Non-string claim values?
spantaleev opened this issue · comments
Looks like the following methods expect that claim values would be string, at least according to the docblocks:
\ParagonIE\Paseto\Builder::setClaims()
\ParagonIE\Paseto\JsonToken::setClaims()
\ParagonIE\Paseto\JsonToken::set(string $claim, $value)
\ParagonIE\Paseto\JsonToken::with(string $claim, $value)
Looks like these claims are ultimately serialized using json_encode here:
Line 635 in a0134f9
.. and deserialized here:
Line 455 in a0134f9
I've managed to store an array value in a claim just fine, but according to these docblocks, it's somewhat of a coincidence that it works. Looking at how JsonToken::set() and JsonToken::with() avoid typehinting $value and how deserializing expects arbitrary depths, however, I suppose that non-string claims are indeed supported.
It'd be nice if this confusion can be clarified and static analyzers (like phpstan) can be appeased.
Related conversation. AFAIK there is an intent that this is supported, there's even an example of a nested structure in the spec.
Great! If the spec mentions it, then that's encouraging.
Fixing it on the PHP side shouldn't be too difficult. We can just replace string with mixed and even typehint the non-typehinted $value arguments with mixed. I believe that typehinting with mixed is PHP 8.0 only, so if PHP 7.1 compatibility is important (I guess it is), then this part can be skipped.
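
The round-trip discussed in this issue, as an added example that is not part of the thread or of the Paseto code base: plain json_encode()/json_decode() stand in for the library's payload handling, and a consumer checks a claim's type before using it, since a decoded claim is effectively mixed. The claims are constructed sample data, requireStringClaim() is a hypothetical helper, and the decode arguments are an assumption.

```php
<?php
declare(strict_types=1);

// Constructed sample claims: a string, an integer and a nested array.
$claims = [
    'sub'   => 'user-1234',
    'level' => 3,
    'roles' => ['admin', ['scope' => 'billing', 'write' => true]],
];

// Stand-in for the token payload step (assumed flags, PHP 7.1 compatible).
$payload = json_encode($claims);
if ($payload === false) {
    throw new RuntimeException('encode failed: ' . json_last_error_msg());
}
$decoded = json_decode($payload, true, 512);
if (!is_array($decoded)) {
    throw new RuntimeException('decode failed: ' . json_last_error_msg());
}

// Nested and non-string values survive with their JSON types intact.
var_dump($decoded === $claims);

/**
 * Hypothetical helper: return a claim only if it is present and a string.
 *
 * @param array<string, mixed> $claims decoded claims
 */
function requireStringClaim(array $claims, string $name): string
{
    if (!array_key_exists($name, $claims)) {
        throw new OutOfBoundsException("missing claim: $name");
    }
    if (!is_string($claims[$name])) {
        throw new UnexpectedValueException(
            "claim $name is " . gettype($claims[$name]) . ', expected string'
        );
    }
    return $claims[$name];
}

echo requireStringClaim($decoded, 'sub'), PHP_EOL;
try {
    requireStringClaim($decoded, 'roles'); // array claim: rejected, not cast
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```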