diff --git a/CHANGELOG.md b/CHANGELOG.md index bf40eb5..c7965bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,23 @@ All notable changes to `code.nochebuena.dev/go/httpauth-jwt` are documented here. Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [1.0.2] — 2026-05-18 + +### Changed + +- All three `Verify` implementations (`hmacSigner`, `rsaSigner`, `rsaPublicVerifier`) + now pass `jwt.WithJSONNumber()` to `jwt.Parse`. JWT numeric claims — including + permission mask bitmasks — are decoded as `json.Number` instead of `float64`, + preserving exact bit patterns for values up to and including `math.MaxInt64`. +- `AuthMiddleware` now returns JSON error bodies instead of plain-text `http.Error` + for missing/invalid/expired Bearer tokens. Uses `httpauth.WriteJSONError` — the + same helper as `EnrichmentMiddleware` and `AuthzMiddleware` — ensuring a consistent + `{"code":"UNAUTHENTICATED","message":"unauthorized"}` response across the full + middleware stack. +- Dependency `code.nochebuena.dev/go/httpauth` bumped to v1.0.2. + +[1.0.2]: https://code.nochebuena.dev/go/httpauth-jwt/releases/tag/v1.0.2 + ## [1.0.0] — 2026-05-08 ### Changed diff --git a/auth.go b/auth.go index a38f54e..52efc97 100644 --- a/auth.go +++ b/auth.go @@ -32,26 +32,26 @@ func AuthMiddleware(verifier Verifier, publicPaths []string) func(http.Handler) authHeader := r.Header.Get("Authorization") if !strings.HasPrefix(authHeader, "Bearer ") { - http.Error(w, "unauthorized", http.StatusUnauthorized) + httpauthmw.WriteJSONError(w, http.StatusUnauthorized, "UNAUTHENTICATED", "unauthorized") return } tokenStr := strings.TrimPrefix(authHeader, "Bearer ") token, err := verifier.Verify(tokenStr) if err != nil { - http.Error(w, "unauthorized", http.StatusUnauthorized) + httpauthmw.WriteJSONError(w, http.StatusUnauthorized, "UNAUTHENTICATED", "unauthorized") return } claims, ok := token.Claims.(jwt.MapClaims) if !ok { - http.Error(w, "unauthorized", http.StatusUnauthorized) + httpauthmw.WriteJSONError(w, http.StatusUnauthorized, "UNAUTHENTICATED", "unauthorized") return } uid, _ := claims["sub"].(string) if uid == "" { - http.Error(w, "unauthorized", http.StatusUnauthorized) + httpauthmw.WriteJSONError(w, http.StatusUnauthorized, "UNAUTHENTICATED", "unauthorized") return } diff --git a/go.mod b/go.mod index f833633..1187f67 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,11 @@ module code.nochebuena.dev/go/httpauth-jwt go 1.26 require ( - code.nochebuena.dev/go/httpauth v1.0.0 + code.nochebuena.dev/go/httpauth v1.0.2 github.com/golang-jwt/jwt/v5 v5.2.1 ) -require code.nochebuena.dev/go/rbac v1.0.0 // indirect +require ( + code.nochebuena.dev/go/rbac v1.0.0 // indirect + code.nochebuena.dev/go/xerrors v1.0.1 // indirect +) diff --git a/go.sum b/go.sum index c5557e3..326ff84 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,8 @@ -code.nochebuena.dev/go/httpauth v1.0.0 h1:B2ypnlL7yQkePHC3EKo4LPgJbd5lWZ6RuA1o6sx84so= -code.nochebuena.dev/go/httpauth v1.0.0/go.mod h1:rGaQDInGkavpk8nbiG7azPqcyYsrwo0+E+ZNocRW2MY= +code.nochebuena.dev/go/httpauth v1.0.2 h1:BegLr1nHk/i/RbhEf2Xh9FZZ9psUqjFyQ+hvFJR4Ro4= +code.nochebuena.dev/go/httpauth v1.0.2/go.mod h1:vVyYhdgHBpOJc9uih6bMtrXBPmvPRgTJrI8cfErXojk= code.nochebuena.dev/go/rbac v1.0.0 h1:FnsU1HU6vvwchKuZNxDa9RPIFeNwJi0vShWvHKABMws= code.nochebuena.dev/go/rbac v1.0.0/go.mod h1:LzW8tTJmdbu6HHN26NZZ3HzzdlZAd1sp6aml25Cfz5c= +code.nochebuena.dev/go/xerrors v1.0.1 h1:fgXoabY/ZwxAzaM1sKFf3sbL7ZHWyDxItB/rdbnl0mo= +code.nochebuena.dev/go/xerrors v1.0.1/go.mod h1:03MMVfrhaf4XmTMgMrEUFCmuZPGHUCKDitiQvwCuwvY= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= diff --git a/jwtauth_test.go b/jwtauth_test.go index 5c2a957..6d80c26 100644 --- a/jwtauth_test.go +++ b/jwtauth_test.go @@ -4,7 +4,9 @@ import ( "context" "crypto/rand" "crypto/rsa" + "encoding/json" "errors" + "math" "net/http" "net/http/httptest" "testing" @@ -152,7 +154,7 @@ func TestIssueTokenPair_StandardClaims(t *testing.T) { func TestIssueTokenPair_CustomClaims(t *testing.T) { custom := map[string]any{ - "permisos": map[string]any{"usuarios": float64(515)}, + "permisos": map[string]any{"usuarios": int64(515)}, } pair, err := IssueTokenPair(testHMAC, "uid1", custom, testCfg) if err != nil { @@ -164,8 +166,13 @@ func TestIssueTokenPair_CustomClaims(t *testing.T) { if !ok { t.Fatalf("permisos claim missing or wrong type: %T", mc["permisos"]) } - if permisos["usuarios"] != float64(515) { - t.Errorf("want usuarios=515, got %v", permisos["usuarios"]) + // Verify uses jwt.WithJSONNumber — numeric claims come back as json.Number. + n, ok := permisos["usuarios"].