Replace jwt.SigningMethodNone ⇒ jwt.SigningMethodHS256

Go pattern

Using the none algorithm in a JWT token is risky because it assumes the token's integrity is already ensured. This could let a malicious actor create a fake JWT token that gets automatically verified. Avoid using none and go for a safer algorithm like HS256 instead.

references

Replace jwt.SigningMethodNonejwt.SigningMethodHS256

BEFORE
package main

import (
	"fmt"
	"github.com/dgrijalva/jwt-go"
)

func createUnsignedToken() {
	// Creating a JWT token without any signature (unsafe)
	claims := jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "test",
	}

	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)
	ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
	fmt.Printf("%v %v\n", ss, err)
}

func createSignedToken(key []byte) {
	// Creating a JWT token with HMAC SHA-256 signature
	claims := jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "test",
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	ss, err := token.SignedString(key)
	fmt.Printf("%v %v\n", ss, err)
}
AFTER
package main

import (
	"fmt"
	"github.com/dgrijalva/jwt-go"
)

func createUnsignedToken() {
	// Creating a JWT token without any signature (unsafe)
	claims := jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "test",
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
	fmt.Printf("%v %v\n", ss, err)
}

func createSignedToken(key []byte) {
	// Creating a JWT token with HMAC SHA-256 signature
	claims := jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "test",
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	ss, err := token.SignedString(key)
	fmt.Printf("%v %v\n", ss, err)
}