deps: migrate jwt/xsync/errors libraries + add jwtutil helper

auth/accesstoken.go

@@ -17,12 +17,18 @@ package auth
 import (
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/livekit/protocol/livekit"
 )
 
+// tokenClaims combines the JWT registered claims with LiveKit grants for
+// signing and verification.
+type tokenClaims struct {
+	jwt.RegisteredClaims
+	ClaimGrants
+}
+
 const (
 	defaultValidDuration = 6 * time.Hour
 )
@@ -174,22 +180,21 @@ func (t *AccessToken) ToJWT() (string, error) {
 		}
 	}
 
-	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: []byte(t.secret)},
-		(&jose.SignerOptions{}).WithType("JWT"))
-	if err != nil {
-		return "", err
-	}
-
 	validFor := defaultValidDuration
 	if t.validFor > 0 {
 		validFor = t.validFor
 	}
 
-	cl := jwt.Claims{
-		Issuer:    t.apiKey,
-		NotBefore: jwt.NewNumericDate(time.Now()),
-		Expiry:    jwt.NewNumericDate(time.Now().Add(validFor)),
-		Subject:   t.grant.Identity,
+	now := time.Now()
+	claims := tokenClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    t.apiKey,
+			Subject:   t.grant.Identity,
+			IssuedAt:  jwt.NewNumericDate(now),
+			NotBefore: jwt.NewNumericDate(now),
+			ExpiresAt: jwt.NewNumericDate(now.Add(validFor)),
+		},
+		ClaimGrants: t.grant,
 	}
-	return jwt.Signed(sig).Claims(cl).Claims(&t.grant).CompactSerialize()
+	return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(t.secret))
 }

auth/accesstoken_test.go

@@ -21,7 +21,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/stretchr/testify/require"
 
 	"github.com/livekit/protocol/livekit"
@@ -59,12 +58,10 @@ func TestAccessToken(t *testing.T) {
 		require.Len(t, strings.Split(value, "."), 3)
 
 		// ensure it's a valid JWT
-		token, err := jwt.ParseSigned(value)
-		require.NoError(t, err)
-
-		decodedGrant := ClaimGrants{}
-		err = token.UnsafeClaimsWithoutVerification(&decodedGrant)
+		decoded := tokenClaims{}
+		_, _, err = unverifiedParser.ParseUnverified(value, &decoded)
 		require.NoError(t, err)
+		decodedGrant := decoded.ClaimGrants
 
 		require.EqualValues(t, livekit.ParticipantInfo_AGENT, decodedGrant.GetParticipantKind())
 		require.EqualValues(t, videoGrant, decodedGrant.Video)
@@ -79,15 +76,12 @@ func TestAccessToken(t *testing.T) {
 			SetVideoGrant(&VideoGrant{RoomJoin: true, Room: "myroom"}).
 			ToJWT()
 		require.NoError(t, err)
-		token, err := jwt.ParseSigned(value)
-		require.NoError(t, err)
-
-		decodedGrant := ClaimGrants{}
-		err = token.UnsafeClaimsWithoutVerification(&decodedGrant)
+		decoded := tokenClaims{}
+		_, _, err = unverifiedParser.ParseUnverified(value, &decoded)
 		require.NoError(t, err)
 
 		// default validity
-		require.EqualValues(t, livekit.ParticipantInfo_STANDARD, decodedGrant.GetParticipantKind())
+		require.EqualValues(t, livekit.ParticipantInfo_STANDARD, decoded.GetParticipantKind())
 	})
 
 	t.Run("default validity should be more than a minute", func(t *testing.T) {
@@ -97,17 +91,13 @@ func TestAccessToken(t *testing.T) {
 			SetVideoGrant(videoGrant)
 		value, err := at.ToJWT()
 		require.NoError(t, err)
-		token, err := jwt.ParseSigned(value)
+		decoded := tokenClaims{}
+		_, _, err = unverifiedParser.ParseUnverified(value, &decoded)
 		require.NoError(t, err)
-
-		claim := jwt.Claims{}
-		decodedGrant := ClaimGrants{}
-		err = token.UnsafeClaimsWithoutVerification(&claim, &decodedGrant)
-		require.NoError(t, err)
-		require.EqualValues(t, videoGrant, decodedGrant.Video)
+		require.EqualValues(t, videoGrant, decoded.Video)
 
 		// default validity
-		require.True(t, claim.Expiry.Time().Sub(claim.IssuedAt.Time()) > time.Minute)
+		require.True(t, decoded.ExpiresAt.Sub(decoded.IssuedAt.Time) > time.Minute)
 	})
 
 	t.Run("room configuration serialization and deserialization", func(t *testing.T) {
@@ -135,15 +125,12 @@ func TestAccessToken(t *testing.T) {
 		require.NoError(t, err)
 
 		// Parse and verify the token
-		token, err := jwt.ParseSigned(value)
-		require.NoError(t, err)
-
-		decodedGrant := ClaimGrants{}
-		err = token.UnsafeClaimsWithoutVerification(&decodedGrant)
+		decoded := tokenClaims{}
+		_, _, err = unverifiedParser.ParseUnverified(value, &decoded)
 		require.NoError(t, err)
 
