Is there any plan to upgrade golang-jwt to v4?

[pancpp]

As per the title, is there any plan to upgrade the jwt middleware to use github.com/golang-jwt/jwt/v4?

[aldas]

No at the moment. In v5 are are removing direct dependency from golang-jwt/jwt library from core middleware and have version of JWT middleware in echo-contrib using golang-jwt/jwt

Upgrading JWT to golang-jwt/jwt/v4 is breaking change and it is a quite sneaky change as Echo would start to use v4 structs and insert them into context but your middlewares/handler (whereever you are checking claims) are still importing v3 struct and if you do not have tests your requests will panic when you do the cast. So it would create havoc for unaware users bumping Echo version to latest.

If you really want jwt/v4 then you can create ParseTokenFunc implementation that uses v4 instead of v3:

import (
"github.com/golang-jwt/jwt/v4"
)

...
...
...

signingKey := []byte("secret")

config := middleware.JWTConfig{
  TokenLookup: "query:token",
  ParseTokenFunc: func(auth string, c echo.Context) (interface{}, error) {
    keyFunc := func(t *jwt.Token) (interface{}, error) {
      if t.Method.Alg() != "HS256" {
        return nil, fmt.Errorf("unexpected jwt signing method=%v", t.Header["alg"])
      }
      return signingKey, nil
    }

    // claims are of type `jwt.MapClaims` when token is created with `jwt.Parse`
    token, err := jwt.Parse(auth, keyFunc)
    if err != nil {
      return nil, err
    }
    if !token.Valid {
      return nil, errors.New("invalid token")
    }
    return token, nil
  },
}

e.Use(middleware.JWTWithConfig(config))

[pancpp]

@aldas that explanation makes good sense and I really appreciate your example! Close the issue.