JWT Middleware Removed
BREAKING CHANGE: JWT Middleware Removed from Core
The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository, or see the alternative implementation.
Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. In your handlers, replace the current "github.com/golang-jwt/jwt" imports with "github.com/golang-jwt/jwt/v5", the version used by the new middleware.
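One way to find handlers that still need this change before upgrading, as an added example rather than code from Echo or echo-jwt: it parses a Go file with the standard library and reports the legacy import plus every type assertion to that package's *Token type. FindLegacyJWT and the sample handler are hypothetical names constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// legacyPath is the import to replace, as written in source (quotes included).
const legacyPath = `"github.com/golang-jwt/jwt"`
// sample is a constructed handler still written against the removed middleware.
const sample = `package handlers
import "github.com/golang-jwt/jwt"
func restricted(c echo.Context) error {
	token := c.Get("user").(*jwt.Token)
	return c.String(200, token.Raw)
}
`

// FindLegacyJWT reports the legacy import and each assertion to its *Token type.
func FindLegacyJWT(filename, src string) (out []string, err error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	local := "" // name the legacy package is bound to in this file
	for _, imp := range file.Imports {
		if imp.Path.Value == legacyPath {
			if local = "jwt"; imp.Name != nil {
				local = imp.Name.Name // aliased import
			}
			out = append(out, fmt.Sprintf("line %d: legacy import %s", fset.Position(imp.Pos()).Line, legacyPath))
		}
	}
	ast.Inspect(file, func(n ast.Node) bool {
		ta, ok := n.(*ast.TypeAssertExpr)
		if ok && ta.Type != nil && types.ExprString(ta.Type) == "*"+local+".Token" {
			out = append(out, fmt.Sprintf("line %d: assertion to *%s.Token", fset.Position(ta.Pos()).Line, local))
		}
		return true
	})
	return out, nil
}

func main() {
	fmt.Println(FindLegacyJWT("handler.go", sample))
}
```

Comma-ok assertions are reported as well: they do not panic, but they still name the legacy type and need the same import change.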
Background:
The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #1946.
JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in your dev/CI flow. For bonus points, check out gosec.
We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.
Enhancements
- remove jwt middleware by @stevenwhitehead in #2701
- optimization: struct alignment by @behnambm in #2636
- bind: Maintain backwards compatibility for map[string]interface{} binding by @thesaltree in #2656
- Add Go 1.23 to CI by @aldas in #2675
- improve MultipartForm test by @martinyonatann in #2682
- bind: add support of multipart multi files by @martinyonatann in #2684
- Add TemplateRenderer struct to ease creating renderers for html/template and text/template packages. by @aldas in #2690
- Refactor TestBasicAuth to utilize table-driven test format by @ErikOlson in #2688
- Remove broken header by @aldas in #2705
- fix(bind body): content-length can be -1 by @phamvinhdat in #2710
- CORS middleware should compile allowOrigin regexp at creation by @aldas in #2709
- Shorten Github issue template and add test example by @aldas in #2711
New Contributors
- @behnambm made their first contribution in #2636
- @thesaltree made their first contribution in #2656
- @martinyonatann made their first contribution in #2682
- @ErikOlson made their first contribution in #2688
- @phamvinhdat made their first contribution in #2710
- @stevenwhitehead made their first contribution in #2701
Full Changelog: v4.12.0...v4.13.0