update third party dependencies

pkg/api/tokens.go

@@ -48,7 +48,7 @@ func (a *TokensApi) TokenListHandler(c *core.Context) (interface{}, *errs.Error)
 			ExpiredAt: token.ExpiredUnixTime,
 		}
 
-		if utils.Int64ToString(token.Uid) == claims.Id && utils.Int64ToString(token.UserTokenId) == claims.UserTokenId && token.CreatedUnixTime == claims.IssuedAt {
+		if token.Uid == claims.Uid && utils.Int64ToString(token.UserTokenId) == claims.UserTokenId && token.CreatedUnixTime == claims.IssuedAt {
 			tokenResp.IsCurrent = true
 		}
 
@@ -68,13 +68,6 @@ func (a *TokensApi) TokenRevokeCurrentHandler(c *core.Context) (interface{}, *er
 		return nil, errs.Or(err, errs.NewIncompleteOrIncorrectSubmissionError(err))
 	}
 
-	uid, err := utils.StringToInt64(claims.Id)
-
-	if err != nil {
-		log.WarnfWithRequestId(c, "[tokens.TokenRevokeCurrentHandler] parse user id failed, because %s", err.Error())
-		return nil, errs.NewIncompleteOrIncorrectSubmissionError(err)
-	}
-
 	userTokenId, err := utils.StringToInt64(claims.UserTokenId)
 
 	if err != nil {
@@ -83,7 +76,7 @@ func (a *TokensApi) TokenRevokeCurrentHandler(c *core.Context) (interface{}, *er
 	}
 
 	tokenRecord := &models.TokenRecord{
-		Uid:             uid,
+		Uid:             claims.Uid,
 		UserTokenId:     userTokenId,
 		CreatedUnixTime: claims.IssuedAt,
 	}
@@ -92,11 +85,11 @@ func (a *TokensApi) TokenRevokeCurrentHandler(c *core.Context) (interface{}, *er
 	err = a.tokens.DeleteToken(tokenRecord)
 
 	if err != nil {
-		log.ErrorfWithRequestId(c, "[token.TokenRevokeCurrentHandler] failed to revoke token \"id:%s\" for user \"uid:%d\", because %s", tokenId, uid, err.Error())
+		log.ErrorfWithRequestId(c, "[token.TokenRevokeCurrentHandler] failed to revoke token \"id:%s\" for user \"uid:%d\", because %s", tokenId, claims.Uid, err.Error())
 		return nil, errs.Or(err, errs.ErrOperationFailed)
 	}
 
-	log.InfofWithRequestId(c, "[token.TokenRevokeCurrentHandler] user \"uid:%d\" has revoked token \"id:%s\"", uid, tokenId)
+	log.InfofWithRequestId(c, "[token.TokenRevokeCurrentHandler] user \"uid:%d\" has revoked token \"id:%s\"", claims.Uid, tokenId)
 	return true, nil
 }
 
@@ -154,7 +147,7 @@ func (a *TokensApi) TokenRevokeAllHandler(c *core.Context) (interface{}, *errs.E
 	for i := 0; i < len(tokens); i++ {
 		token := tokens[i]
 
-		if utils.Int64ToString(token.Uid) == claims.Id && utils.Int64ToString(token.UserTokenId) == claims.UserTokenId && token.CreatedUnixTime == claims.IssuedAt {
+		if token.Uid == claims.Uid && utils.Int64ToString(token.UserTokenId) == claims.UserTokenId && token.CreatedUnixTime == claims.IssuedAt {
 			currentTokenIndex = i
 			break
 		}

pkg/core/context.go

@@ -61,13 +61,7 @@ func (c *Context) GetCurrentUid() int64 {
 		return 0
 	}
 
-	uid, err := strconv.ParseInt(claims.Id, 10, 64)
-
-	if err != nil {
-		return 0
-	}
-
-	return uid
+	return claims.Uid
 }
 
