fix(deps): update module github.com/auth0/go-jwt-middleware/v2 to v3 (#4145)

📹
https://www.loom.com/share/4049912c73734143a8dde39ebf3f4fe6
📹

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/auth0/go-jwt-middleware/v2](https://redirect.github.com/auth0/go-jwt-middleware)
| `v2.3.1` → `v3.0.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fauth0%2fgo-jwt-middleware%2fv2/v3.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fauth0%2fgo-jwt-middleware%2fv2/v2.3.1/v3.0.0?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>auth0/go-jwt-middleware
(github.com/auth0/go-jwt-middleware/v2)</summary>

###
[`v3.0.0`](https://redirect.github.com/auth0/go-jwt-middleware/blob/HEAD/CHANGELOG.md#v300-2026-01-19)

[Compare
Source](https://redirect.github.com/auth0/go-jwt-middleware/compare/v2.3.1...v3.0.0)

[Full
Changelog](https://redirect.github.com/auth0/go-jwt-middleware/compare/v2.3.1...v3.0.0)

**BEFORE YOU UPGRADE**

- This is a major release that includes breaking changes. Please see
[MIGRATION\_GUIDE.md](MIGRATION_GUIDE.md) before upgrading. This release
will require changes to your application.

##### Added

- Pure options pattern for validator, middleware, and JWKS provider
([#&#8203;357](https://redirect.github.com/auth0/go-jwt-middleware/pull/357),
[#&#8203;358](https://redirect.github.com/auth0/go-jwt-middleware/pull/358),
[#&#8203;360](https://redirect.github.com/auth0/go-jwt-middleware/pull/360))
- DPoP (Demonstrating Proof-of-Possession) support per RFC 9449
([#&#8203;363](https://redirect.github.com/auth0/go-jwt-middleware/pull/363))
- Framework-agnostic core package for reusable validation logic
([#&#8203;356](https://redirect.github.com/auth0/go-jwt-middleware/pull/356))
- Type-safe claims retrieval with generics (`GetClaims[T]()`,
`MustGetClaims[T]()`, `HasClaims()`)
- Structured logging support compatible with `log/slog`
- Support for 14 signature algorithms (HS256/384/512, RS256/384/512,
PS256/384/512, ES256/384/512, ES256K, EdDSA)
- Enhanced error responses with RFC 6750 compliance
- Trusted proxy configuration for DPoP behind reverse proxies
- Multiple issuer and audience support with new APIs
- Documentation and linting configuration
([#&#8203;361](https://redirect.github.com/auth0/go-jwt-middleware/pull/361))

##### Changed

- Migrated from square/go-jose to lestrrat-go/jwx v3
([#&#8203;358](https://redirect.github.com/auth0/go-jwt-middleware/pull/358))
- Module path updated to `github.com/auth0/go-jwt-middleware/v3`
([#&#8203;355](https://redirect.github.com/auth0/go-jwt-middleware/pull/355))
- Minimum Go version updated to 1.24
([#&#8203;355](https://redirect.github.com/auth0/go-jwt-middleware/pull/355))
- Update examples for v3 module path and new APIs

##### Breaking

- Pure options pattern: All constructors (`New()`) now require
functional options instead of positional parameters
- Context key: `ContextKey{}` is no longer exported - use
`GetClaims[T]()` helper function
- Custom claims now use generics for type safety
- `TokenExtractor` returns `ExtractedToken` (with scheme) instead of
`string`
- Type naming: `ExclusionUrlHandler` renamed to `ExclusionURLHandler`

##### Migration Example

**v2:**

```go
// Validator with positional parameters
jwtValidator, err := validator.New(
    keyFunc,
    validator.RS256,
    "https://issuer.example.com/",
    []string{"my-api"},
)

// Middleware
middleware := jwtmiddleware.New(jwtValidator.ValidateToken)

// Claims access via context key
claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
```

**v3:**

```go
// Validator with pure options
jwtValidator, err := validator.New(
    validator.WithKeyFunc(keyFunc),
    validator.WithAlgorithm(validator.RS256),
    validator.WithIssuer("https://issuer.example.com/"),
    validator.WithAudience("my-api"),
)

// Middleware with options
middleware, err := jwtmiddleware.New(
    jwtmiddleware.WithValidator(jwtValidator),
)

// Type-safe claims with generics
claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context())
```

See [MIGRATION\_GUIDE.md](MIGRATION_GUIDE.md) for complete migration
instructions.

