nats-io · neilalexander · Jul 25, 2025 · Jul 2, 2025 · Jul 3, 2025 · Jul 3, 2025
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "40 4 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   nightly_coverage:
     runs-on: ubuntu-latest

@@ -7,6 +7,9 @@ on:
   schedule:
     - cron: "30 12 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   # At most one of these workflow per ref running
   group: ${{ github.workflow }}-${{ github.ref }}

@@ -1,6 +1,9 @@
 name: MQTT External Tests
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     env:

@@ -10,9 +10,14 @@ on:
   schedule:
     - cron: "40 4 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   run:
     runs-on: ${{ vars.GHA_WORKER_RELEASE || 'ubuntu-latest' }}
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

@@ -5,12 +5,14 @@ on:
       - v*
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   run:
     name: GitHub Release
     runs-on: ${{ vars.GHA_WORKER_RELEASE || 'ubuntu-latest' }}
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

@@ -5,6 +5,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   RACE: ${{ (github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/heads/release/') && github.event_name != 'pull_request') && '-race' || '' }}
 
@@ -51,11 +54,13 @@ jobs:
 
       - name: Check PR description is signed off
         if: github.event_name == 'pull_request'
+        env:
+          PR_DESC: ${{ github.event.pull_request.body }}
         run: |
-          if ! echo "${{ github.event.pull_request.body }}" | grep -Pq '^Signed-off-by:\s*(?!Your Name|.*<your\.email@example\.com>)'; then
-              echo "::error ::Pull request has not been signed off in the PR description with a \`Signed-off-by:\` line"
-              exit 1
-          fi
+          grep -Pq '^Signed-off-by:\s*(?!Your Name|.*<your\.email@example\.com>)' <<<"$PR_DESC" || {
+          echo "::error ::Pull request has not been signed off in the PR description with a \`Signed-off-by:\` line"
+          exit 1
+          }
 
   lint:
     name: Lint

@@ -21,7 +21,7 @@ builds:
     env:
       # This is the toolchain version we use for releases. To override, set the env var, e.g.:
       # GORELEASER_TOOLCHAIN="go1.22.8" TARGET='linux_amd64' goreleaser build --snapshot --clean --single-target
-      - GOTOOLCHAIN={{ envOrDefault "GORELEASER_TOOLCHAIN" "go1.24.4" }}
+      - GOTOOLCHAIN={{ envOrDefault "GORELEASER_TOOLCHAIN" "go1.24.5" }}
       - GO111MODULE=on
       - CGO_ENABLED=0
     goos:
@@ -34,6 +34,7 @@ builds:
       - arm
       - arm64
       - 386
+      - loong64
       - mips64le
       - s390x
       - ppc64le

@@ -2,7 +2,7 @@ module github.com/nats-io/nats-server/v2
 
 go 1.23.0
 
-toolchain go1.23.10
+toolchain go1.23.11
 
 require (
 	github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op
@@ -14,7 +14,7 @@ require (
 	github.com/nats-io/nkeys v0.4.11
 	github.com/nats-io/nuid v1.0.1
 	go.uber.org/automaxprocs v1.6.0
-	golang.org/x/crypto v0.39.0
-	golang.org/x/sys v0.33.0
+	golang.org/x/crypto v0.40.0
+	golang.org/x/sys v0.34.0
 	golang.org/x/time v0.12.0
 )
@@ -24,11 +24,11 @@ github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMT
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

