atholbro
diff --git a/‎paseto/.api-validation/paseto.api‎
Lines changed: 133 additions & 138 deletions b/‎paseto/.api-validation/paseto.api‎
Lines changed: 133 additions & 138 deletions
diff --git a/‎paseto/src/main/kotlin/net/aholbrook/paseto/Footer.kt‎
Lines changed: 101 additions & 0 deletions b/‎paseto/src/main/kotlin/net/aholbrook/paseto/Footer.kt‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎paseto/src/main/kotlin/net/aholbrook/paseto/FooterSerde.kt‎
Lines changed: 153 additions & 0 deletions b/‎paseto/src/main/kotlin/net/aholbrook/paseto/FooterSerde.kt‎
Lines changed: 153 additions & 0 deletions
diff --git a/‎…ain/kotlin/net/aholbrook/paseto/Serde.kt‎ ‎…holbrook/paseto/PasetoTokenSerializer.kt‎paseto/src/main/kotlin/net/aholbrook/paseto/Serde.kt renamed to paseto/src/main/kotlin/net/aholbrook/paseto/PasetoTokenSerializer.kt
Lines changed: 4 additions & 44 deletions b/‎…ain/kotlin/net/aholbrook/paseto/Serde.kt‎ ‎…holbrook/paseto/PasetoTokenSerializer.kt‎paseto/src/main/kotlin/net/aholbrook/paseto/Serde.kt renamed to paseto/src/main/kotlin/net/aholbrook/paseto/PasetoTokenSerializer.kt
Lines changed: 4 additions & 44 deletions
@@ -0,0 +1,101 @@
+package net.aholbrook.paseto
+
+import kotlinx.serialization.json.JsonObject
+import kotlin.contracts.ExperimentalContracts
+import kotlin.contracts.InvocationKind
+import kotlin.contracts.contract
+
+sealed interface PasetoFooter
+
+@JvmInline
+value class StringFooter internal constructor(val value: String) : PasetoFooter
+
+@ConsistentCopyVisibility
+data class ClaimFooter internal constructor(
+    val keyId: String?, // kid
+    val wrappedKey: String?, // wpk
+    val claims: ClaimObject,
+) : PasetoFooter
+
+@PasetoDslMarker
+class ClaimFooterBuilder @PublishedApi internal constructor() {
+    var keyId: String? = null // kid
+    var wrappedKey: String? = null // wpk
+    private var claims: ClaimObject = ClaimObject()
+
+    @OptIn(ExperimentalContracts::class)
+    fun claims(init: ClaimObjectBuilder.() -> Unit) {
+        contract { callsInPlace(init, InvocationKind.EXACTLY_ONCE) }
+
+        val builder = ClaimObjectBuilder()
+        builder.init()
+        claims = builder.build()
+    }
+
+    fun claims(claims: ClaimObject) {
+        this.claims = claims
+    }
+
+    @PublishedApi
+    internal fun build(): ClaimFooter = ClaimFooter(
+        keyId = keyId,
+        wrappedKey = wrappedKey,
+        claims = claims,
+    )
+}
+
+fun footer(footer: String) = StringFooter(footer)
+
+@OptIn(ExperimentalContracts::class)
+inline fun footer(init: ClaimFooterBuilder.() -> Unit): ClaimFooter {
+    contract { callsInPlace(init, InvocationKind.EXACTLY_ONCE) }
+    return ClaimFooterBuilder().apply(init).build()
+}
+
+/**
+ * A Paseto footer extracted from a token which has not been cryptographically verified. It is therefore possible that
+ * a [TaintedPasetoFooter] has been tampered with.
+ *
+ * This is useful when the footer is used to carry information required to verify the key, like a key id (kid) claim.
+ */
+sealed interface TaintedPasetoFooter
+
+@JvmInline
+value class TaintedStringFooter(val value: String) : TaintedPasetoFooter
+
+@ConsistentCopyVisibility
+data class TaintedClaimFooter internal constructor(
+    val keyId: String?, // kid
+    val wrappedKey: String?, // wpk
+    val claims: ClaimObject,
+) : TaintedPasetoFooter
+
+/**
+ * Converts a [PasetoFooter] to it's [TaintedPasetoFooter] variant.
+ *
+ * This can be used to compare an [TaintedClaimFooter] against a [ClaimFooter] built using the [footer] builder.
+ * @receiver A [PasetoFooter] instance to turn taint.
+ * @return A [TaintedPasetoFooter] representation of the given [PasetoFooter].
+ */
+fun PasetoFooter.taint(): TaintedPasetoFooter? = when (this) {
+    is ClaimFooter -> TaintedClaimFooter(keyId, wrappedKey, claims)
+    is StringFooter -> TaintedStringFooter(value)
+}
+
+/**
+ * Escape hatch for direct access to the footer's claims as a [JsonObject].
+ *
+ * This is an internal API because it couples the caller to the `kotlinx.serialization` JSON implementation.
+ * It may change or be removed without notice if the underlying serialization strategy changes.
+ */
+@InternalApi
+fun ClaimFooter.claimsJson(): JsonObject = claims.toJson() as JsonObject
+
+/**
+ * Escape hatch for direct access to the footer's claims as a [JsonObject].
+ *
+ * This is an internal API because it couples the caller to the `kotlinx.serialization` JSON implementation.
+ * It may change or be removed without notice if the underlying serialization strategy changes.
+ */
+@InternalApi
+fun TaintedClaimFooter.claimsJson(): JsonObject = claims.toJson() as JsonObject
@@ -0,0 +1,153 @@
+package net.aholbrook.paseto
+
+import kotlinx.serialization.KSerializer
+import kotlinx.serialization.SerializationException
+import kotlinx.serialization.descriptors.SerialDescriptor
+import kotlinx.serialization.descriptors.buildClassSerialDescriptor
+import kotlinx.serialization.encoding.Decoder
+import kotlinx.serialization.encoding.Encoder
+import kotlinx.serialization.json.Json
+import kotlinx.serialization.json.JsonDecoder
+import kotlinx.serialization.json.JsonEncoder
