auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License

Make JWT constants final values #604

Closed poovamraj closed 2 years ago

poovamraj commented 2 years ago

Changes

We have made all our constants final values, as this would allow us to use them at compile time. This should have been the right way from the beginning, as these are constants. This will be a breaking change where we make the fields final so they cannot be mutated. But this behaviour is not expected from the library users, hence we should be able to proceed.

References

https://github.com/auth0/java-jwt/issues/603

poovamraj commented 2 years ago

The build is failing because the fields were not final before. This would mean that these values could be changed by the library user. Hence the API Diff job is throwing an error.

But in reality, these values should not be changed and this wouldn't be a breaking change. (Even if users were changing the values of the variables, which is highly unlikely.) This should be the right way ahead.

jimmyjames commented 2 years ago

As the apiDiff build check indicates, this technically is a breaking change. It's also a bug that these fields are not marked final - as the fields correspond to the registered claims defined in RFC 7519, they should not be mutable. So, this fix is a good one.

As @poovamraj noted, it's not intended that these fields be modified, and such anticipated use is not expected. That said, we will need to mark this PR as breaking, clarify the PR description, and note so on the changelog so anyone who may be relying on this bug will be aware of changes required when this is released.
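
The following is an added illustration, not part of the pull request thread or the library's own code. It shows the two effects discussed above: a non-final `public static` claim name can be reassigned by any code in the JVM, and only a `final` field with a literal initializer is a compile-time constant. The class names `MutableClaims` and `FinalClaims`, the helper methods and the sample payload are hypothetical.

```java
import java.util.Map;

public class ClaimConstantsDemo {

    // Hypothetical holder in the "before" shape: public and static but not
    // final, so any class loaded in the same JVM can reassign the field.
    static class MutableClaims {
        public static String EXPIRES_AT = "exp";
    }

    // Hypothetical holder in the "after" shape: final Strings with literal
    // initializers are compile-time constants.
    static class FinalClaims {
        public static final String ISSUER = "iss";
        public static final String EXPIRES_AT = "exp";
    }

    // Verifier-style lookup that reads the shared field on every call.
    static Object expiryFrom(Map<String, Object> payload) {
        return payload.get(MutableClaims.EXPIRES_AT);
    }

    // Compile-time constants are accepted as switch case labels (and as
    // annotation values); javac rejects a non-final field in this position.
    static String describe(String claimName) {
        switch (claimName) {
            case FinalClaims.ISSUER:     return "issuer";
            case FinalClaims.EXPIRES_AT: return "expiration time";
            default:                     return "other claim";
        }
    }

    public static void main(String[] args) {
        // Constructed sample payload using the RFC 7519 registered names.
        Map<String, Object> payload =
                Map.of("iss", "https://issuer.example", "exp", 1700000000L);

        System.out.println("before reassignment: " + expiryFrom(payload));

        // Unrelated code reassigns the shared field; the same payload is now
        // queried under a key it does not contain.
        MutableClaims.EXPIRES_AT = "expires";
        System.out.println("after reassignment:  " + expiryFrom(payload));

        // FinalClaims.EXPIRES_AT = "expires";  // rejected by javac: final field
        System.out.println(describe("exp"));
    }
}
```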