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone
Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41NS40IiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwiZ29sYW5nIl19-->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **High Risk**
> Upgrades a major authentication dependency and rewrites JWT
validation/claim extraction paths, so mistakes could break auth
enforcement or token parsing across the API server.
>
> **Overview**
> Migrates the codebase from `github.com/auth0/go-jwt-middleware/v2` to
`v3`, updating JWKS provider/validator/middleware construction to the
new options-based APIs and adjusting token extraction/claims retrieval.
>
> Because `v3` no longer exposes `ContextKey{}`, the auth middleware now
stores `*validator.ValidatedClaims` under a new
`auth.ValidatedClaimsContextKey{}` and updates downstream callers (e.g.
token expiry in `ManagementServiceHandler.CreateToken`) accordingly. The
API server init path now skips validator setup when
`AllowUnauthenticated` is enabled and tightens startup validation/error
logging for missing Auth0 config; related tests set
`AllowUnauthenticated: true` to accommodate `v3` rejecting empty
audience/domain values.
>
> Also updates `go.mod`/`go.sum` for new transitive deps pulled in by
`v3` (e.g. `lestrrat-go/jwx/v3`) and adds
`github.com/resend/resend-go/v3` to the main require block.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
e8a54151abc72beb9973302047684ad983aa5b8e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: f8185846b5c05bebfd88c56b76c4d1bb95a592db

Author: DavidS-ovm

go.mod

@@ -66,7 +66,7 @@ require (
 	github.com/anthropics/anthropic-sdk-go v0.2.0-alpha.4
 	github.com/antihax/optional v1.0.0
 	github.com/auth0/go-auth0/v2 v2.6.0
-	github.com/auth0/go-jwt-middleware/v2 v2.3.1
+	github.com/auth0/go-jwt-middleware/v3 v3.0.0
 	github.com/aws/aws-sdk-go-v2 v1.41.3
 	github.com/aws/aws-sdk-go-v2/config v1.32.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.11
@@ -150,6 +150,7 @@ require (
 	github.com/posthog/posthog-go v1.10.0
 	github.com/projectdiscovery/subfinder/v2 v2.12.0
 	github.com/qhenkart/anthropic-tokenizer-go v0.0.0-20231011194518-5519949e0faf
+	github.com/resend/resend-go/v3 v3.1.1
 	github.com/riverqueue/river v0.31.0
 	github.com/riverqueue/river/riverdriver/riverpgxv5 v0.31.0
 	github.com/riverqueue/river/rivertype v0.31.0
@@ -367,12 +368,17 @@ require (
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.3 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc v1.0.6 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.3 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/jwx/v2 v2.1.6 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
@@ -437,7 +443,7 @@ require (
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
 	github.com/samber/lo v1.52.0 // indirect
 	github.com/samber/slog-common v0.20.0 // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/segmentio/encoding v0.5.3 // indirect
 	github.com/shirou/gopsutil/v3 v3.23.7 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
@@ -466,6 +472,7 @@ require (
 	github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 // indirect
+	github.com/valyala/fastjson v1.6.7 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
@@ -511,7 +518,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
 	gopkg.in/djherbis/times.v1 v1.3.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/apiextensions-apiserver v0.35.0 // indirect
 	k8s.io/apiserver v0.35.0 // indirect
@@ -527,5 +533,3 @@ require (
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
-
-require github.com/resend/resend-go/v3 v3.1.1

