auth/jwt causes "fatal error: concurrent map writes" on concurrent requests

[Xzya]

Hello,

When having multiple concurrent requests to the same endpoint that contains the parser, it will cause fatal error: concurrent map writes since the same claims will be accessed by all requests at the same time. Here is some code to reproduce it:

package main

import (
	"context"

	"github.com/go-kit/kit/endpoint"

	"time"

	jwt "github.com/dgrijalva/jwt-go"
	jwtkit "github.com/go-kit/kit/auth/jwt"
)

func main() {
	testEndpoint := MakeTestEndpoint()
	testEndpoint = JWTParserMiddleware("secret")(testEndpoint)

	for i := 0; i < 10; i++ {
		go func() {
			ctx := context.WithValue(context.Background(), jwtkit.JWTTokenContextKey, "eyJhbGciOiJIUzI1NiIsImtpZCI6ImtpZCIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZ28ta2l0In0.14M2VmYyApdSlV_LZ88ajjwuaLeIFplB8JpyNy0A19E")
			testEndpoint(ctx, nil)
		}()
	}

	select {}
}

func JWTParserMiddleware(secret string) endpoint.Middleware {
	kf := func(token *jwt.Token) (interface{}, error) {
		return []byte(secret), nil
	}

	return jwtkit.NewParser(kf, jwt.SigningMethodHS256, jwt.MapClaims{})
}

func MakeTestEndpoint() endpoint.Endpoint {
	return func(ctx context.Context, request interface{}) (response interface{}, err error) {
		time.Sleep(1 * time.Second)
		return nil, nil
	}
}

Maybe use a factory instead of directly passing the claims?

Thanks!

[peterbourgon]

Ugh, indeed jwt.ParseWithClaims does a json.Decoder.Decode into the passed claims object. I guess we need to make a copy of the claims object before we invoke ParseWithClaims here.