Thanks for maintaining this project!
We have a use case where we serialize and deserialize a set of claims to and from JSON several times before finally passing a map[string]interface{} to Builder.Claims().
Simplified:
var claims map[string]interface{}
// encoding/json decodes every JSON number in a map[string]interface{} as float64
_ = json.Unmarshal([]byte(`{"timestamp": 1723559693}`), &claims)
_, _ = jwt.Signed(signer).Claims(claims).CompactSerialize()
// ...
go-jose will serialize the timestamp as 1.723559693e+9 rather than 1723559693. This can confuse downstream consumers which expect integers for certain fields (timestamps in particular).
go-jose uses the forked encoding/json standard library from Go 1.6 according to the documentation.
Go 1.8 changed the behavior when serializing integral numbers:
Marshal encodes floating-point numbers using the same format as in ES6, preferring decimal (not exponential) notation for a wider range of values. In particular, all floating-point integers up to 2^64 format the same as the equivalent int64 representation.
One solution might be bumping the forked version to that of at least Go 1.8.
Another option is to use
import jjson "github.com/go-jose/go-jose/v3/json"
// ...
dec := jjson.NewDecoder(bytes.NewReader(jsonPayload))
// decode integral JSON numbers as int64 and only non-integral ones as float64
dec.SetNumberType(jjson.UnmarshalIntOrFloat)
var claims map[string]interface{}
err := dec.Decode(&claims)
rather than the standard library in strategic places.
I understand JSON marshaling/unmarshaling is security-sensitive and touching this code is risky. However, a forked stdlib version from over 8 years ago is probably also not ideal.
This ticket is not meant as an immediate call to action, but more of a reminder in the backlog.
Best,
Arne
Related:
#105
square/go-jose#353
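The float64 round trip described in the issue, with the two mitigations a caller can apply before handing claims to the builder, as an added example that is not the issue author's code nor part of go-jose: the standard library's json.Decoder.UseNumber (the stdlib counterpart of the forked decoder's SetNumberType) keeps each number's original text, and a normalization pass converts integral float64 claims such as timestamps back to int64 so any encoder prints them in plain decimal. The sample payload is constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"math"
)

// decodeClaimsPreservingNumbers decodes a JSON object into a generic map but
// keeps every number as json.Number (its original text) instead of float64,
// so a later re-encoding cannot turn 1723559693 into 1.723559693e+9.
func decodeClaimsPreservingNumbers(payload []byte) (map[string]interface{}, error) {
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.UseNumber()
	var claims map[string]interface{}
	if err := dec.Decode(&claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// normalizeIntegralClaims rewrites float64 values that are whole numbers
// (e.g. a timestamp that already went through a float64 round trip) as int64,
// which every JSON encoder emits in decimal form. Values outside the range
// float64 represents exactly (|x| >= 2^53) and non-integral floats are kept as-is.
func normalizeIntegralClaims(claims map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(claims))
	for k, v := range claims {
		if f, ok := v.(float64); ok && f == math.Trunc(f) && math.Abs(f) < 1<<53 {
			out[k] = int64(f)
			continue
		}
		out[k] = v
	}
	return out
}

func main() {
	// constructed sample claim set
	payload := []byte(`{"iat": 1723559693, "exp": 1723563293, "sub": "alice", "ratio": 0.5}`)
	var naive map[string]interface{}
	_ = json.Unmarshal(payload, &naive)
	fmt.Printf("stdlib Unmarshal: iat is %T\n", naive["iat"]) // float64
	preserved, _ := decodeClaimsPreservingNumbers(payload)
	fmt.Printf("UseNumber decoder: iat is %T\n", preserved["iat"]) // json.Number
	b, _ := json.Marshal(normalizeIntegralClaims(naive))
	fmt.Println(string(b)) // integral claims come out as plain integers
}
```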