fix(httpauth-jwt): WithJSONNumber in Verify, JSON errors in AuthMiddleware, bump httpauth v1.0.2 (#1)
Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and
rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded
as json.Number instead of float64 — exact parsing for all integers including
math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and
overflow back to math.MinInt64 on cast to int64.
AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of
http.Error. Standardizes the error format across the full httpauth-* middleware stack:
AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth)
all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}.
Update two existing tests (TestIssueTokenPair_CustomClaims,
TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64
— they were correct before WithJSONNumber, now reflect the actual decoded type.
Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a
bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via
json.Number.Int64() — proving no float64 round-trip occurs.
Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is
Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}.
Bump httpauth dependency to v1.0.2.
Reviewed-on: #1
Co-authored-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
Co-committed-by: Rene Nochebuena Guerrero <rene@nochebuena.dev>
This commit was merged in pull request #1.
This commit is contained in:
@@ -42,7 +42,7 @@ func (s *hmacSigner) Verify(tokenString string) (*jwt.Token, error) {
|
||||
return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])
|
||||
}
|
||||
return s.secret, nil
|
||||
})
|
||||
}, jwt.WithJSONNumber())
|
||||
}
|
||||
|
||||
// --- RSA (RS256) ---
|
||||
@@ -89,7 +89,7 @@ func (s *rsaSigner) Verify(tokenString string) (*jwt.Token, error) {
|
||||
return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])
|
||||
}
|
||||
return s.public, nil
|
||||
})
|
||||
}, jwt.WithJSONNumber())
|
||||
}
|
||||
|
||||
// --- RSA public-key-only verifier ---
|
||||
@@ -129,5 +129,5 @@ func (v *rsaPublicVerifier) Verify(tokenString string) (*jwt.Token, error) {
|
||||
return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])
|
||||
}
|
||||
return v.public, nil
|
||||
})
|
||||
}, jwt.WithJSONNumber())
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user