
Merge pull request #8425 from emqx/EMQX-6360-5-0-do-not-force-exp-field-in-jwt

fix: allow the `exp` field to be optional to keep backwards compat with 4.X
Zaiming (Stone) Shi 3 lat temu
rodzic
commit
179adeac57

+ 3 - 2
CHANGES-5.0.md

@@ -5,6 +5,7 @@
 * Websocket listener failed to read headers `X-Forwared-For` and `X-Forwarded-Port` [8415](https://github.com/emqx/emqx/pull/8415)
 * Deleted `cluster_singleton` from MQTT bridge config document. This config is no longer applicable in 5.0 [8407](https://github.com/emqx/emqx/pull/8407)
 * Fix `emqx/emqx:latest` docker image publish to use the Erlang flavor, but not Elixir flavor [8414](https://github.com/emqx/emqx/pull/8414)
+* Changed the `exp` field in JWT auth to be optional rather than required to fix backwards compatability with 4.X releases. [8425](https://github.com/emqx/emqx/pull/8425)
 
 ## Enhancements
 
@@ -18,14 +19,14 @@ Going forward, it will be an enterprise only feature.
 Main reason: relup requires carefully crafted upgrade instructions from ALL previous versions.
 
 For example, 4.3 is now at 4.3.16, we have `4.3.0->4.3.16`, `4.3.1->4.3.16`, ... 16 such upgrade paths in total to maintain.
-This had been the biggest obstacle for EMQX team to act agile enought in deliverying enhancements and fixes.
+This had been the biggest obstacle for EMQX team to act agile enough in deliverying enhancements and fixes.
 
 ## Enhancements
 
 ## Bug fixes
 
 * Fixed a typo in `bin/emqx` which affects MacOs release when trying to enable Erlang distribution over TLS [8398](https://github.com/emqx/emqx/pull/8398)
-* Ristricted shell was accidentally disabled in 5.0.1, it has been added back. [8396]{https://github.com/emqx/emqx/pull/8396)
+* Restricted shell was accidentally disabled in 5.0.1, it has been added back. [8396](https://github.com/emqx/emqx/pull/8396)
 
 # 5.0.1
 

+ 1 - 1
apps/emqx_authn/src/emqx_authn.app.src

@@ -1,7 +1,7 @@
 %% -*- mode: erlang -*-
 {application, emqx_authn, [
     {description, "EMQX Authentication"},
-    {vsn, "0.1.1"},
+    {vsn, "0.1.2"},
     {modules, []},
     {registered, [emqx_authn_sup, emqx_authn_registry]},
     {applications, [kernel, stdlib, emqx_resource, ehttpc, epgsql, mysql, jose]},

+ 2 - 10
apps/emqx_authn/src/emqx_authn.appup.src

@@ -1,13 +1,5 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"0.1.0",
-    [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
-   {<<".*">>,[]}],
-  [{"0.1.0",
-    [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
-   {<<".*">>,[]}]}.
+  [{<<".*">>,[]}],
+  [{<<".*">>,[]}]}.

+ 7 - 9
apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl

@@ -432,13 +432,13 @@ verify_claims(Claims, VerifyClaims0) ->
     Now = os:system_time(seconds),
     VerifyClaims =
         [
-            {<<"exp">>, required, fun(ExpireTime) ->
+            {<<"exp">>, fun(ExpireTime) ->
                 is_integer(ExpireTime) andalso Now < ExpireTime
             end},
-            {<<"iat">>, optional, fun(IssueAt) ->
+            {<<"iat">>, fun(IssueAt) ->
                 is_integer(IssueAt) andalso IssueAt =< Now
             end},
-            {<<"nbf">>, optional, fun(NotBefore) ->
+            {<<"nbf">>, fun(NotBefore) ->
                 is_integer(NotBefore) andalso NotBefore =< Now
             end}
         ] ++ VerifyClaims0,
@@ -468,13 +468,11 @@ try_convert_to_int(Claims, []) ->
 
 do_verify_claims(_Claims, []) ->
     ok;
-do_verify_claims(Claims, [{Name, Required, Fun} | More]) when is_function(Fun) ->
-    case {Required, maps:take(Name, Claims)} of
-        {optional, error} ->
+do_verify_claims(Claims, [{Name, Fun} | More]) when is_function(Fun) ->
+    case maps:take(Name, Claims) of
+        error ->
             do_verify_claims(Claims, More);
-        {required, error} ->
-            {error, {missing_claim, Name}};
-        {_, {Value, NClaims}} ->
+        {Value, NClaims} ->
             case Fun(Value) of
                 true ->
                     do_verify_claims(NClaims, More);
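Review bot: With the `required` flag gone, a token that omits `exp` now passes the time checks and stays valid for as long as the signing key does, and nothing in the `<<"exp">>` entry of `verify_claims` or the `error ->` branch of `do_verify_claims` lets an operator opt back into requiring expiry. Since the 4.x-compat motive lives only in the commit message, I would at least record it at the `<<"exp">>` entry: `%% 'exp' is optional for 4.x compatibility: a token without it never expires, so token lifetime must be bounded by key rotation or the configured claims.` Better still, keep a boolean such as `require_exp` (default false for compat) in the verify-claims state so deployments that only issue expiring tokens can reject unbounded ones. This appears to affect only the three function-checked time claims, as the `when is_function(Fun)` guard suggests a separate clause handles the configured value claims; both `verify_claims/2` and `do_verify_claims/2` continue outside the hunk.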

+ 3 - 3
apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl

@@ -399,15 +399,15 @@ t_verify_claims(_) ->
     },
     ?assertMatch({ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential3, State1)),
 
-    %% No exp
+    %% No exp treated as unexpired
     Payload4 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
     JWS4 = generate_jws('hmac-based', Payload4, Secret),
     Credential4 = #{
         username => <<"myuser">>,
         password => JWS4
     },
-    ?assertEqual(
-        {error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential4, State1)
+    ?assertMatch(
+        {ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential4, State1)
     ).
 
 t_jwt_not_allow_empty_claim_name(_) ->
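Review bot: The relaxed assertion on `Credential4` pins only the absent-`exp` case; nothing in this hunk shows that a present but past `exp`, or a non-integer one, is still rejected, which is exactly the boundary this commit moves. If that is not already covered earlier in `t_verify_claims` (the function starts before the hunk), I would add a sibling payload with `<<"exp">> => erlang:system_time(seconds) - 60` and one with `<<"exp">> => <<"soon">>`, each asserting the same `{error, bad_username_or_password}` the removed assertion expected. The comment could also say why the case is accepted: `%% No exp treated as unexpired (4.x compatibility)`.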