(json.Number) + if !ok { + t.Fatalf("want json.Number, got %T", permisos["usuarios"]) + } + if v, _ := n.Int64(); v != 515 { + t.Errorf("want usuarios=515, got %d", v) } } @@ -277,8 +284,48 @@ func TestRefreshTokenPair_CustomClaimsInNewToken(t *testing.T) { if !ok { t.Fatalf("permisos missing from new access token") } - if permisos["usuarios"] != float64(7) { - t.Errorf("want 7, got %v", permisos["usuarios"]) + // Verify uses jwt.WithJSONNumber — numeric claims come back as json.Number. + n, ok := permisos["usuarios"].(json.Number) + if !ok { + t.Fatalf("want json.Number, got %T", permisos["usuarios"]) + } + if v, _ := n.Int64(); v != 7 { + t.Errorf("want 7, got %d", v) + } +} + +// --- json.Number precision --- + +func TestVerify_JSONNumberPreservesMaxInt64(t *testing.T) { + // math.MaxInt64 cannot be represented exactly as float64 — it would round to 2^63 + // and overflow back to math.MinInt64 on cast. WithJSONNumber keeps it as a decimal + // string and json.Number.Int64() parses it exactly. + custom := map[string]any{ + "masks": map[string]any{"*": int64(math.MaxInt64)}, + } + pair, err := IssueTokenPair(testHMAC, "uid1", custom, testCfg) + if err != nil { + t.Fatalf("IssueTokenPair: %v", err) + } + tok, err := testHMAC.Verify(pair.AccessToken) + if err != nil { + t.Fatalf("Verify: %v", err) + } + mc, _ := tok.Claims.(jwt.MapClaims) + masks, ok := mc["masks"].(map[string]any) + if !ok { + t.Fatalf("masks claim missing or wrong type: %T", mc["masks"]) + } + n, ok := masks["*"].(json.Number) + if !ok { + t.Fatalf("want json.Number, got %T — WithJSONNumber() may not be set", masks["*"]) + } + got, err := n.Int64() + if err != nil { + t.Fatalf("Int64(): %v", err) + } + if got != math.MaxInt64 { + t.Errorf("want MaxInt64 (%d), got %d — precision lost in float64 round-trip", int64(math.MaxInt64), got) } } @@ -364,6 +411,27 @@ func TestAuthMiddleware_PublicPathWildcard(t *testing.T) { } } +func TestAuthMiddleware_UnauthorizedJSON(t *testing.T) { + h := AuthMiddleware(testHMAC, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + rec := httptest.NewRecorder() + h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/api", nil)) + if rec.Code != http.StatusUnauthorized { + t.Errorf("want 401, got %d", rec.Code) + } + if ct := rec.Header().Get("Content-Type"); ct != "application/json" { + t.Errorf("want Content-Type application/json, got %q", ct) + } + var body map[string]any + if err := json.NewDecoder(rec.Body).Decode(&body); err != nil { + t.Fatalf("response body is not valid JSON: %v", err) + } + if body["code"] != "UNAUTHENTICATED" { + t.Errorf("want code UNAUTHENTICATED, got %q", body["code"]) + } +} + func TestAuthMiddleware_RSAPublicKeyVerifier(t *testing.T) { verifier := NewRSAPublicKeyVerifier(&testRSAKey.PublicKey) pair, _ := IssueTokenPair(testRSA, "uid1", nil, testCfg) diff --git a/signer.go b/signer.go index 76765be..068c69c 100644 --- a/signer.go +++ b/signer.go @@ -42,7 +42,7 @@ func (s *hmacSigner) Verify(tokenString string) (*jwt.Token, error) { return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) } return s.secret, nil - }) + }, jwt.WithJSONNumber()) } // --- RSA (RS256) --- @@ -89,7 +89,7 @@ func (s *rsaSigner) Verify(tokenString string) (*jwt.Token, error) { return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) } return s.public, nil - }) + }, jwt.WithJSONNumber()) } // --- RSA public-key-only verifier --- @@ -129,5 +129,5 @@ func (v *rsaPublicVerifier) Verify(tokenString string) (*jwt.Token, error) { return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"]) } return v.public, nil - }) + }, jwt.WithJSONNumber()) }