Merge pull request #78 from iExecBlockchainComputing/feature/upgrade-jjwt-dependency

Feature/upgrade jjwt dependency

Author: jbern0rd

CHANGELOG.md

@@ -18,7 +18,8 @@ All notable changes to this project will be documented in this file.
 * Upgrade to Spring Boot 2.6.14.
 * Upgrade to Gradle 7.6.
 * Upgrade OkHttp to 4.9.0.
-* Upgrade java-http-ipfs-client to 1.4.0 for latest IPFS Kubo support (v0.18.1).
+* Upgrade `java-http-ipfs-client` to 1.4.0 for latest IPFS Kubo support (v0.18.1).
+* Upgrade `jjwt` to `jjwt-api` 0.11.5.
 
 ## [[7.3.0]](https://github.com/iExecBlockchainComputing/iexec-result-proxy/releases/tag/v7.3.0) 2023-01-18
 

build.gradle

@@ -10,6 +10,7 @@ plugins {
 
 ext {
     springCloudVersion = '2021.0.5'
+    jjwtVersion = '0.11.5'
 }
 
 if (!project.hasProperty('gitBranch')) {
@@ -76,7 +77,9 @@ dependencies {
     implementation 'com.github.ipfs:java-ipfs-http-client:1.4.0'
 
     // json web token
-    implementation 'io.jsonwebtoken:jjwt:0.7.0'
+    implementation "io.jsonwebtoken:jjwt-api:$jjwtVersion"
+    runtimeOnly "io.jsonwebtoken:jjwt-impl:$jjwtVersion"
+    runtimeOnly "io.jsonwebtoken:jjwt-jackson:$jjwtVersion"
 
     // expiring map
     implementation 'net.jodah:expiringmap:0.5.8'

src/main/java/com/iexec/resultproxy/jwt/JwtService.java

@@ -22,6 +22,7 @@
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
@@ -112,7 +113,7 @@ String createJwt(String walletAddress) {
                 .setAudience(walletAddress)
                 .setIssuedAt(new Date())
                 .setSubject(UUID.randomUUID().toString())
-                .signWith(SignatureAlgorithm.HS256, jwtKey)
+                .signWith(Keys.hmacShaKeyFor(jwtKey), SignatureAlgorithm.HS256)
                 .compact();
     }
 
@@ -138,8 +139,9 @@ public boolean isValidJwt(String jwtString) {
      * @return Wallet address extracted from the 'audience' claim
      */
     public String getWalletAddressFromJwtString(String jwtString) {
-        return Jwts.parser()
+        return Jwts.parserBuilder()
                 .setSigningKey(jwtKey)
+                .build()
                 .parseClaimsJws(jwtString)
                 .getBody()
                 .getAudience();

src/test/java/com/iexec/resultproxy/jwt/JwtServiceTests.java

@@ -20,8 +20,8 @@
 import com.iexec.common.utils.FileHelper;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
-import io.jsonwebtoken.SignatureException;
 import io.jsonwebtoken.UnsupportedJwtException;
+import io.jsonwebtoken.security.SignatureException;
 import lombok.SneakyThrows;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -42,6 +42,7 @@
 import java.util.UUID;
 
 import static com.iexec.resultproxy.jwt.JwtService.KEY_SIZE;
+import static io.jsonwebtoken.security.Keys.hmacShaKeyFor;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
@@ -122,7 +123,7 @@ void failToReadWalletAddressOnWronglySignedToken() {
                 .setAudience(walletAddress)
                 .setIssuedAt(new Date())
                 .setSubject(UUID.randomUUID().toString())
-                .signWith(SignatureAlgorithm.HS256, badJwtKey)
+                .signWith(hmacShaKeyFor(badJwtKey), SignatureAlgorithm.HS256)
                 .compact();
         assertAll(
                 () -> verifyNoInteractions(jwtRepository),
@@ -223,7 +224,7 @@ void wronglySignedTokenIsNotValid() {
                 .setAudience(walletAddress)
                 .setIssuedAt(new Date())
                 .setSubject(UUID.randomUUID().toString())
-                .signWith(SignatureAlgorithm.HS256, badJwtKey)
+                .signWith(hmacShaKeyFor(badJwtKey), SignatureAlgorithm.HS256)
                 .compact();
         boolean isValid = jwtService.isValidJwt(badToken);
         assertAll (