@@ -231,10 +231,14 @@ func TestAuthCalloutBasics(t *testing.T) {
 		require_True(t, si.Name == "A")
 		require_True(t, ci.Host == "127.0.0.1")
 		// Allow dlc user.
-		if opts.Username == "dlc" && opts.Password == "zzz" {
+		if (opts.Username == "dlc" && opts.Password == "zzz") || opts.Token == "SECRET_TOKEN" {
 			var j jwt.UserPermissionLimits
 			j.Pub.Allow.Add("$SYS.>")
 			j.Payload = 1024
+			if opts.Token == "SECRET_TOKEN" {
+				// Token MUST NOT be exposed in user info.
+				require_Equal(t, ci.User, "[REDACTED]")
+			}
 			ujwt := createAuthUser(t, user, _EMPTY_, globalAccountName, "", nil, 10*time.Minute, &j)
 			m.Respond(serviceResponse(t, user, si.ID, ujwt, "", 0))
 		} else {
@@ -279,6 +283,39 @@ func TestAuthCalloutBasics(t *testing.T) {
 	if expires > 10*time.Minute || expires < (10*time.Minute-5*time.Second) {
 		t.Fatalf("Expected expires of ~%v, got %v", 10*time.Minute, expires)
 	}
+
+	// Callout with a token should also work, regardless of it being redacted in the user info.
+	nc.Close()
+	nc = at.Connect(nats.Token("SECRET_TOKEN"))
+	defer nc.Close()
+
+	resp, err = nc.Request(userDirectInfoSubj, nil, time.Second)
+	require_NoError(t, err)
+	response = ServerAPIResponse{Data: &UserInfo{}}
+	err = json.Unmarshal(resp.Data, &response)
+	require_NoError(t, err)
+
+	userInfo = response.Data.(*UserInfo)
+	dlc = &UserInfo{
+		// Token MUST NOT be exposed in user info.
+		UserID:  "[REDACTED]",
+		Account: globalAccountName,
+		Permissions: &Permissions{
+			Publish: &SubjectPermission{
+				Allow: []string{"$SYS.>"},
+				Deny:  []string{AuthCalloutSubject}, // Will be auto-added since in auth account.
+			},
+			Subscribe: &SubjectPermission{},
+		},
+	}
+	expires = userInfo.Expires
+	userInfo.Expires = 0
+	if !reflect.DeepEqual(dlc, userInfo) {
+		t.Fatalf("User info for %q did not match", "dlc")
+	}
+	if expires > 10*time.Minute || expires < (10*time.Minute-5*time.Second) {
+		t.Fatalf("Expected expires of ~%v, got %v", 10*time.Minute, expires)
+	}
 }
 
 func TestAuthCalloutMultiAccounts(t *testing.T) {

@@ -4360,7 +4360,7 @@ func sliceHeader(key string, hdr []byte) []byte {
 	if len(hdr) == 0 {
 		return nil
 	}
-	index := bytes.Index(hdr, stringToBytes(key))
+	index := bytes.Index(hdr, stringToBytes(key+":"))
 	hdrLen := len(hdr)
 	// Check that we have enough characters, this will handle the -1 case of the key not
 	// being found and will also handle not having enough characters for trailing CRLF.

@@ -3040,6 +3040,26 @@ func TestSliceHeader(t *testing.T) {
 	require_True(t, bytes.Equal(sliced, copied))
 }
 
+func TestSliceHeaderOrdering(t *testing.T) {
+	hdr := []byte("NATS/1.0\r\n\r\n")
+
+	// These headers share the same prefix, the longer subject
+	// must not invalidate the existence of the shorter one.
+	hdr = genHeader(hdr, JSExpectedLastSubjSeqSubj, "foo")
+	hdr = genHeader(hdr, JSExpectedLastSubjSeq, "24")
+
+	sliced := sliceHeader(JSExpectedLastSubjSeq, hdr)
+	copied := getHeader(JSExpectedLastSubjSeq, hdr)
+
+	require_NotNil(t, sliced)
+	require_Equal(t, cap(sliced), 2)
+
+	require_NotNil(t, copied)
+	require_Equal(t, cap(copied), len(copied))
+
+	require_True(t, bytes.Equal(sliced, copied))
+}
+
 func TestInProcessAllowedConnectionType(t *testing.T) {
 	tmpl := `
 		listen: "127.0.0.1:-1"