+import kotlinx.serialization.json.JsonObject
+import kotlinx.serialization.json.JsonPrimitive
+import kotlinx.serialization.json.buildJsonObject
+import kotlinx.serialization.json.contentOrNull
+import kotlinx.serialization.json.jsonObject
+import kotlinx.serialization.json.jsonPrimitive
+import net.aholbrook.paseto.exception.FooterExceedsMaxDepthException
+import net.aholbrook.paseto.exception.FooterExceedsMaxKeysException
+import net.aholbrook.paseto.exception.FooterExceedsMaxLengthException
+import net.aholbrook.paseto.exception.FooterJsonParseException
+import net.aholbrook.paseto.protocol.jsonCountDepthAndKeys
+
+/**
+ * Determines how token footer text is interpreted when decoding.
+ *
+ * - [AUTO]: Treat object-like footer text (`{...}`) as JSON claims when possible;
+ *   otherwise fall back to a plain string footer.
+ * - [CLAIMS]: Require a valid JSON claims footer and fail if parsing/validation fails.
+ * - [STRING]: Always treat footer text as plain string data (no claims parsing).
+ */
+enum class FooterParseMode {
+    /**
+     * Parse object-like footer text as claims, throwing on depth/key limit violations and falling back to
+     * [StringFooter] on parse failure.
+     */
+    AUTO,
+
+    /**
+     * Require footer to be valid claims JSON; throw on parse/validation errors.
+     */
+    CLAIMS,
+
+    /**
+     * Always decode footer as plain string.
+     */
+    STRING,
+}
+
+internal data class FooterOptions(
+    val parseMode: FooterParseMode = FooterParseMode.AUTO,
+    val maxLength: Int = 8192,
+    val maxDepth: Int = 2,
+    val maxKeys: Int = 512,
+)
+
+@PasetoDslMarker
+class FooterOptionsBuilder @PublishedApi internal constructor() {
+    var parseMode: FooterParseMode = FooterParseMode.AUTO
+    var maxLength: Int = 8192
+    var maxDepth: Int = 2
+    var maxKeys: Int = 512
+
+    internal fun build(): FooterOptions = FooterOptions(
+        parseMode = parseMode,
+        maxLength = maxLength,
+        maxDepth = maxDepth,
+        maxKeys = maxKeys,
+    )
+}
+
+internal fun Json.encodeFooter(footerOptions: FooterOptions, footer: PasetoFooter): String {
+    val encoded = when (footer) {
+        is ClaimFooter -> encodeToString(ClaimFooterSerializer, footer)
+        is StringFooter -> footer.value
+    }
+
+    footerOptions.validateFooter(encoded)
+    return encoded
+}
+
+internal fun Json.decodeFooter(footerOptions: FooterOptions, footer: String): PasetoFooter {
+    footerOptions.validateFooter(footer)
+
+    return when (footerOptions.parseMode) {
+        FooterParseMode.AUTO -> try {
+            decodeFromString(ClaimFooterSerializer, footer)
+        } catch (_: Exception) {
+            StringFooter(footer)
+        }
+
+        FooterParseMode.CLAIMS -> try {
+            decodeFromString(ClaimFooterSerializer, footer)
+        } catch (ex: Exception) {
+            throw FooterJsonParseException(ex.message, ex)
+        }
+
+        FooterParseMode.STRING -> StringFooter(footer)
+    }
+}
+
+private fun String.isJsonObject(): Boolean = trim().let { it.startsWith("{") && it.endsWith("}") }
+
+private fun FooterOptions.validateFooter(footer: String?) {
+    if (footer == null) return
+
+    if (footer.length > maxLength) throw FooterExceedsMaxLengthException(footer.length, maxLength)
+    if (parseMode == FooterParseMode.STRING) return
+    if (parseMode == FooterParseMode.AUTO && !footer.isJsonObject()) return
+
+    val (depth, keys) = jsonCountDepthAndKeys(footer)
+    if (depth > maxDepth) throw FooterExceedsMaxDepthException(depth, maxDepth)
+    if (keys > maxKeys) throw FooterExceedsMaxKeysException(keys, maxKeys)
+}
+
+internal object ClaimFooterSerializer : KSerializer<ClaimFooter> {
+    private val reserved = setOf("kid", "wpk")
+
+    override val descriptor: SerialDescriptor = buildClassSerialDescriptor("ClaimFooter")
+
+    override fun deserialize(decoder: Decoder): ClaimFooter {
+        when (val element = (decoder as JsonDecoder).decodeJsonElement()) {
+            is JsonObject -> {
+                fun take(name: String) = element.jsonObject[name]?.jsonPrimitive?.contentOrNull
+
+                val claims = buildJsonObject {
+                    element.jsonObject.filterNot { it.key in reserved }.forEach { put(it.key, it.value) }
+                }
+
+                return ClaimFooter(
+                    keyId = take("kid"),
+                    wrappedKey = take("wpk"),
+                    claims = claims.toClaim() as ClaimObject,
+                )
+            }
+
+            else -> throw SerializationException("expected object, got $element")
+        }
+    }
+
+    override fun serialize(encoder: Encoder, value: ClaimFooter) {
+        val output = encoder as JsonEncoder
+        val element = buildJsonObject {
+            value.keyId?.let { put("kid", JsonPrimitive(it)) }
+            value.wrappedKey?.let { put("wpk", JsonPrimitive(it)) }
+
+            (value.claims.toJson() as JsonObject)
+                .filterNot { it.key in reserved }
+                .forEach { (k, v) -> put(k, v) }
+        }
+        output.encodeJsonElement(element)
+    }
+}
@@ -1,7 +1,6 @@
 package net.aholbrook.paseto
 
