cluade code review changes

2026-02-20 16:38:24 +05:30
parent a048cb0d73
commit f1601020b1
16 changed files with 150 additions and 70 deletions
--- a/jwt/jwt.go
+++ b/jwt/jwt.go
@@ -28,13 +28,14 @@ func Parse(key ed25519.PrivateKey, tokenString string, issuer string) (jwt.MapCl
 // SignEdDSA (Edwards-curve Digital Signature Algorithm, typically Ed25519) is an excellent,
 // modern choice for JWT signing—arguably safer and more efficient than both HS256 and traditional RSA/ECDSA.
 func SignEdDSA(key ed25519.PrivateKey, claims map[string]any, issuer string, d time.Duration) (string, error) {
-	cl := jwt.MapClaims{
-		"iss": issuer,
-		"iat": jwt.NewNumericDate(time.Now().UTC()),
-		"exp": jwt.NewNumericDate(time.Now().Add(d)),
-	}
+	cl := jwt.MapClaims{}
 	maps.Copy(cl, claims)

+	// Set standard claims after user claims to prevent override
+	cl["iss"] = issuer
+	cl["iat"] = jwt.NewNumericDate(time.Now().UTC())
+	cl["exp"] = jwt.NewNumericDate(time.Now().Add(d))
+
 	t := jwt.NewWithClaims(jwt.SigningMethodEdDSA, cl)
 	return t.SignedString(key)
 }
@@ -61,13 +62,14 @@ func ParseEdDSA(key ed25519.PrivateKey, tokenString string, issuer string) (jwt.
 }

 func SignHS256(secret []byte, claims map[string]any, issuer string, d time.Duration) (string, error) {
-	cl := jwt.MapClaims{
-		"iss": issuer,
-		"iat": jwt.NewNumericDate(time.Now().UTC()),
-		"exp": jwt.NewNumericDate(time.Now().Add(d)),
-	}
+	cl := jwt.MapClaims{}
 	maps.Copy(cl, claims)

+	// Set standard claims after user claims to prevent override
+	cl["iss"] = issuer
+	cl["iat"] = jwt.NewNumericDate(time.Now().UTC())
+	cl["exp"] = jwt.NewNumericDate(time.Now().Add(d))
+
 	t := jwt.NewWithClaims(jwt.SigningMethodHS256, cl)
 	return t.SignedString(secret)
 }
@@ -102,10 +104,12 @@ func ParseHS256(secret []byte, tokenString string, issuer string) (jwt.MapClaims
 func SignES256(
 	key *ecdsa.PrivateKey, issuer, audience, subject string, d time.Duration, claims map[string]any,
 ) (string, error) {
-	cl := jwt.MapClaims{
-		"iat": jwt.NewNumericDate(time.Now().UTC()),
-		"exp": jwt.NewNumericDate(time.Now().Add(d)),
-	}
+	cl := jwt.MapClaims{}
+	maps.Copy(cl, claims)
+
+	// Set standard claims after user claims to prevent override
+	cl["iat"] = jwt.NewNumericDate(time.Now().UTC())
+	cl["exp"] = jwt.NewNumericDate(time.Now().Add(d))

 	if issuer != "" {
 		cl["iss"] = issuer
@@ -119,8 +123,6 @@ func SignES256(
 		cl["sub"] = subject
 	}

-	maps.Copy(cl, claims)
-
 	t := jwt.NewWithClaims(jwt.SigningMethodES256, cl)
 	return t.SignedString(key)
 }