Pr branch (#25)

* fix update jwt-token version to avoid attackers to bypass intended access restrictions in situations with []string{} for m["aud"]

* del accountAddr

src/rpc/auth/auth/user_token.go

@@ -18,7 +18,7 @@ func (rpc *rpcAuth) UserToken(_ context.Context, pb *pbAuth.UserTokenReq) (*pbAu
 	}
 	log.Info("", "", "rpc user_token call..., im_mysql_model.AppServerFindFromUserByUserID")
 
-	tokens, expTime, err := utils.CreateToken(pb.UID, "", pb.Platform)
+	tokens, expTime, err := utils.CreateToken(pb.UID, pb.Platform)
 	if err != nil {
 		log.Error("", "", "rpc user_token call..., utils.CreateToken fail [uid: %s] [err: %s]", pb.UID, err.Error())
 		return &pbAuth.UserTokenResp{ErrCode: 500, ErrMsg: err.Error()}, err

src/utils/jwt_token.go

@@ -4,9 +4,8 @@ import (
 	"Open_IM/src/common/config"
 	"Open_IM/src/common/db"
 	"errors"
+	"github.com/golang-jwt/jwt/v4"
 	"time"
-
-	"github.com/dgrijalva/jwt-go"
 )
 
 var (
@@ -23,7 +22,7 @@ type Claims struct {
 	jwt.StandardClaims
 }
 
-func BuildClaims(uid, accountAddr, platform string, ttl int64) Claims {
+func BuildClaims(uid, platform string, ttl int64) Claims {
 	now := time.Now().Unix()
 	//if ttl=-1 Permanent token
 	expiresAt := int64(-1)
@@ -41,8 +40,8 @@ func BuildClaims(uid, accountAddr, platform string, ttl int64) Claims {
 		}}
 }
 
-func CreateToken(userID, accountAddr string, platform int32) (string, int64, error) {
-	claims := BuildClaims(userID, accountAddr, PlatformIDToName(platform), config.Config.TokenPolicy.AccessExpire)
+func CreateToken(userID string, platform int32) (string, int64, error) {
+	claims := BuildClaims(userID, PlatformIDToName(platform), config.Config.TokenPolicy.AccessExpire)
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	tokenString, err := token.SignedString([]byte(config.Config.TokenPolicy.AccessSecret))