 import kotlinx.serialization.KSerializer
-import kotlinx.serialization.SerializationException
 import kotlinx.serialization.descriptors.SerialDescriptor
 import kotlinx.serialization.descriptors.buildClassSerialDescriptor
 import kotlinx.serialization.encoding.Decoder
@@ -20,12 +19,12 @@ import java.time.format.DateTimeFormatter
 
 private val RFC3339_FORMATTER = DateTimeFormatter.ofPattern("uuuu-MM-dd'T'HH:mm:ss'Z'").withZone(ZoneOffset.UTC)
 
-internal object PasetoTokenSerializer : KSerializer<PasetoToken> {
+internal object PasetoTokenSerializer : KSerializer<Token> {
     private val reserved = setOf("iss", "sub", "aud", "exp", "nbf", "iat", "jti")
 
     override val descriptor: SerialDescriptor = buildClassSerialDescriptor("PasetoToken")
 
-    override fun deserialize(decoder: Decoder): PasetoToken {
+    override fun deserialize(decoder: Decoder): Token {
         val obj = (decoder as JsonDecoder).decodeJsonElement().jsonObject
 
         fun take(name: String) = obj[name]?.jsonPrimitive?.contentOrNull
@@ -36,7 +35,7 @@ internal object PasetoTokenSerializer : KSerializer<PasetoToken> {
             obj.filterNot { it.key in reserved }.forEach { put(it.key, it.value) }
         }
 
-        return PasetoToken(
+        return Token(
             issuer = take("iss"),
             subject = take("sub"),
             audience = take("aud"),
@@ -49,7 +48,7 @@ internal object PasetoTokenSerializer : KSerializer<PasetoToken> {
         )
     }
 
-    override fun serialize(encoder: Encoder, value: PasetoToken) {
+    override fun serialize(encoder: Encoder, value: Token) {
         val output = encoder as JsonEncoder
 
         val obj = buildJsonObject {
@@ -75,42 +74,3 @@ internal object PasetoTokenSerializer : KSerializer<PasetoToken> {
         output.encodeJsonElement(obj)
     }
 }
-
-internal object ClaimFooterSerializer : KSerializer<ClaimFooter> {
-    private val reserved = setOf("kid", "wpk")
-
-    override val descriptor: SerialDescriptor = buildClassSerialDescriptor("ClaimFooter")
-
-    override fun deserialize(decoder: Decoder): ClaimFooter {
-        when (val element = (decoder as JsonDecoder).decodeJsonElement()) {
-            is JsonObject -> {
-                fun take(name: String) = element.jsonObject[name]?.jsonPrimitive?.contentOrNull
-
-                val claims = buildJsonObject {
-                    element.jsonObject.filterNot { it.key in reserved }.forEach { put(it.key, it.value) }
-                }
-
-                return ClaimFooter(
-                    keyId = take("kid"),
-                    wrappedKey = take("wpk"),
-                    claims = claims.toClaim() as ClaimObject,
-                )
-            }
-
-            else -> throw SerializationException("expected object, got $element")
-        }
-    }
-
-    override fun serialize(encoder: Encoder, value: ClaimFooter) {
-        val output = encoder as JsonEncoder
-        val element = buildJsonObject {
-            value.keyId?.let { put("kid", JsonPrimitive(it)) }
-            value.wrappedKey?.let { put("wpk", JsonPrimitive(it)) }
-
-            (value.claims.toJson() as JsonObject)
-                .filterNot { it.key in reserved }
-                .forEach { (k, v) -> put(k, v) }
-        }
-        output.encodeJsonElement(element)
-    }
-}