fix: accept non-string values in Header extras #496
Open
kp-timo-beyel wants to merge 1 commit into Keats:master from
…ing, serde_json::Value>

The `extras` field on `Header` used `HashMap<String, String>`, which caused `decode_header` and `decode` to fail when the JWT header contained non-string values (e.g. `"uid": 180444`). Since JOSE headers can legitimately carry arbitrary JSON values in custom fields, this changes the type to `HashMap<String, serde_json::Value>` so that integers, booleans, arrays, and objects are accepted.

This is a breaking change for consumers that read from `Header.extras` directly — they now receive `serde_json::Value` instead of `String`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- `Header.extras` from `HashMap<String, String>` to `HashMap<String, serde_json::Value>`
- `decode_header`/`decode` now accept JWT headers with non-string custom fields (e.g. `"uid": 180444`)

Problem

When a JWT header contains a non-standard field with a non-string value such as:

```json
{"typ": "JWT", "alg": "RS256", "kid": "...", "uid": 180444}
```

`decode_header` fails with a deserialization error because serde cannot coerce the integer `180444` into a `String` for the `#[serde(flatten)] pub extras: HashMap<String, String>` field.

JOSE headers can legitimately carry arbitrary JSON values in custom fields, so the `extras` map should accept any JSON value.

Fix

Change the type of `Header.extras` from `HashMap<String, String>` to `HashMap<String, serde_json::Value>`.

Breaking change

Consumers that read from `Header.extras` directly now receive `serde_json::Value` instead of `String`. For string extras, `.as_str().unwrap()` (or pattern matching) is needed:

Test plan

- `decode_token_with_non_string_extra_header` verifies integer header values are accepted
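
An added example, not code from this pull request or from jsonwebtoken: reading extras from a `HashMap<String, Value>` so that a header field of an unexpected JSON type produces an error rather than the panic that `.as_str().unwrap()` gives on a non-string value. `Value` here is a std-only stand-in for `serde_json::Value` that mirrors its `as_str`/`as_u64` accessors; `ExtraError`, `extra_str`, `extra_u64`, `sample_extras` and the `tenant` field are hypothetical.

```rust
use std::collections::HashMap;

// Std-only stand-in for serde_json::Value (assumption: two variants suffice here);
// as_str/as_u64 mirror the accessors of the real type.
enum Value {
    String(String),
    Number(u64),
}

impl Value {
    fn as_str(&self) -> Option<&str> {
        if let Value::String(s) = self { Some(s.as_str()) } else { None }
    }
    fn as_u64(&self) -> Option<u64> {
        if let Value::Number(n) = self { Some(*n) } else { None }
    }
}

// Hypothetical error type: tells a missing extra apart from a mistyped one.
#[derive(Debug, PartialEq)]
enum ExtraError {
    Missing(&'static str),
    WrongType(&'static str),
}

// Hypothetical helper: a string extra, or an error (never a panic).
fn extra_str<'a>(extras: &'a HashMap<String, Value>, key: &'static str) -> Result<&'a str, ExtraError> {
    let value = extras.get(key).ok_or(ExtraError::Missing(key))?;
    value.as_str().ok_or(ExtraError::WrongType(key))
}

// Hypothetical helper: an unsigned integer extra such as "uid": 180444.
fn extra_u64(extras: &HashMap<String, Value>, key: &'static str) -> Result<u64, ExtraError> {
    let value = extras.get(key).ok_or(ExtraError::Missing(key))?;
    value.as_u64().ok_or(ExtraError::WrongType(key))
}

// Constructed sample: the "uid" extra from the description plus a made-up string field.
fn sample_extras() -> HashMap<String, Value> {
    HashMap::from([
        ("uid".to_string(), Value::Number(180444)),
        ("tenant".to_string(), Value::String("acme".to_string())),
    ])
}

fn main() {
    let extras = sample_extras();
    println!("{:?}", extra_u64(&extras, "uid"));
    println!("{:?}", extra_str(&extras, "uid")); // .as_str().unwrap() would panic here
}
```

The two helper bodies call only `get`, `as_str` and `as_u64`, so they carry over unchanged when `Value` is replaced with `serde_json::Value`.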