paragonie / paseto

Platform-Agnostic Security Tokens

Home Page:https://paseto.io


Non-string claim values?

spantaleev opened this issue · comments

Looks like the following methods expect that claim values would be strings, at least according to the docblocks:

  • \ParagonIE\Paseto\Builder::setClaims()
  • \ParagonIE\Paseto\JsonToken::setClaims()
  • \ParagonIE\Paseto\JsonToken::set(string $claim, $value)
  • \ParagonIE\Paseto\JsonToken::with(string $claim, $value)

Looks like these claims are ultimately serialized using json_encode here:

$claims = json_encode($claimsArray, JSON_FORCE_OBJECT);

... and deserialized here:

$claims = json_decode($decoded, true, ($this->maxClaimDepth ?? 512));

I've managed to store an array value in a claim just fine, but according to these docblocks, it's somewhat of a coincidence that it works. Looking at how JsonToken::set() and JsonToken::with() avoid typehinting $value and how deserializing expects arbitrary depths, however, I suppose that non-string claims are indeed supported.

It'd be nice if this confusion could be clarified and static analyzers (like phpstan) could be appeased.

Related conversation. AFAIK there is an intent that this is supported, there's even an example of a nested structure in the spec.

Great! If the spec mentions it, then that's encouraging.

Fixing it on the PHP side shouldn't be too difficult. We can just replace string with mixed and even typehint the non-typehinted $value arguments with mixed. I believe that typehinting with mixed is PHP 8.0 only, so if PHP 7.1 compatibility is important (I guess it is), then this part can be skipped.
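The following is an added example, not paseto's own code, showing what the json_encode()/json_decode() calls quoted above do to a non-string claim value: a PHP list round-trips, but on the wire JSON_FORCE_OBJECT turns it into an object, and the depth limit rejects over-nested input. The function names and the sample claims are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Same call as the library's serializer. JSON_FORCE_OBJECT is applied
 * recursively, so a list like ['admin','editor'] is written as
 * {"0":"admin","1":"editor"} rather than ["admin","editor"].
 * @param array<string, mixed> $claims
 */
function encodeClaims(array $claims): string
{
    $json = json_encode($claims, JSON_FORCE_OBJECT);
    if ($json === false) { // e.g. nesting beyond json_encode's own depth limit
        throw new RuntimeException('claims not serializable: ' . json_last_error_msg());
    }
    return $json;
}

/**
 * Same call as the library's parser. json_decode() returns null both for
 * malformed JSON and when nesting exceeds $maxClaimDepth, so the error code
 * is checked rather than the return value alone.
 * @return array<string, mixed>
 */
function decodeClaims(string $json, int $maxClaimDepth = 512): array
{
    $claims = json_decode($json, true, $maxClaimDepth);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($claims)) {
        throw new RuntimeException('claims not decodable: ' . json_last_error_msg());
    }
    return $claims;
}

/** Encode and decode once; true when PHP sees the same value back. */
function roundTrips(array $claims): bool
{
    // Numeric object keys become integer array keys again on decode, which
    // is why a list survives the object encoding inside PHP.
    return decodeClaims(encodeClaims($claims)) === $claims;
}

// Constructed sample: a string claim next to a list and a nested array claim.
$claims = [
    'sub'   => 'user-123',
    'roles' => ['admin', 'editor'],
    'meta'  => ['nested' => ['depth' => 3]],
];
echo encodeClaims($claims), PHP_EOL;                 // note the "0"/"1" keys
var_dump(roundTrips($claims));
try {
    decodeClaims(encodeClaims($claims), 1);          // limit too small for nested claims
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Consumers in other languages will receive the list as a JSON object, so a claim schema shared across implementations should not rely on list-versus-object shape.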