jwt-go Access Restriction Bypass Vuln

[freewil]

Issue Description

For echo's JWT middleware, the version of jwt-go being used is vulnerable to an Access Restriction Bypass. I'm not sure if the vulnerable affects echo, it appears it may not, with the way the lib is currently used. The library appears to be unmaintained and so longer-term, it should be considered moving to an alternative or using a patched version of the library in case implementation changes.

See: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Checklist

• Dependencies installed
• No typos
• Searched existing issues and docs

[WhileLoop]

For reference this is tracked in dgrijalva/jwt-go#422.

[orishoshan]

Consider using https://github.com/form3tech-oss/jwt-go

[lammel]

Discussion continues in the related PR #1663

[SVilgelm]

Looks like the maintainer of jwt-go is not going to fix this issue in the v3 release.
@vishr What do you think about upgrading jwt-go to use the v4.preview1 release?

[jpcox]

See https://github.com/dgrijalva/jwt-go README.md re the move to https://github.com/golang-jwt/jwt.

Also see https://github.com/golang-jwt/jwt/releases/tag/v3.2.1 for a fix to the CVE. This version is API compatible with 3.2.0 unlike v4.preview1.

[aldas]

Please see #1916 (comment)

[aldas]

done in #1946