Skip to content

Commit

Permalink
Preserve insertion order for claims (#656)
Browse files Browse the repository at this point in the history
Co-authored-by: Jim Anderson <[email protected]>
  • Loading branch information
snago and jimmyjames authored Mar 27, 2023
1 parent a18955b commit e85a00a
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 5 deletions.
8 changes: 4 additions & 4 deletions lib/src/main/java/com/auth0/jwt/JWTCreator.java
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,8 @@ public static class Builder {
private final Map<String, Object> headerClaims;

Builder() {
this.payloadClaims = new HashMap<>();
this.headerClaims = new HashMap<>();
this.payloadClaims = new LinkedHashMap<>();
this.headerClaims = new LinkedHashMap<>();
}

/**
Expand Down Expand Up @@ -112,7 +112,7 @@ public Builder withHeader(String headerClaimsJson) throws IllegalArgumentExcepti
}

try {
Map<String, Object> headerClaims = mapper.readValue(headerClaimsJson, HashMap.class);
Map<String, Object> headerClaims = mapper.readValue(headerClaimsJson, LinkedHashMap.class);
return withHeader(headerClaims);
} catch (JsonProcessingException e) {
throw new IllegalArgumentException("Invalid header JSON", e);
Expand Down Expand Up @@ -508,7 +508,7 @@ public Builder withPayload(String payloadClaimsJson) throws IllegalArgumentExcep
}

try {
Map<String, Object> payloadClaims = mapper.readValue(payloadClaimsJson, HashMap.class);
Map<String, Object> payloadClaims = mapper.readValue(payloadClaimsJson, LinkedHashMap.class);
return withPayload(payloadClaims);
} catch (JsonProcessingException e) {
throw new IllegalArgumentException("Invalid payload JSON", e);
Expand Down
49 changes: 48 additions & 1 deletion lib/src/test/java/com/auth0/jwt/JWTCreatorTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.ECDSAKeyProvider;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
Expand Down Expand Up @@ -1010,4 +1010,51 @@ public void shouldCreatePayloadWithNullForList() {
assertThat(jwt, is(notNullValue()));
assertTrue(JWT.decode(jwt).getClaim("name").isNull());
}

@Test
public void shouldPreserveInsertionOrder() throws Exception {
String taxonomyJson = "{\"class\": \"mammalia\", \"order\": \"carnivora\", \"family\": \"canidae\", \"genus\": \"vulpes\"}";
List<String> taxonomyClaims = Arrays.asList("class", "order", "family", "genus");
List<String> headerInsertionOrder = new ArrayList<>(taxonomyClaims);
Map<String, Object> header = new LinkedHashMap<>();
for (int i = 0; i < 10; i++) {
String key = "h" + i;
header.put(key, "v" + 1);
headerInsertionOrder.add(key);
}

List<String> payloadInsertionOrder = new ArrayList<>(taxonomyClaims);
JWTCreator.Builder builder = JWTCreator.init()
.withHeader(taxonomyJson)
.withHeader(header)
.withPayload(taxonomyJson);
for (int i = 0; i < 10; i++) {
String name = "c" + i;
builder = builder.withClaim(name, "v" + i);
payloadInsertionOrder.add(name);
}
String signed = builder.sign(Algorithm.HMAC256("secret"));

assertThat(signed, is(notNullValue()));
String[] parts = signed.split("\\.");
Base64.Decoder urlDecoder = Base64.getUrlDecoder();
String headerJson = new String(urlDecoder.decode(parts[0]), StandardCharsets.UTF_8);
String payloadJson = new String(urlDecoder.decode(parts[1]), StandardCharsets.UTF_8);

ObjectMapper objectMapper = new ObjectMapper();

List<String> headerFields = new ArrayList<>();
objectMapper.readValue(headerJson, ObjectNode.class)
.fieldNames().forEachRemaining(headerFields::add);
headerFields.retainAll(headerInsertionOrder);
assertThat("Header insertion order should be preserved",
headerFields, is(equalTo(headerInsertionOrder)));

List<String> payloadFields = new ArrayList<>();
objectMapper.readValue(payloadJson, ObjectNode.class)
.fieldNames().forEachRemaining(payloadFields::add);
payloadFields.retainAll(payloadInsertionOrder);
assertThat("Claim insertion order should be preserved",
payloadFields, is(equalTo(payloadInsertionOrder)));
}
}

0 comments on commit e85a00a

Please sign in to comment.