workos/workos-go

Remove dependency on gjson?

Closed this issue · 2 comments

workos-go depends on gjson in internal/workos/http.go. gjson is used there to retrieve a field from a JSON payload, which would be just a couple of lines using the stdlib only... Pulling 3rd party deps means everyone using the WorkOS Go SDK pulls them too, which in turn increases the risk of vulnerabilities ending up in our binaries (e.g. GHSA-w942-gw6m-p62c - in this case not really a problem if you only parse JSON coming from WorkOS).

Easy fix to remove gjson:

diff --git a/internal/workos/http.go b/internal/workos/http.go
index c4702bc..da03b62 100644
--- a/internal/workos/http.go
+++ b/internal/workos/http.go
@@ -1,11 +1,10 @@
 package workos
 
 import (
+       "encoding/json"
        "fmt"
        "io/ioutil"
        "net/http"
-
-       "github.com/tidwall/gjson"
 )
 
 // TryGetHTTPError returns an error when the http response contains invalid
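Review bot: minor and unrelated to the gjson removal, but since the import block is being touched: the retained `"io/ioutil"` import has been deprecated since Go 1.16 in favour of `io.ReadAll`, so a follow-up could drop it at the same time the external dependency goes.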
@@ -20,7 +19,7 @@ func TryGetHTTPError(r *http.Response) error {
        body, err := ioutil.ReadAll(r.Body)
        if err != nil {
                msg = err.Error()
-       } else if m := gjson.GetBytes(body, "message").Str; m != "" {
+       } else if m := getJSONErrorMessage(body); m != "" {
                msg = m
        } else {
                msg = string(body)
@@ -34,6 +33,16 @@ func TryGetHTTPError(r *http.Response) error {
        }
 }
 
+func getJSONErrorMessage(b []byte) string {
+       var response struct{ Message string }
+
+       if err := json.Unmarshal(b, &response); err != nil {
+               return ""
+       }
+
+       return response.Message
+}
+
 // HTTPError represents an http error.
 type HTTPError struct {
        Code      int
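Review bot: the anonymous struct in `var response struct{ Message string }` relies on encoding/json's case-insensitive field matching to pick up the lowercase `message` key; an explicit tag, `var response struct{ Message string \`json:"message"\` }`, documents the intended key. Note that matching stays case-insensitive in encoding/json even with the tag, so a `Message` or `MESSAGE` key is now also accepted where gjson's exact path `message` was not; harmless for WorkOS responses but worth knowing. Behaviour for a non-string `message` value is preserved: `json.Unmarshal` returns an `UnmarshalTypeError`, the function returns "", and the caller falls back to the raw body, exactly as gjson's `.Str` returning "" did.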

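As an added, self-contained illustration of the stdlib-only approach proposed above (example code written for this page, not the SDK's own): the same "message" extraction as in the patch, plus a bounded body read so an oversized error response cannot be buffered in full, exercised against constructed responses that cover the edge cases a reviewer would ask about (success status, well-formed error, non-string `message`, non-JSON body). The names `messageFromJSON`, `tryGetHTTPError`, `fakeResponse` and the 64 KiB cap are assumptions made for the example; the early return on 2xx mirrors what the SDK's `TryGetHTTPError` is assumed to do.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// maxErrorBody caps how much of an error response body is read before
// parsing. Assumption made for this example: error payloads are small, so a
// server that streams an enormous body cannot make the client buffer it all.
const maxErrorBody = 64 << 10 // 64 KiB

// HTTPError mirrors the shape of the SDK's error type closely enough for the
// example: status code plus the message extracted from the body.
type HTTPError struct {
	Code    int
	Message string
}

func (e HTTPError) Error() string {
	return fmt.Sprintf("http %d: %s", e.Code, e.Message)
}

// messageFromJSON pulls the top-level "message" field out of a JSON body using
// only encoding/json. It returns "" when the body is not a JSON object, or
// when "message" is absent or not a string, which is what
// gjson.GetBytes(body, "message").Str returned before the change.
func messageFromJSON(body []byte) string {
	var payload struct {
		Message string `json:"message"`
	}
	if err := json.Unmarshal(body, &payload); err != nil {
		return ""
	}
	return payload.Message
}

// tryGetHTTPError returns nil for 2xx responses and an HTTPError otherwise.
// Message comes from the JSON "message" field when present, falling back to
// the (length-capped) raw body text, as the SDK's function does.
func tryGetHTTPError(r *http.Response) error {
	if r.StatusCode >= 200 && r.StatusCode < 300 {
		return nil
	}
	var msg string
	body, err := io.ReadAll(io.LimitReader(r.Body, maxErrorBody))
	if err != nil {
		msg = err.Error()
	} else if m := messageFromJSON(body); m != "" {
		msg = m
	} else {
		msg = string(body)
	}
	return HTTPError{Code: r.StatusCode, Message: msg}
}

// fakeResponse builds an *http.Response from constructed sample data so the
// example runs without a network.
func fakeResponse(status int, body string) *http.Response {
	return &http.Response{
		StatusCode: status,
		Body:       io.NopCloser(strings.NewReader(body)),
	}
}

func main() {
	// Constructed sample responses, not real WorkOS output.
	samples := []struct {
		status int
		body   string
	}{
		{200, `{"message":"ignored on success"}`},
		{401, `{"message":"Unauthorized","code":"invalid_api_key"}`},
		{400, `{"message":42}`},            // non-string message: raw body is used
		{502, `<html>Bad Gateway</html>`},  // not JSON at all: raw body is used
	}
	for _, s := range samples {
		fmt.Printf("%d -> %v\n", s.status, tryGetHTTPError(fakeResponse(s.status, s.body)))
	}
}
```

The non-string and non-JSON cases both end up in the raw-body fallback because `json.Unmarshal` reports an error for them; that is the same observable behaviour the patch has, so the dependency can be dropped without changing what callers see.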
Hey @abustany, thanks for opening this issue.

This has been resolved and we no longer depend on gjson in v1.2.1 of the SDK.

Great, thanks for the quick turnaround!