go.sum

@@ -234,8 +234,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
 github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkUiF/RuIk=
 github.com/auth0/go-auth0/v2 v2.6.0 h1:KCoLxTcH8qXPYbwKZxxFrL/6P+P+Zc58BQPL6w0Kt30=
 github.com/auth0/go-auth0/v2 v2.6.0/go.mod h1:XVRck9fw1EIw1z4guYcbKFGmElnexb+xOvQ/0U1hHd0=
-github.com/auth0/go-jwt-middleware/v2 v2.3.1 h1:lbDyWE9aLydb3zrank+Gufb9qGJN9u//7EbJK07pRrw=
-github.com/auth0/go-jwt-middleware/v2 v2.3.1/go.mod h1:mqVr0gdB5zuaFyQFWMJH/c/2hehNjbYUD4i8Dpyf+Hc=
+github.com/auth0/go-jwt-middleware/v3 v3.0.0 h1:+rvUPCT+VbAuK4tpS13fWfZrMyqTwLopt3VoY0Y7kvA=
+github.com/auth0/go-jwt-middleware/v3 v3.0.0/go.mod h1:iU42jqjRyeKbf9YYSnRnolr836gk6Ty/jnUNuVq2b0o=
 github.com/aws/aws-sdk-go-v2 v1.41.3 h1:4kQ/fa22KjDt13QCy1+bYADvdgcxpfH18f0zP542kZA=
 github.com/aws/aws-sdk-go-v2 v1.41.3/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 h1:N4lRUXZpZ1KVEUn6hxtco/1d2lgYhNn1fHkkl8WhlyQ=
@@ -770,18 +770,28 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs=
-github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
+github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
+github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
 github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/httprc/v3 v3.0.3 h1:WjLHWkDkgWXeIUrKi/7lS/sGq2DjkSAwdTbH5RHXAKs=
+github.com/lestrrat-go/httprc/v3 v3.0.3/go.mod h1:mSMtkZW92Z98M5YoNNztbRGxbXHql7tSitCvaxvo9l0=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
 github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA=
 github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU=
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
+github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
+github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
+github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
@@ -1026,8 +1036,8 @@ github.com/samber/slog-logrus/v2 v2.5.3 h1:N6YGgQ9CQjUQXe75/iWKtE55EENjG67HYUsJQ
 github.com/samber/slog-logrus/v2 v2.5.3/go.mod h1:W3njRsspuMRCd33S0ibPyK1ohRaMhuXKZ1BK8pNiM+c=
 github.com/sashabaranov/go-openai v1.41.2 h1:vfPRBZNMpnqu8ELsclWcAvF19lDNgh1t6TVfFFOPiSM=
 github.com/sashabaranov/go-openai v1.41.2/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
-github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
-github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w=
 github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@@ -1146,6 +1156,8 @@ github.com/uptrace/opentelemetry-go-extra/otellogrus v0.3.2 h1:H8wwQwTe5sL6x30z7
 github.com/uptrace/opentelemetry-go-extra/otellogrus v0.3.2/go.mod h1:/kR4beFhlz2g+V5ik8jW+3PMiMQAPt29y6K64NNY53c=
 github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2 h1:3/aHKUq7qaFMWxyQV0W2ryNgg8x8rVeKVA20KJUkfS0=
 github.com/uptrace/opentelemetry-go-extra/otelutil v0.3.2/go.mod h1:Zit4b8AQXaXvA68+nzmbyDzqiyFRISyw1JiD5JqUBjw=
+github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM=
+github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
@@ -1544,8 +1556,6 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
 gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
-gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k=

go/auth/middleware.go

@@ -11,9 +11,9 @@ import (
 	"strings"
 	"time"
 
-	jwtmiddleware "github.com/auth0/go-jwt-middleware/v2"
-	"github.com/auth0/go-jwt-middleware/v2/jwks"
-	"github.com/auth0/go-jwt-middleware/v2/validator"
+	jwtmiddleware "github.com/auth0/go-jwt-middleware/v3"
+	"github.com/auth0/go-jwt-middleware/v3/jwks"
+	"github.com/auth0/go-jwt-middleware/v3/validator"
 	"github.com/getsentry/sentry-go"
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/attribute"
@@ -42,6 +42,11 @@ type UserTokenContextKey struct{}
 // This will be the auth0 `user_id` from the tokens `sub` claim.
 type CurrentSubjectContextKey struct{}
 
