Preserve insertion order for claims

snago · snago · commit 2050c030bd49 · 2023-03-25T10:51:40.000+01:00
diff --git a/lib/src/main/java/com/auth0/jwt/JWTCreator.java b/lib/src/main/java/com/auth0/jwt/JWTCreator.java
@@ -71,8 +71,8 @@ public static class Builder {
         private final Map<String, Object> headerClaims;
 
         Builder() {
-            this.payloadClaims = new HashMap<>();
-            this.headerClaims = new HashMap<>();
+            this.payloadClaims = new LinkedHashMap<>();
+            this.headerClaims = new LinkedHashMap<>();
         }
 
         /**
diff --git a/lib/src/test/java/com/auth0/jwt/JWTCreatorTest.java b/lib/src/test/java/com/auth0/jwt/JWTCreatorTest.java
@@ -4,6 +4,7 @@
 import com.auth0.jwt.interfaces.ECDSAKeyProvider;
 import com.auth0.jwt.interfaces.RSAKeyProvider;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
@@ -938,4 +939,46 @@ public void shouldCreatePayloadWithNullForList() {
         assertThat(jwt, is(notNullValue()));
         assertTrue(JWT.decode(jwt).getClaim("name").isNull());
     }
+
+    @Test
+    public void shouldPreserveInsertionOrder() throws Exception {
+        List<String> headerInsertionOrder = new ArrayList<>();
+        Map<String, Object> header = new LinkedHashMap<>();
+        for (int i = 0; i < 10; i++) {
+            String key = "h" + i;
+            header.put(key, "v" + 1);
+            headerInsertionOrder.add(key);
+        }
+
+        List<String> payloadInsertionOrder = new ArrayList<>();
+        JWTCreator.Builder builder = JWTCreator.init().withHeader(header);
+        for (int i = 0; i < 10; i++) {
+            String name = "c" + i;
+            builder = builder.withClaim(name, "v" + i);
+            payloadInsertionOrder.add(name);
+        }
+        String signed = builder.sign(Algorithm.HMAC256("secret"));
+
+        assertThat(signed, is(notNullValue()));
+        String[] parts = signed.split("\\.");
+        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
+        String headerJson = new String(urlDecoder.decode(parts[0]), StandardCharsets.UTF_8);
+        String payloadJson = new String(urlDecoder.decode(parts[1]), StandardCharsets.UTF_8);
+
+        ObjectMapper objectMapper = new ObjectMapper();
+
+        List<String> headerFields = new ArrayList<>();
+        objectMapper.readValue(headerJson, ObjectNode.class)
+                .fieldNames().forEachRemaining(headerFields::add);
+        headerFields.retainAll(headerInsertionOrder);
+        assertThat("Header insertion order should be preserved",
+                headerFields, is(equalTo(headerInsertionOrder)));
+
+        List<String> payloadFields = new ArrayList<>();
+        objectMapper.readValue(payloadJson, ObjectNode.class)
+                .fieldNames().forEachRemaining(payloadFields::add);
+        payloadFields.retainAll(payloadInsertionOrder);
+        assertThat("Claim insertion order should be preserved",
+                payloadFields, is(equalTo(payloadInsertionOrder)));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -71,8 +71,8 @@ public static class Builder {`
`71`	`71`	`private final Map<String, Object> headerClaims;`
`72`	`72`
`73`	`73`	`Builder() {`
`74`		`- this.payloadClaims = new HashMap<>();`
`75`		`- this.headerClaims = new HashMap<>();`
	`74`	`+ this.payloadClaims = new LinkedHashMap<>();`
	`75`	`+ this.headerClaims = new LinkedHashMap<>();`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`/**`