 // GetClientTimezoneOffset returns the client timezone offset

pkg/core/token_claims.go

@@ -1,7 +1,9 @@
 package core
 
 import (
-	"github.com/golang-jwt/jwt/v4"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // TokenType represents token type
@@ -16,7 +18,43 @@ const (
 // UserTokenClaims represents user token
 type UserTokenClaims struct {
 	UserTokenId string    `json:"userTokenId"`
+	Uid         int64     `json:"jti,string"`
 	Username    string    `json:"username,omitempty"`
 	Type        TokenType `json:"type"`
-	jwt.StandardClaims
+	IssuedAt    int64     `json:"iat"`
+	ExpiresAt   int64     `json:"exp"`
+}
+
+// GetExpirationTime returns the expiration time of this token
+func (c *UserTokenClaims) GetExpirationTime() (*jwt.NumericDate, error) {
+	return &jwt.NumericDate{
+		Time: time.Unix(c.ExpiresAt, 0),
+	}, nil
+}
+
+// GetIssuedAt returns the issue time of this token
+func (c *UserTokenClaims) GetIssuedAt() (*jwt.NumericDate, error) {
+	return &jwt.NumericDate{
+		Time: time.Unix(c.IssuedAt, 0),
+	}, nil
+}
+
+// GetNotBefore returns the earliest valid time of this token
+func (c *UserTokenClaims) GetNotBefore() (*jwt.NumericDate, error) {
+	return &jwt.NumericDate{}, nil
+}
+
+// GetIssuer returns the issuer of this token
+func (c *UserTokenClaims) GetIssuer() (string, error) {
+	return "", nil
+}
+
+// GetSubject returns the subject of this token
+func (c *UserTokenClaims) GetSubject() (string, error) {
+	return "", nil
+}
+
+// GetAudience returns the audience of this token
+func (c *UserTokenClaims) GetAudience() (jwt.ClaimStrings, error) {
+	return jwt.ClaimStrings{}, nil
 }

pkg/middlewares/authorization.go

@@ -1,8 +1,6 @@
 package middlewares
 
 import (
-	"time"
-
 	"github.com/mayswind/ezbookkeeping/pkg/core"
 	"github.com/mayswind/ezbookkeeping/pkg/errs"
 	"github.com/mayswind/ezbookkeeping/pkg/log"
@@ -22,13 +20,13 @@ func JWTAuthorization(c *core.Context) {
 	}
 
 	if claims.Type == core.USER_TOKEN_TYPE_REQUIRE_2FA {
-		log.WarnfWithRequestId(c, "[authorization.JWTAuthorization] user \"uid:%s\" token requires 2fa", claims.Id)
+		log.WarnfWithRequestId(c, "[authorization.JWTAuthorization] user \"uid:%d\" token requires 2fa", claims.Uid)
 		utils.PrintJsonErrorResult(c, errs.ErrCurrentTokenRequire2FA)
 		return
 	}
 
 	if claims.Type != core.USER_TOKEN_TYPE_NORMAL {
-		log.WarnfWithRequestId(c, "[authorization.JWTAuthorization] user \"uid:%s\" token type is invalid", claims.Id)
+		log.WarnfWithRequestId(c, "[authorization.JWTAuthorization] user \"uid:%d\" token type is invalid", claims.Uid)
 		utils.PrintJsonErrorResult(c, errs.ErrCurrentInvalidTokenType)
 		return
 	}
@@ -62,7 +60,7 @@ func JWTTwoFactorAuthorization(c *core.Context) {
 	}
 
 	if claims.Type != core.USER_TOKEN_TYPE_REQUIRE_2FA {
-		log.WarnfWithRequestId(c, "[authorization.JWTTwoFactorAuthorization] user \"uid:%s\" token is not need two factor authorization", claims.Id)
+		log.WarnfWithRequestId(c, "[authorization.JWTTwoFactorAuthorization] user \"uid:%d\" token is not need two factor authorization", claims.Uid)
 		utils.PrintJsonErrorResult(c, errs.ErrCurrentTokenNotRequire2FA)
 		return
 	}
@@ -76,7 +74,7 @@ func getTokenClaims(c *core.Context) (*core.UserTokenClaims, *errs.Error) {
 