+// ValidatedClaimsContextKey stores the full *validator.ValidatedClaims in
+// context. In v3 the middleware's context key is unexported, so we use our own
+// for code that needs the full validated claims (e.g. token expiry lookup).
+type ValidatedClaimsContextKey struct{}
+
 // MiddlewareConfig Configuration for the auth middleware
 type MiddlewareConfig struct {
 	Auth0Domain   string
@@ -214,7 +219,7 @@ func WithAccount(account string) OverrideAuthOptionFunc {
 }
 
 // Sets the auth info in the context directly from the validated claims produced
-// by the `github.com/auth0/go-jwt-middleware/v2/validator` package. This is
+// by the `github.com/auth0/go-jwt-middleware/v3/validator` package. This is
 // essentially what the middleware already does when receiving a request, and
 // therefore should only be used in exceptional circumstances, like testing, when the
 // middleware is not being used.
@@ -224,7 +229,7 @@ func WithAccount(account string) OverrideAuthOptionFunc {
 func WithValidatedClaims(claims *validator.ValidatedClaims) OverrideAuthOptionFunc {
 	return func(ctx context.Context) context.Context {
 		customClaims := claims.CustomClaims.(*CustomClaims)
-		ctx = context.WithValue(ctx, jwtmiddleware.ContextKey{}, claims)
+		ctx = context.WithValue(ctx, ValidatedClaimsContextKey{}, claims)
 		ctx = context.WithValue(ctx, CustomClaimsContextKey{}, customClaims)
 		ctx = context.WithValue(ctx, CurrentSubjectContextKey{}, claims.RegisteredClaims.Subject)
 		ctx = context.WithValue(ctx, AccountNameContextKey{}, customClaims.AccountName)
@@ -282,9 +287,23 @@ func withCustomClaims(modify func(*CustomClaims)) OverrideAuthOptionFunc {
 //
 // This middleware also extract custom claims form the token and stores them in
 // CustomClaimsContextKey
+//
+// NOTE: This function uses log.Fatalf for startup-time configuration errors
+// because its signature returns http.Handler, not (http.Handler, error).
+// Propagating errors would require changing every caller of NewAuthMiddleware.
 func ensureValidTokenHandler(config MiddlewareConfig, next http.Handler) http.Handler {
-	if config.Auth0Domain == "" && config.IssuerURL == "" && config.Auth0Audience == "" {
-		log.Fatalf("Auth0 configuration is missing")
+	if config.BypassAuth {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			span := trace.SpanFromContext(r.Context())
+			span.SetAttributes(attribute.Bool("ovm.auth.bypass", true))
+			ctx := OverrideAuth(r.Context(), WithBypassScopeCheck())
+			next.ServeHTTP(w, r.Clone(ctx))
+		})
+	}
+
+	if config.Auth0Audience == "" || (config.Auth0Domain == "" && config.IssuerURL == "") {
+		log.Fatalf("Auth0 configuration is incomplete: audience=%q, domain=%q, issuerURL=%q",
+			config.Auth0Audience, config.Auth0Domain, config.IssuerURL)
 	}
 
 	var issuerURL *url.URL
@@ -299,22 +318,26 @@ func ensureValidTokenHandler(config MiddlewareConfig, next http.Handler) http.Ha
 		log.Fatalf("Failed to parse the issuer url: %v", err)
 	}
 
