Builder toString() return claims as JSON array instead of object on v2 public mode
shuLhan opened this issue · comments
Shulhan commented
Environment
- Paseto v1.0.3
- PHP v7.4.10
Steps to reproduce
The following code may reproduce it (the actual code to verify it is in Go [1]; I tried to reproduce it in PHP as closely as possible):
use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Keys\AsymmetricSecretKey;
use ParagonIE\Paseto\Purpose;

// 64-byte Ed25519 secret key (seed || public key), base64-encoded
$b64privateKey =
"cdYaGhnvzHnFRusKavzKrk11pQTaLzRYfKfh67maUTKCJzIh3PeV/XvucsTR50qIOo2Xk+LzSWUSogDgZuI0BA==";
$privateKey = base64_decode($b64privateKey);
$sendingKey = new AsymmetricSecretKey($privateKey, null);
$builder = new Builder(null, null, $sendingKey);
$builder = $builder->setPurpose(new Purpose("public"));
$token = $builder->toString();
// v2.public token layout: "v2.public." . base64url(message || signature)
$pieces = explode(".", $token);
// base64url (RFC 4648 section 5, unpadded) to standard base64 before decoding
$sm = base64_decode(strtr(rtrim($pieces[2], "="), '-_', '+/'));
// the Ed25519 signature is the last 64 bytes; everything before it is the message
$got = substr($sm, 0, strlen($sm) - 64);
echo "got message: $got\n";
Expected value
got message: {}
Actual value
got message: []
Section 6 says that "All PASETO payloads MUST be a JSON object [RFC8259]."
RFC 7519 (JSON Web Token) [2] mentions that all claims are optional, and draft v01 [3] does not mention that one of the claims must be filled, so the claims to be transported should be "{}", not "[]".
--
[1] https://github.com/shuLhan/share/blob/master/lib/paseto/paseto.go#L292
[2] https://tools.ietf.org/html/rfc7519#section-4.1
[3] https://github.com/paragonie/paseto/blob/master/docs/RFC/draft-paragon-paseto-rfc-01.txt#L920
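The root cause described above is a PHP serialisation quirk: an empty PHP array carries no information about whether it was a list or a map, so json_encode() emits "[]" for it. The following is an added example, not code from paragonie/paseto or from the issue author; the helper names encodeClaims() and decodeClaims() are assumptions for illustration. It shows the empty-array case beside a cast that always yields a JSON object, and the receiver-side check that Section 6 of the draft implies (reject any payload whose top-level value is not a JSON object).

```php
<?php
declare(strict_types=1);

// Added example (not paragonie/paseto code): force "{}" for an empty claim set
// on the sending side, and reject non-object payloads on the receiving side.

/**
 * Encode a claims array so the result is always a JSON object, even when it
 * is empty. json_encode([]) yields "[]" because PHP cannot distinguish an
 * empty list from an empty map; casting to stdClass removes the ambiguity.
 * Non-empty string-keyed arrays already encode as objects.
 */
function encodeClaims(array $claims): string
{
    return json_encode((object) $claims, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

/**
 * Receiver-side check for "All PASETO payloads MUST be a JSON object".
 * Decoding with $assoc = false keeps the distinction: a JSON object becomes
 * stdClass, a JSON array becomes a PHP array. With $assoc = true both "{}"
 * and "[]" would decode to an empty PHP array and the check would be lost.
 */
function decodeClaims(string $payload): array
{
    $decoded = json_decode($payload, false, 512, JSON_THROW_ON_ERROR);
    if (!($decoded instanceof stdClass)) {
        throw new UnexpectedValueException('PASETO payload must be a JSON object');
    }
    return (array) $decoded;
}

// Constructed inputs for demonstration (not real tokens).
// The first call reproduces the bare-array output reported in the issue;
// the second and third show the object form Section 6 requires.
var_dump(json_encode([]));
var_dump(encodeClaims([]));
var_dump(encodeClaims(['sub' => 'alice', 'exp' => '2020-12-31T00:00:00+00:00']));

// Receiver side: the empty object and a populated object are accepted,
// the empty array is rejected.
foreach (['{}', '{"exp":"2020-12-31T00:00:00+00:00"}', '[]'] as $payload) {
    try {
        $claims = decodeClaims($payload);
        printf("%-40s accepted (%d claims)\n", $payload, count($claims));
    } catch (UnexpectedValueException $e) {
        printf("%-40s rejected: %s\n", $payload, $e->getMessage());
    }
}
```

The (object) cast is preferable to JSON_FORCE_OBJECT here: the flag would also turn every nested list-valued claim (for example an audience list) into an object, whereas the cast only affects the top-level claim set, which is the one thing the spec constrains.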