's objective to update dependencies. Ensure that all functionalities provided by go-jose used in this file are compatible with version 4. It's also important to verify if any new features or breaking changes introduced in version 4 could impact the current implementation.
  • 17-17: Given the update to go-jose version 4, it's crucial to conduct thorough testing, including unit and integration tests, to ensure that all functionalities related to JWT handling continue to work as expected. This is especially important for critical features such as token generation, validation, and decoding. Consider adding or updating tests if necessary to cover any new features or changes introduced in version 4 of go-jose.
README.md (1)
  • 111-113: The migration of dependencies from older versions to newer ones, specifically for go-jose and jwt packages, is correctly documented. This change is crucial for leveraging the latest features and security enhancements of these libraries. Ensure that all references to these packages elsewhere in the project have been updated to reflect these new versions.
integration/helper_setup_test.go (1)
  • 15-15: The update of the go-jose package import path from version 3 to version 4 is correctly applied. This change is part of the broader effort to migrate dependencies to their newer versions across the project. Ensure that the updated package's features and functionalities are correctly utilized in the integration tests.
client.go (1)
  • 9-9: The update of the go-jose package import path from version 3 to version 4 is correctly applied here as well. This change ensures that the client-related functionalities leverage the latest cryptographic standards and functionalities provided by the updated library.
integration/introspect_jwt_bearer_token_test.go (1)
  • 13-13: The update of the jwt package import path from version 3 to version 4 is correctly applied here. This change is part of the broader effort to migrate dependencies to their newer versions across the project. Ensure that the updated package's features and functionalities are correctly utilized in the JWT bearer token introspection tests.
token/jwt/token.go (3)
  • 13-14: The import paths for the go-jose library have been updated to version 4, which is in line with the PR objectives to update dependencies. This change is crucial for ensuring compatibility with the latest version of the library.
  • 113-113: The SignedString method now uses Serialize instead of CompactSerialize. This change is necessary due to the update to go-jose version 4, which might have deprecated or altered the behavior of CompactSerialize. It's important to verify that this change does not affect the expected format of the signed JWTs, especially if other parts of the system or external systems rely on a specific token format.
  • 162-185: New parsing methods like ParseCustom and ParseCustomWithClaims have been introduced, accepting additional signature algorithms for token validation. This enhancement allows for more flexibility in token validation, accommodating various cryptographic standards. It's essential to ensure that these methods are correctly implemented and do not introduce security vulnerabilities, such as accepting weak signature algorithms or improperly validating tokens.
authorize_request_handler_oidc_request_test.go (1)
  • 17-17: The import path for the go-jose package has been updated to version 4. This change is consistent with the PR's objective to update dependencies and ensures that the test suite uses the latest version of the library. It's important to run the test suite to verify that the update does not introduce any regressions or compatibility issues.
handler/rfc7523/handler.go (2)
  • 10-11: The import paths for the go-jose library have been updated to version 4. This change aligns with the PR's objective to update dependencies and ensures that the handler uses the latest version of the library. It's crucial to verify that this update does not affect the functionality or security of the handler.
  • 56-56: The jwt.ParseSigned function now takes an additional argument specifying signature algorithms. This change enhances security by explicitly defining which algorithms are acceptable for token verification, reducing the risk of algorithm substitution attacks. It's important to ensure that the specified algorithms are secure and meet the project's cryptographic standards.
integration/authorize_jwt_bearer_test.go (1)
  • 12-12: The update of the jwt package from version 3 to version 4 is correctly reflected in the import path. Ensure that all methods and types from the jwt package used in this file are compatible with version 4 and that no deprecated or altered functionalities affect the tests.
client_authentication.go (1)
  • 18-18: The update of the go-jose package from version 3 to version 4 is correctly reflected in the import path. Ensure that all methods and types from the go-jose package used in this file are compatible with version 4. Pay special attention to cryptographic operations, key handling, and any potential changes in the API that could affect the authentication logic.
authorize_request_handler.go (3)
  • 13-13: The import path for go-jose has been updated to version 4, which aligns with the PR's objectives. Ensure that all usages of go-jose in this file are compatible with the new version.
  • 10-16: 📝 NOTE: This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [113-113].
    Ensure compatibility of the jwt package version 4 with the existing JWT parsing and validation logic used in this file.

  • 10-16: 📝 NOTE: This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [163-163].
    Verify that the updated go-jose version 4 supports the used signing algorithms (RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512) and that there are no changes affecting the JWT validation logic.

token/jwt/token_test.go (3)
  • 16-17: The update of the import paths from github.com/go-jose/go-jose/v3 to github.com/go-jose/go-jose/v4 aligns with the PR's objective to transition to version 4 of the go-jose package. This change is correctly implemented and ensures compatibility with the latest version of the library.
  • 58-58: The addition of a list of signature algorithms as an argument to the jwt.ParseSigned function call is a significant change. This modification is necessary due to the API changes in version 4 of the go-jose package. It's important to ensure that the list of algorithms provided matches the expected use cases and security requirements of the application. The inclusion of a wide range of algorithms ("none", various HS*, RS*, PS*, and ES* algorithms) seems comprehensive, but it's crucial to verify that each algorithm is intentionally supported and aligns with the security posture of the application.

Consider reviewing the security implications of supporting each of these algorithms, especially the "none" algorithm, which should be used with caution.

  • 86-86: Similar to the previous comment, the addition of a list of signature algorithms to the jwt.ParseSigned function call here is correctly implemented to comply with the updated API in version 4 of the go-jose package. Again, it's essential to ensure that the supported algorithms align with the application's security requirements. Given that this test case specifically uses jose.RS256, the inclusion of other algorithms in the list should be carefully considered based on the application's needs.

Review the necessity and security implications of each algorithm listed in the context of this specific test case and the application as a whole.

storage/memory.go (2)
  • 12-12: The update of the go-jose package from version 3 to version 4 is correctly reflected in the import path. Ensure compatibility with the rest of the codebase, especially with regard to any new features or breaking changes introduced in version 4.
  • 9-15: 📝 NOTE: This review was outside the diff hunks, and no overlapping diff hunk was found. Original lines [114-135].
    Detected bcrypt hashes in the example store setup. While it's understood that these are for demonstration or testing purposes, it's crucial to ensure such hardcoded secrets are not used in production code. Consider adding a comment to clarify the intended use case and caution against potential misuse in a production environment.

client_authentication_test.go (4)
  • 19-19: The import path for go-jose has been updated from version 3 to version 4. This is in line with the PR's objective to update dependencies. Ensure that all usages of go-jose in this file (and across the project) are compatible with version 4, as major version updates can introduce breaking changes.
  • 19-19: Given the update to go-jose v4, it's crucial to ensure that the internal jwt package and any other packages that depend on go-jose are also compatible with this new version. This includes checking for any changes in function signatures, deprecated methods, or new best practices introduced in go-jose v4.
  • 19-19: The test suite provides extensive coverage of various authentication methods and scenarios. It's important to ensure that the tests remain effective after the dependency update. This includes verifying that the assertions still hold true and that any new functionality or fixes introduced in go-jose v4 are adequately tested if they affect this project's use cases.
  • 19-19: The error handling within the test cases is well-implemented, ensuring that specific error conditions are correctly identified and tested. It's important to review any new error conditions or changes in error handling introduced by go-jose v4 to ensure that the tests accurately reflect these changes.
handler/rfc7523/handler_test.go (2)
  • 18-19: The import paths for go-jose and jwt have been updated to version 4. This change aligns with the PR's objective to update dependencies to leverage new features, improvements, or security patches. Ensure that all functionalities provided by these libraries in version 3 are compatible or appropriately adapted for version 4.
  • 762-762: The removal of CompactSerialize method call and replacement with Serialize suggests an adaptation to changes in the jwt package's API in version 4. It's crucial to verify that this change correctly serializes JWT claims as expected without losing any functionality or introducing serialization issues. Given the context, this seems like a necessary update, but thorough testing is recommended to ensure the serialized JWTs are correctly formed and compatible with the rest of the system.
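The explicit list of signature algorithms that go-jose v4's ParseSigned now requires (raised in the review comments on handler/rfc7523/handler.go and token/jwt/token_test.go above) can be illustrated with a stand-alone verifier that applies the same gate: the header's alg is checked against the caller's allow-list before any key or signature is consulted. This is an added example, not code from this PR or from go-jose; it implements only HS256 with the standard library, and mintHS256, parseSigned, the error values and the key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
)

var ErrMalformed = errors.New("jws: malformed compact serialization")
var ErrAlgNotAllowed = errors.New("jws: header alg not in the caller's allow-list")
var ErrBadSignature = errors.New("jws: signature verification failed")

// decodePart base64url-decodes one compact-serialization segment and unmarshals it into v.
func decodePart(part string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil || json.Unmarshal(raw, v) != nil {
		return ErrMalformed
	}
	return nil
}

// mintHS256 is a constructed test helper: it always MACs with HS256 but lets the
// caller pick the "alg" header value, so tests can build "none" or substituted tokens.
func mintHS256(alg string, claims map[string]any, key []byte) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// parseSigned follows the go-jose v4 ParseSigned contract: the caller names the algorithms
// it accepts and the header alg is checked against that list before the key is used.
func parseSigned(token string, allowed []string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Gate on the allow-list (and on what this example can verify) first; "none" stops here.
	if hdr.Alg != "HS256" || !slices.Contains(allowed, hdr.Alg) {
		return nil, ErrAlgNotAllowed
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return nil, ErrBadSignature
	}
	var claims map[string]any
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```

Passing a list that contains "none" would let the gate through, which is why the review above flags that entry in the test fixture; the allow-list should name only the algorithms the deployment actually verifies.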

@james-d-elliott james-d-elliott merged commit 5f021e9 into master Mar 9, 2024
3 checks passed
@james-d-elliott james-d-elliott deleted the build-gojose branch March 9, 2024 06:14