Fix sec vuln with list of claims

[Waterdrips]

This PR adds a fix for #422

Tests were added for failing and passing states then the code was updated for the case in the JWT Spec that allows a list of "aud" as well as a single string "aud"

Signed-off-by: Alistair Hey alistair@heyal.co.uk

[sev3ryn]

Why are this changes needed in example_test.go?
Functions should be named as Example - to have examples in godoc.
Also some external jwt-go is imported

[sev3ryn]

nit: if should be before aud = append(aud, strAud)

[Waterdrips]

oh sorry - we decided to fork and fix in our company org and I left this PR open

[sev3ryn]

but why closing it? :)

I would be great to have vulnerability fix merged into upstream

[camin-mccluskey]

@Waterdrips Echoing @sev3ryn's comment - it would be ideal to have this fix live in the latest version. This is now categorised as a high severity vulnerability https://snyk.io/vuln/golang:github.com%2Fdgrijalva%2Fjwt-go and means we can no longer use the library in an enterprise environment

[Waterdrips]

but why closing it? :)

I would be great to have vulnerability fix merged into upstream

theres an open PR addressing this from Match #385 which has not been addressed.

We have taken the decision to fix this on our oss fork rather than wait for some activity here.

[alexellis]

@dgrijalva if you have time to merge a fix like this, then we can all dump our forks to /dev/null. What are your thoughts?

[aleksandrzhiliaev]

Are we going to fix and bump the new version of the library?
It is still an issue and a lot of projects rely on it:
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26160

[brianmay]

See #286