 	if err != nil {
 		log.WarnfWithRequestId(c, "[authorization.getTokenClaims] failed to parse token, because %s", err.Error())
-		return nil, errs.ErrUnauthorizedAccess
+		return nil, errs.Or(err, errs.ErrUnauthorizedAccess)
 	}
 
 	if !token.Valid {
@@ -84,13 +82,8 @@ func getTokenClaims(c *core.Context) (*core.UserTokenClaims, *errs.Error) {
 		return nil, errs.ErrCurrentInvalidToken
 	}
 
-	if !claims.VerifyExpiresAt(time.Now().Unix(), true) {
-		log.WarnfWithRequestId(c, "[authorization.getTokenClaims] token is expired")
-		return nil, errs.ErrCurrentTokenExpired
-	}
-
-	if claims.Id == "" {
-		log.WarnfWithRequestId(c, "[authorization.getTokenClaims] user id in token is empty")
+	if claims.Uid <= 0 {
+		log.WarnfWithRequestId(c, "[authorization.getTokenClaims] user id in token is invalid")
 		return nil, errs.ErrCurrentInvalidToken
 	}
 

pkg/middlewares/request_log.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/mayswind/ezbookkeeping/pkg/core"
 	"github.com/mayswind/ezbookkeeping/pkg/log"
+	"github.com/mayswind/ezbookkeeping/pkg/utils"
 )
 
 // RequestLog logs the http request log
@@ -28,7 +29,7 @@ func RequestLog(c *core.Context) {
 	method := c.Request.Method
 
 	if claims != nil {
-		userId = claims.Id
+		userId = utils.Int64ToString(claims.Uid)
 	}
 
 	if err != nil {

pkg/services/tokens.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
-	"github.com/golang-jwt/jwt/v4/request"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v5/request"
 	"xorm.io/xorm"
 
 	"github.com/mayswind/ezbookkeeping/pkg/core"
@@ -69,41 +69,51 @@ func (s *TokenService) ParseToken(c *core.Context) (*jwt.Token, *core.UserTokenC
 
 	token, err := request.ParseFromRequest(c.Request, request.AuthorizationHeaderExtractor,
 		func(token *jwt.Token) (interface{}, error) {
-			uid, err := utils.StringToInt64(claims.Id)
 			now := time.Now().Unix()
-
-			if err != nil {
-				log.WarnfWithRequestId(c, "[tokens.ParseToken] user \"uid:%s\" in token is invalid, because %s", claims.Id, err.Error())
-				return nil, errs.ErrInvalidToken
-			}
-
 			userTokenId, err := utils.StringToInt64(claims.UserTokenId)
 
 			if err != nil {
-				log.WarnfWithRequestId(c, "[tokens.ParseToken] token \"utid:%s\" in token of user \"uid:%s\" is invalid, because %s", claims.UserTokenId, claims.Id, err.Error())
+				log.WarnfWithRequestId(c, "[tokens.ParseToken] token \"utid:%s\" in token of user \"uid:%d\" is invalid, because %s", claims.UserTokenId, claims.Uid, err.Error())
 				return nil, errs.ErrInvalidUserTokenId
 			}
 