-	provider := jwks.NewCachingProvider(issuerURL, 5*time.Minute)
+	provider, err := jwks.NewCachingProvider(
+		jwks.WithIssuerURL(issuerURL),
+		jwks.WithCacheTTL(5*time.Minute),
+	)
+	if err != nil {
+		log.Fatalf("Failed to set up the jwks provider: %v", err)
+	}
 
 	jwtValidator, err := validator.New(
-		provider.KeyFunc,
-		validator.RS256,
-		issuerURL.String(),
-		[]string{config.Auth0Audience},
-		validator.WithCustomClaims(
-			func() validator.CustomClaims {
-				return &CustomClaims{}
-			},
-		),
+		validator.WithKeyFunc(provider.KeyFunc),
+		validator.WithAlgorithm(validator.RS256),
+		validator.WithIssuer(issuerURL.String()),
+		validator.WithAudience(config.Auth0Audience),
+		validator.WithCustomClaims(func() *CustomClaims {
+			return &CustomClaims{}
+		}),
 		validator.WithAllowedClockSkew(time.Minute),
 	)
 	if err != nil {
-		log.Fatalf("Failed to set up the jwt validator")
+		log.Fatalf("Failed to set up the jwt validator: %v", err)
 	}
 
 	errorHandler := func(w http.ResponseWriter, r *http.Request, err error) {
@@ -382,17 +405,24 @@ func ensureValidTokenHandler(config MiddlewareConfig, next http.Handler) http.Ha
 
 	tokenExtractor := jwtmiddleware.MultiTokenExtractor(extractors...)
 
-	middleware := jwtmiddleware.New(
-		jwtValidator.ValidateToken,
+	middleware, err := jwtmiddleware.New(
+		jwtmiddleware.WithValidator(jwtValidator),
 		jwtmiddleware.WithErrorHandler(errorHandler),
 		jwtmiddleware.WithTokenExtractor(tokenExtractor),
 	)
+	if err != nil {
+		log.Fatalf("Failed to set up the jwt middleware: %v", err)
+	}
 
 	jwtValidationMiddleware := middleware.CheckJWT(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// extract account name and setup otel attributes after the JWT was validated, but before the actual handler runs
-		claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
+		claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context())
+		if err != nil {
+			errorHandler(w, r, fmt.Errorf("error getting validated claims: %w", err))
+			return
+		}
 
-		token, err := tokenExtractor(r)
+		extractedToken, err := tokenExtractor(r)
 		// we should never hit this as the middleware wouldn't call the handler
 		if err != nil {
 			// This is not ErrJWTMissing because an error here means that the
@@ -412,7 +442,8 @@ func ensureValidTokenHandler(config MiddlewareConfig, next http.Handler) http.Ha
 		// note that the values are looked up in last-in-first-out order, so
 		// there is an absolutely minor perf optimisation to have the context
 		// values set in ascending order of access frequency.
-		ctx = context.WithValue(ctx, UserTokenContextKey{}, token)
+		ctx = context.WithValue(ctx, UserTokenContextKey{}, extractedToken.Token)
+		ctx = context.WithValue(ctx, ValidatedClaimsContextKey{}, claims)
 		ctx = context.WithValue(ctx, CustomClaimsContextKey{}, customClaims)
 		ctx = context.WithValue(ctx, CurrentSubjectContextKey{}, claims.RegisteredClaims.Subject)
 		ctx = context.WithValue(ctx, AccountNameContextKey{}, customClaims.AccountName)
@@ -445,14 +476,8 @@ func ensureValidTokenHandler(config MiddlewareConfig, next http.Handler) http.Ha
 
 		var shouldBypass bool
 
-		// If config.BypassAuth is true then bypass
-		if config.BypassAuth {
-			shouldBypass = true
-		}
-
-		// If we aren't bypassing always and we have a regex then check if we
-		// should bypass
-		if !shouldBypass && config.BypassAuthForPaths != nil {
+		// Check if the request path matches the bypass regex
+		if config.BypassAuthForPaths != nil {
 			shouldBypass = config.BypassAuthForPaths.MatchString(r.URL.Path)
 			if shouldBypass {
 				span.SetAttributes(attribute.String("ovm.auth.bypassedPath", r.URL.Path))

go/auth/middleware_test.go

@@ -12,7 +12,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/auth0/go-jwt-middleware/v2/validator"
+	"github.com/auth0/go-jwt-middleware/v3/validator"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/go-jose/go-jose/v4/jwt"
 	log "github.com/sirupsen/logrus"