fix(httpauth-jwt): WithJSONNumber in Verify, JSON errors in AuthMiddleware, bump httpauth v1.0.2 (#1)

Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and
rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded
as json.Number instead of float64 — exact parsing for all integers including
math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and
overflow back to math.MinInt64 on cast to int64.

AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of
http.Error. Standardizes the error format across the full httpauth-* middleware stack:
AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth)
all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}.

Update two existing tests (TestIssueTokenPair_CustomClaims,
TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64
— they were correct before WithJSONNumber, now reflect the actual decoded type.

Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a
bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via
json.Number.Int64() — proving no float64 round-trip occurs.

Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is
Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}.

Bump httpauth dependency to v1.0.2.

Reviewed-on: #1
Co-authored-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
Co-committed-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
This commit was merged in pull request #1.
This commit is contained in:
2026-05-18 14:38:54 -06:00
committed by NOCHEBUENADEV
parent 9e29f60f67
commit 941b8972ed
6 changed files with 106 additions and 16 deletions

View File

@@ -3,6 +3,23 @@
All notable changes to `code.nochebuena.dev/go/httpauth-jwt` are documented here.
Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [1.0.2] — 2026-05-18
### Changed
- All three `Verify` implementations (`hmacSigner`, `rsaSigner`, `rsaPublicVerifier`)
now pass `jwt.WithJSONNumber()` to `jwt.Parse`. JWT numeric claims — including
permission mask bitmasks — are decoded as `json.Number` instead of `float64`,
preserving exact bit patterns for values up to and including `math.MaxInt64`.
- `AuthMiddleware` now returns JSON error bodies instead of plain-text `http.Error`
for missing/invalid/expired Bearer tokens. Uses `httpauth.WriteJSONError` — the
same helper as `EnrichmentMiddleware` and `AuthzMiddleware` — ensuring a consistent
`{"code":"UNAUTHENTICATED","message":"unauthorized"}` response across the full
middleware stack.
- Dependency `code.nochebuena.dev/go/httpauth` bumped to v1.0.2.
[1.0.2]: https://code.nochebuena.dev/go/httpauth-jwt/releases/tag/v1.0.2
## [1.0.0] — 2026-05-08
### Changed