Whitelist the allowed types in Meta Endpoint

Open joehoyle opened this issue 9 years ago • 3 comments

Currently we handle registering meta even if you register the type as anything other than boolean, number and string, however we don't currently have great ways to handle non-scalar meta. For now, let's whitelist these types and throw a doing_it_wrong if meta is registered with an invalid type.

joehoyle, Oct 11 '16 15:10

Is this a security issue? If it's not then I think just leave it as "no objects" or even "no objects which aren't stdClass obj". It's just that it will be far easier for people to use it, otherwise they're going to wonder how they're doing register_meta wrong.

tharsheblows, Oct 13 '16 15:10

It becomes more complex with nested objects, arrays etc, which is why I think we should stick to the scalar types at first. However, once we have (hopefully soon) support for recursively checking objects and arrays, then I think we'd allow them too. I'd like to be able to continue to cast all values to their correct types, and full validation on input. Right now, I could quite easily mess up security if I declared type array and put any object in it.

joehoyle, Oct 13 '16 16:10
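
An added sketch of the approach discussed in the comment above (not WP-API code and not posted by any participant in this thread): registration is limited to the three whitelisted scalar types, and incoming values are validated before being cast to the registered type. The function names, the registry array and the use of `trigger_error` as a stand-in for the doing_it_wrong notice are assumptions made for illustration.

```php
<?php
// Added illustration only. All function names and the registry are hypothetical.
const ALLOWED_META_TYPES = ['boolean', 'number', 'string'];

/** Refuse registration of any meta type outside the whitelist. */
function example_register_meta_type(array &$registry, string $key, string $type): bool
{
    if (!in_array($type, ALLOWED_META_TYPES, true)) {
        // Stand-in for the doing_it_wrong notice the issue proposes.
        trigger_error("Meta key '$key' registered with unsupported type '$type'", E_USER_NOTICE);
        return false;
    }
    $registry[$key] = $type;
    return true;
}

/** Validate an incoming value, then cast it to the registered type. */
function example_prepare_meta_value(array $registry, string $key, $value)
{
    if (!isset($registry[$key])) {
        throw new InvalidArgumentException("Meta key '$key' is not registered");
    }
    // Arrays and objects are rejected outright: nothing here checks them recursively.
    if (!is_scalar($value)) {
        throw new InvalidArgumentException("Meta key '$key' only accepts scalar values");
    }
    switch ($registry[$key]) {
        case 'boolean':
            $bool = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            if ($bool === null) {
                throw new InvalidArgumentException("Meta key '$key' expects a boolean");
            }
            return $bool;
        case 'number':
            if (!is_numeric($value)) {
                throw new InvalidArgumentException("Meta key '$key' expects a number");
            }
            return $value + 0; // numeric strings become int or float
        default:
            return (string) $value;
    }
}

// Constructed sample input.
$registry = [];
example_register_meta_type($registry, 'rating', 'number');
@example_register_meta_type($registry, 'settings', 'array'); // not whitelisted, so not stored
var_dump(example_prepare_meta_value($registry, 'rating', '4.5'));
```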

That makes sense. Could you wait on this for a few days? I have something that I did once that might fit and I know I looked at it once months and months ago. Might be a total bust admittedly.

tharsheblows, Oct 13 '16 22:10