Non-string claim values?

[spantaleev]

Looks like the following methods expect that claim values would be string, at least according to the docblocks:

• \ParagonIE\Paseto\Builder::setClaims()
• \ParagonIE\Paseto\JsonToken::setClaims()
• \ParagonIE\Paseto\JsonToken::set(string $claim, $value)
• \ParagonIE\Paseto\JsonToken::with(string $claim, $value)

Looks like these claims are ultimately serialized using json_encode here: https://github.com/paragonie/paseto/blob/a0134f9501a132192136886bf85f8ce3368e1787/src/Builder.php#L635

.. and deserialized here: https://github.com/paragonie/paseto/blob/a0134f9501a132192136886bf85f8ce3368e1787/src/Parser.php#L455

I've managed to store an array value in a claim just fine, but according to these docblocks, it's somewhat of a coincidence that it works. Looking at how JsonToken::set() and JsonToken::with() avoid typehinting $value and how deserializing expects arbitrary depths, however, I suppose that non-string claims are indeed supported.

It'd be nice if this confusion can be clarified and static analyzers (like phpstan) can be appeased.

[aidantwoods]

Related conversation. AFAIK there is an intent that this is supported, there's even an example of a nested structure in the spec.

[spantaleev]

Great! If the spec mentions it, then that's encouraging.

Fixing it on the PHP side shouldn't be too difficult. We can just replace string with mixed and even typehint the non-typehinted $value arguments with mixed. I believe that typehinting with mixed is PHP 8.0 only, so if PHP 7.1 compatibility is important (I guess it is), then this part can be skipped.

[aidantwoods]

I think this probably isn't a good enough reason on its own to drop PHP 7 support, so switching to mixed in the docblock sounds most sensible 😀

Do you want to open a PR to add this? I'd imagine it should be quite a straightforward one to get merged (especially since the typehints already allow this, would just be a docblock update I think).