o1egl / paseto

Platform-Agnostic Security Tokens implementation in GO (Golang)
MIT License

naming json tags in struct claims breaks unmarshalling #25

Closed costela closed 4 years ago

costela commented 4 years ago

Hi,

Thanks for the package!

I believe I found a problem with custom claims, specifically when using a struct as a custom claim with a field named via json tags.

To reproduce:

package main

import (
    "encoding/base64"
    "encoding/json"
    "fmt"

    "github.com/o1egl/paseto/v2"
)

type someClaim struct {
    Foo string `json:"foox"`
}

func main() {
    secret, _ := base64.StdEncoding.DecodeString("vQVOM5M6dUftMNhwkvjTX3ObFupqzRrYMSc/IM9hZ2M=")

    tokenIn := &paseto.JSONToken{}
    tokenIn.Set("someclaim", &someClaim{Foo: "nonempty"})

    tokenInStr, _ := paseto.Encrypt(secret, tokenIn, "")

    tokenOut := &paseto.JSONToken{}
    paseto.Decrypt(tokenInStr, secret, tokenOut, nil)

    var someClaim someClaim
    tokenOut.Get("someclaim", &someClaim)
    out, _ := json.Marshal(someClaim)
    fmt.Printf("claim: %s\n", out)

    tokenOutStr, _ := tokenOut.MarshalJSON()
    fmt.Printf("token: %s\n", tokenOutStr)
}

Expected:

claim: {"foox":"nonempty"}
token: {"someclaim":{"foox":"nonempty"}}

Got:

claim: {"foox":""}
token: {"someclaim":{"foox":"nonempty"}}

Removing the json:"foox" tag fixes the issue, but this is of course not ideal.

Cheers

o1egl commented 4 years ago

@costela thank you for helping me to improve the lib. I fixed that bug in v2.1.1
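A regression guard for the symptom reported above, added here as an example; it is not part of the thread or of the paseto code base. The helper name `claimMatchesToken` is hypothetical, and the inputs are the token JSON and the two claim values shown in the report. It fails closed when a decoded claim no longer matches what the token carries, so an authorization check never runs on a silently zeroed struct.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// someClaim is the struct from the report: Go field Foo, JSON key "foox".
type someClaim struct {
	Foo string `json:"foox"`
}

// claimMatchesToken (hypothetical helper) re-encodes a decoded claim and compares
// it with the raw claim inside the token JSON. Assumption: the struct models every
// field of the claim and uses no omitempty, otherwise the comparison is too strict.
func claimMatchesToken(tokenJSON []byte, name string, decoded interface{}) error {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(tokenJSON, &claims); err != nil {
		return fmt.Errorf("token payload: %w", err)
	}
	raw, ok := claims[name]
	if !ok {
		return fmt.Errorf("claim %q not present in token", name)
	}
	reencoded, err := json.Marshal(decoded)
	if err != nil {
		return fmt.Errorf("claim %q: %w", name, err)
	}
	// Compare parsed values, not bytes, so key order and whitespace do not matter.
	var want, got interface{}
	if err := json.Unmarshal(raw, &want); err != nil {
		return fmt.Errorf("claim %q: %w", name, err)
	}
	if err := json.Unmarshal(reencoded, &got); err != nil {
		return fmt.Errorf("claim %q: %w", name, err)
	}
	if !reflect.DeepEqual(want, got) {
		return fmt.Errorf("claim %q decoded as %s but token carries %s", name, reencoded, raw)
	}
	return nil
}

func main() {
	token := []byte(`{"someclaim":{"foox":"nonempty"}}`) // "token:" line from the report
	fmt.Println("expected case:", claimMatchesToken(token, "someclaim", someClaim{Foo: "nonempty"}))
	fmt.Println("reported case:", claimMatchesToken(token, "someclaim", someClaim{})) // Foo came back empty
}
```
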