• v1.0.2 941b8972ed

    Rene Nochebuena released this 2026-05-18 14:39:23 -06:00 | 0 commits to main since this release

    v1.0.2

    code.nochebuena.dev/go/httpauth-jwt

    Overview

    v1.0.2 adds jwt.WithJSONNumber() to all Verify implementations, standardizes
    AuthMiddleware error responses to JSON, and bumps the httpauth dependency to
    v1.0.2 to consume wildcard resource fallback, json.Number precision handling, and
    the shared WriteJSONError helper.

    No breaking changes. All v1.0.x consumers can upgrade with go get.

    What Changed Since v1.0.1

    jwt.WithJSONNumber() in all Verify implementations

    All three Verify implementations now pass jwt.WithJSONNumber() to jwt.Parse:

    • hmacSigner.Verify
    • rsaSigner.Verify
    • rsaPublicVerifier.Verify

    Without this option, the JWT library decodes all numbers as float64. float64
    cannot represent math.MaxInt64 = 9223372036854775807 exactly — it rounds to 2^63 = 9223372036854775808, which overflows back to math.MinInt64 when cast to int64.
    This would corrupt the ADMIN wildcard permission mask stored in JWT claims.

    With jwt.WithJSONNumber(), numbers are preserved as json.Number (a decimal string
    wrapper). json.Number.Int64() parses the exact value — no float64 round-trip, no
    overflow. httpauth.ClaimsPermissionProvider (v1.0.2) handles all three types —
    int64, float64, json.Number — so the chain is fully covered.

    JSON error body in AuthMiddleware

    AuthMiddleware now returns a structured JSON body for all 401 responses by calling
    httpauth.WriteJSONError. Previously it called http.Error which writes text/plain.

    The full middleware stack now produces consistent error responses:

    Middleware Condition Status Code
    AuthMiddleware Missing/invalid/expired token 401 UNAUTHENTICATED
    EnrichmentMiddleware No uid in context 401 UNAUTHENTICATED
    EnrichmentMiddleware Enricher returns error 500 INTERNAL
    AuthzMiddleware No identity in context 401 UNAUTHENTICATED
    AuthzMiddleware Permission denied or provider error 403 PERMISSION_DENIED

    Dependency bump

    code.nochebuena.dev/go/httpauth v1.0.1 → v1.0.2

    Migration

    No breaking changes. Callers that inspect decoded JWT claims should note that numeric
    values now come back as json.Number instead of float64.

    go get code.nochebuena.dev/go/httpauth-jwt@v1.0.2
    go get code.nochebuena.dev/go/httpauth@v1.0.2
    
    Downloads