added serde to grant types #162
Conversation
| #[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)] | ||
| #[serde(tag = "type")] |
There was a problem hiding this comment.
For this type, there's a security concern when serializing Private since this may leak information rather unwittingly. I suppose it's okay overall but may be a paper cut when using the library. Just as a smoke-test, are there any alternatives that mitigate or avoid the risk?
There was a problem hiding this comment.
Indeed that is an issue. As a quick fix we can ignore it during serialization, but if we rely on serialization to store them on the server like with sqlx json it will work improperly and since that is my usecase for the serialization i kept it in.
Ideally it would serialize, but there would be a function to sanitize it before sending it to a user.
It's a double edged sword but i would err on the safer side with a serde skip indeed
This adds serde to the grant types
I license past and future contributions under the dual MIT/Apache-2.0 license, allowing licensees to chose either at their option.