 		// Check if the room configuration was correctly serialized and deserialized
-		roomDecoded := (*livekit.RoomConfiguration)(decodedGrant.RoomConfig)
+		roomDecoded := (*livekit.RoomConfiguration)(decoded.RoomConfig)
 		require.NotNil(t, roomDecoded)
 		agents := roomDecoded.Agents
 		require.NotNil(t, agents)

auth/verifier.go

@@ -17,34 +17,38 @@ package auth
 import (
 	"time"
 
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// matches go-jose's previous DefaultLeeway for validation tolerance.
+const tokenLeeway = time.Minute
+
+var (
+	allowedSigningMethods = []string{jwt.SigningMethodHS256.Alg()}
+	unverifiedParser      = jwt.NewParser(jwt.WithValidMethods(allowedSigningMethods))
 )
 
 type APIKeyTokenVerifier struct {
-	token    *jwt.JSONWebToken
+	raw      string
 	identity string
 	apiKey   string
 }
 
-// ParseAPIToken parses an encoded JWT token and
+// ParseAPIToken parses an encoded JWT token without verifying its signature.
+// The signature is verified later by Verify, which requires the API secret.
 func ParseAPIToken(raw string) (*APIKeyTokenVerifier, error) {
-	tok, err := jwt.ParseSigned(raw)
-	if err != nil {
-		return nil, err
-	}
-
-	out := jwt.Claims{}
-	if err := tok.UnsafeClaimsWithoutVerification(&out); err != nil {
+	claims := &jwt.RegisteredClaims{}
+	if _, _, err := unverifiedParser.ParseUnverified(raw, claims); err != nil {
 		return nil, err
 	}
 
 	v := &APIKeyTokenVerifier{
-		token:    tok,
-		apiKey:   out.Issuer,
-		identity: out.Subject,
+		raw:      raw,
+		apiKey:   claims.Issuer,
+		identity: claims.Subject,
 	}
 	if v.identity == "" {
-		v.identity = out.ID
+		v.identity = claims.ID
 	}
 	return v, nil
 }
@@ -58,23 +62,26 @@ func (v *APIKeyTokenVerifier) Identity() string {
 	return v.identity
 }
 
-func (v *APIKeyTokenVerifier) Verify(key interface{}) (*jwt.Claims, *ClaimGrants, error) {
+func (v *APIKeyTokenVerifier) Verify(key interface{}) (*jwt.RegisteredClaims, *ClaimGrants, error) {
 	if key == nil || key == "" {
 		return nil, nil, ErrKeysMissing
 	}
 	if s, ok := key.(string); ok {
 		key = []byte(s)
 	}
-	out := jwt.Claims{}
-	claims := ClaimGrants{}
-	if err := v.token.Claims(key, &out, &claims); err != nil {
-		return nil, nil, err
-	}
-	if err := out.Validate(jwt.Expected{Issuer: v.apiKey, Time: time.Now()}); err != nil {
+
+	claims := &tokenClaims{}
+	_, err := jwt.ParseWithClaims(v.raw, claims, func(*jwt.Token) (interface{}, error) {
+		return key, nil
+	},
+		jwt.WithValidMethods(allowedSigningMethods),
+		jwt.WithIssuer(v.apiKey),
+		jwt.WithLeeway(tokenLeeway),
+	)
+	if err != nil {
 		return nil, nil, err
 	}
 
-	// copy over identity
-	claims.Identity = v.identity
-	return &out, &claims, nil
+	claims.ClaimGrants.Identity = v.identity
+	return &claims.RegisteredClaims, &claims.ClaimGrants, nil
 }

auth/verifier_test.go

@@ -15,12 +15,11 @@
 package auth_test
 
 import (
+	"encoding/json"
 	"testing"
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/json"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/require"
 
 	"github.com/livekit/protocol/auth"
@@ -102,32 +101,26 @@ func TestVerifier(t *testing.T) {
 		// this server does not yet know about. The server should still accept the
 		// token rather than failing with `unknown field`. This guards against
 		// requiring server upgrades before client upgrades can roll out.
-		sig, err := jose.NewSigner(
-			jose.SigningKey{Algorithm: jose.HS256, Key: []byte(secret)},
-			(&jose.SignerOptions{}).WithType("JWT"),
-		)
-		require.NoError(t, err)
-
-		claims := map[string]interface{}{
+		claims := jwt.MapClaims{
 			"iss": apiKey,
 			"sub": "me",
 			"nbf": jwt.NewNumericDate(time.Now()),
 			"exp": jwt.NewNumericDate(time.Now().Add(time.Minute)),
 			// unknown top-level claim grants field
-			"someFutureGrant": map[string]interface{}{"enabled": true},
-			"video": map[string]interface{}{
+			"someFutureGrant": map[string]any{"enabled": true},
+			"video": map[string]any{
 				"roomJoin": true,
 				"room":     "myroom",
 				// unknown field inside a known grant
 				"someFutureVideoField": "future-value",
 			},
-			"roomConfig": map[string]interface{}{
+			"roomConfig": map[string]any{
 				"name": "myroom",
 				// unknown field inside a protojson-decoded message
 				"someFutureRoomConfigField": "future-value",
 			},
 		}
-		token, err := jwt.Signed(sig).Claims(claims).CompactSerialize()
+		token, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(secret))
 		require.NoError(t, err)
 
 		v, err := auth.ParseAPIToken(token)