-			tokenRecord, err := s.getTokenRecord(uid, userTokenId, claims.IssuedAt)
+			tokenRecord, err := s.getTokenRecord(claims.Uid, userTokenId, claims.IssuedAt)
 
 			if err != nil {
-				log.WarnfWithRequestId(c, "[tokens.ParseToken] token \"utid:%s\" of user \"uid:%s\" record not found, because %s", claims.UserTokenId, claims.Id, err.Error())
+				log.WarnfWithRequestId(c, "[tokens.ParseToken] token \"utid:%s\" of user \"uid:%d\" record not found, because %s", claims.UserTokenId, claims.Uid, err.Error())
 				return nil, errs.ErrTokenRecordNotFound
 			}
 
 			if tokenRecord.ExpiredUnixTime < now {
-				log.WarnfWithRequestId(c, "[tokens.ParseToken] token \"utid:%s\" of user \"uid:%s\" record is expired", claims.UserTokenId, claims.Id)
+				log.WarnfWithRequestId(c, "[tokens.ParseToken] token \"utid:%s\" of user \"uid:%d\" record is expired", claims.UserTokenId, claims.Uid)
 				return nil, errs.ErrTokenExpired
 			}
 
 			return []byte(tokenRecord.Secret), nil
-		}, request.WithClaims(claims))
+		},
+		request.WithClaims(claims),
+		request.WithParser(jwt.NewParser(jwt.WithIssuedAt())),
+	)
 
 	if err != nil {
 		if err == request.ErrNoTokenInRequest {
 			return nil, nil, errs.ErrTokenIsEmpty
 		}
 
+		if err == jwt.ErrTokenMalformed || err == jwt.ErrTokenUnverifiable || err == jwt.ErrTokenSignatureInvalid {
+			log.WarnfWithRequestId(c, "[tokens.ParseToken] token is invalid, because %s", err.Error())
+			return nil, nil, errs.ErrCurrentInvalidToken
+		}
+
+		if err == jwt.ErrTokenExpired {
+			return nil, nil, errs.ErrCurrentTokenExpired
+		}
+
+		if err == jwt.ErrTokenUsedBeforeIssued {
+			log.WarnfWithRequestId(c, "[tokens.ParseToken] token is invalid, because issue time is later than now")
+			return nil, nil, errs.ErrCurrentInvalidToken
+		}
+
 		return nil, nil, err
 	}
 
@@ -167,19 +177,17 @@ func (s *TokenService) DeleteTokens(uid int64, tokenRecords []*models.TokenRecor
 
 // DeleteTokenByClaims deletes given token from database
 func (s *TokenService) DeleteTokenByClaims(claims *core.UserTokenClaims) error {
-	uid, err := utils.StringToInt64(claims.Id)
-
-	if err != nil {
-		return errs.ErrUserIdInvalid
-	}
-
 	userTokenId, err := utils.StringToInt64(claims.UserTokenId)
 
 	if err != nil {
 		return errs.ErrInvalidUserTokenId
 	}
 
-	return s.DeleteToken(&models.TokenRecord{Uid: uid, UserTokenId: userTokenId, CreatedUnixTime: claims.IssuedAt})
+	return s.DeleteToken(&models.TokenRecord{
+		Uid:             claims.Uid,
+		UserTokenId:     userTokenId,
+		CreatedUnixTime: claims.IssuedAt,
+	})
 }
 
 // DeleteTokensBeforeTime deletes tokens that is created before specific tim
@@ -253,13 +261,11 @@ func (s *TokenService) createToken(user *models.User, tokenType core.TokenType,
 
 	claims := &core.UserTokenClaims{
 		UserTokenId: utils.Int64ToString(tokenRecord.UserTokenId),
+		Uid:         tokenRecord.Uid,
 		Username:    user.Username,
 		Type:        tokenRecord.TokenType,
-		StandardClaims: jwt.StandardClaims{
-			Id:        utils.Int64ToString(tokenRecord.Uid),
-			IssuedAt:  tokenRecord.CreatedUnixTime,
-			ExpiresAt: tokenRecord.ExpiredUnixTime,
-		},
+		IssuedAt:    tokenRecord.CreatedUnixTime,
+		ExpiresAt:   tokenRecord.ExpiredUnixTime,
 	}
 
 	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)