fix(httpauth-jwt): WithJSONNumber in Verify, JSON errors in AuthMiddleware, bump httpauth v1.0.2 #1

Merged
Rene Nochebuena merged 1 commits from fix/httpauth-jwt-v1.0.2 into main 2026-05-18 14:38:54 -06:00

Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and
rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded
as json.Number instead of float64 — exact parsing for all integers including
math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and
overflow back to math.MinInt64 on cast to int64.

AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of
http.Error. Standardizes the error format across the full httpauth-* middleware stack:
AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth)
all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}.

Update two existing tests (TestIssueTokenPair_CustomClaims,
TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64
— they were correct before WithJSONNumber, now reflect the actual decoded type.

Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a
bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via
json.Number.Int64() — proving no float64 round-trip occurs.

Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is
Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}.

Bump httpauth dependency to v1.0.2.

Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded as json.Number instead of float64 — exact parsing for all integers including math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and overflow back to math.MinInt64 on cast to int64. AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of http.Error. Standardizes the error format across the full httpauth-* middleware stack: AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth) all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}. Update two existing tests (TestIssueTokenPair_CustomClaims, TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64 — they were correct before WithJSONNumber, now reflect the actual decoded type. Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via json.Number.Int64() — proving no float64 round-trip occurs. Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}. Bump httpauth dependency to v1.0.2.
Rene Nochebuena added 1 commit 2026-05-18 14:38:46 -06:00
Pass jwt.WithJSONNumber() to jwt.Parse in hmacSigner.Verify, rsaSigner.Verify, and
rsaPublicVerifier.Verify. JWT numbers (including permission bitmasks) are now decoded
as json.Number instead of float64 — exact parsing for all integers including
math.MaxInt64 (the ADMIN wildcard mask). Float64 would round MaxInt64 to 2^63 and
overflow back to math.MinInt64 on cast to int64.

AuthMiddleware now calls httpauth.WriteJSONError for all 401 responses instead of
http.Error. Standardizes the error format across the full httpauth-* middleware stack:
AuthMiddleware (httpauth-jwt), EnrichmentMiddleware, and AuthzMiddleware (httpauth)
all produce {"code":"UNAUTHENTICATED"|"PERMISSION_DENIED"|"INTERNAL","message":"..."}.

Update two existing tests (TestIssueTokenPair_CustomClaims,
TestRefreshTokenPair_CustomClaimsInNewToken) to assert json.Number instead of float64
— they were correct before WithJSONNumber, now reflect the actual decoded type.

Add TestVerify_JSONNumberPreservesMaxInt64: issues a token with math.MaxInt64 as a
bitmask, verifies it, and asserts the decoded value is exactly math.MaxInt64 via
json.Number.Int64() — proving no float64 round-trip occurs.

Add TestAuthMiddleware_UnauthorizedJSON: asserts the 401 response is
Content-Type: application/json with body {"code":"UNAUTHENTICATED","message":"..."}.

Bump httpauth dependency to v1.0.2.
Rene Nochebuena requested review from CoreDevelopers 2026-05-18 14:38:46 -06:00
Rene Nochebuena requested review from Agents 2026-05-18 14:38:46 -06:00
Rene Nochebuena merged commit 941b8972ed into main 2026-05-18 14:38:54 -06:00
Rene Nochebuena deleted branch fix/httpauth-jwt-v1.0.2 2026-05-18 14:38:54 -06:00
Sign in to join this conversation.
No Reviewers
go/CoreDevelopers
go/Agents
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: go/httpauth-jwt#1