frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0
122 stars 46 forks source link

How do I set unregistered claims without using the deprecated unregisteredClaims or addClaim methods? #116

Open ChrisPenner opened 1 year ago

ChrisPenner commented 1 year ago

The previous way to handle unregistered claims was to use these methods:

image

Which have both been deprecated, stating to "use a sub-type", which I assume means to define an instance of HasClaimsSet for some type I define; However, there doesn't appear to be any way to actually provide unregistered claims for a custom type, since there's no lens for unregistered claims in HasClaimsSet to implement in the instance, and there's no way to create a ClaimsSet record otherwise since the _unregisteredClaims field of ClaimsSet isn't exported.

I suppose I could use the FromJSON instance of ClaimsSet to implement HasClaimsSet without using any deprecated methods, but that definitely seems like taking the long-way around and would involve introducing a possible failure point in the decoding step.

Perhaps was an claimUnregistered :: Lens' a (Map Text Value) accidentally omitted from HasClaimsSet when the other methods were deprecated?

Thanks!

frasertweedale commented 1 year ago

image

The design decision I took was that non-RFC7159 claims processed (or produced) by an application should be defined as first-class fields of subtypes. There is a simple example at the top of https://hackage.haskell.org/package/jose-0.10/docs/Crypto-JWT.html (data Super). You should not need to use instance FromJSON ClaimsSet to define instance HasClaimsSet for the subtype. You also need to define FromJSON (if verifying) and ToJSON (if producing) for the subtype.

How you get and set the additional fields (claims) in the subtype is up to you. Lenses, ordinary field accessors, whatever you prefer. But there will no longer be a Map of unrecognised/unregistered claims.