Files
httpauth-jwt/go.sum

9 lines
708 B
Plaintext
Raw Permalink Normal View History

fix(httpauth-jwt): WithJSONNumber in Verify, JSON errors in AuthMiddleware, bump httpauth v1.0.2 (#1) Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded as json.Number instead of float64 — exact parsing for all integers including math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and overflow back to math.MinInt64 on cast to int64. AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of http.Error. Standardizes the error format across the full httpauth-* middleware stack: AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth) all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}. Update two existing tests (TestIssueTokenPair_CustomClaims, TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64 — they were correct before WithJSONNumber, now reflect the actual decoded type. Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via json.Number.Int64() — proving no float64 round-trip occurs. Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}. Bump httpauth dependency to v1.0.2. Reviewed-on: https://code.nochebuena.dev/go/httpauth-jwt/pulls/1 Co-authored-by: Rene Nochebuena Guerrero <rene@nochebuena.dev> Co-committed-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
2026-05-18 14:38:54 -06:00
code.nochebuena.dev/go/httpauth v1.0.2 h1:BegLr1nHk/i/RbhEf2Xh9FZZ9psUqjFyQ+hvFJR4Ro4=
code.nochebuena.dev/go/httpauth v1.0.2/go.mod h1:vVyYhdgHBpOJc9uih6bMtrXBPmvPRgTJrI8cfErXojk=
code.nochebuena.dev/go/rbac v1.0.0 h1:FnsU1HU6vvwchKuZNxDa9RPIFeNwJi0vShWvHKABMws=
code.nochebuena.dev/go/rbac v1.0.0/go.mod h1:LzW8tTJmdbu6HHN26NZZ3HzzdlZAd1sp6aml25Cfz5c=
fix(httpauth-jwt): WithJSONNumber in Verify, JSON errors in AuthMiddleware, bump httpauth v1.0.2 (#1) Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded as json.Number instead of float64 — exact parsing for all integers including math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and overflow back to math.MinInt64 on cast to int64. AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of http.Error. Standardizes the error format across the full httpauth-* middleware stack: AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth) all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}. Update two existing tests (TestIssueTokenPair_CustomClaims, TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64 — they were correct before WithJSONNumber, now reflect the actual decoded type. Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via json.Number.Int64() — proving no float64 round-trip occurs. Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}. Bump httpauth dependency to v1.0.2. Reviewed-on: https://code.nochebuena.dev/go/httpauth-jwt/pulls/1 Co-authored-by: Rene Nochebuena Guerrero <rene@nochebuena.dev> Co-committed-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
2026-05-18 14:38:54 -06:00
code.nochebuena.dev/go/xerrors v1.0.1 h1:fgXoabY/ZwxAzaM1sKFf3sbL7ZHWyDxItB/rdbnl0mo=
code.nochebuena.dev/go/xerrors v1.0.1/go.mod h1:03MMVfrhaf4XmTMgMrEUFCmuZPGHUCKDitiQvwCuwvY=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=