Skip to content

Latest commit

 

History

History
962 lines (659 loc) · 63.5 KB

CHANGELOG.md

File metadata and controls

962 lines (659 loc) · 63.5 KB

Changelog

v3.0.0 (NEXT)

Full Changelog

Breaking changes:

  • Require token signature to be verified before accessing payload #648 (@anakinj)
  • Drop support for the HS512256 algorithm #650 (@anakinj)
  • Remove deprecated claim verification methods #654 (@anakinj)
  • Remove dependency to rbnacl #655 (@anakinj)
  • Support only stricter base64 decoding (RFC 4648) #658 (@anakinj)
  • Custom algorithms are required to include JWT::JWA::SigningAlgorithm #660 (@anakinj)
  • Require RSA keys to be at least 2048 bits #661 (@anakinj)
  • Base64 encode and decode the k value for HMAC JWKs #662 (@anakinj)

Take a look at the upgrade guide for more details.

Features:

  • JWT::EncodedToken#verify! method that bundles signature and claim validation #647 (@anakinj)
  • Do not override the alg header if already given #659 (@anakinj)
  • Make JWK::KeyFinder compatible with JWT::EncodedToken #663 (@anakinj)
  • Your contribution here

Fixes and enhancements:

  • Ruby 3.4 to CI matrix #649 (@anakinj)
  • Your contribution here

v2.10.1 (2024-12-26)

Full Changelog

Fixes and enhancements:

v2.10.0 (2024-12-25)

Full Changelog

Features:

  • JWT::Token and JWT::EncodedToken for signing and verifying tokens #621 (@anakinj)
  • Detached payload support for JWT::Token and JWT::EncodedToken #630 (@anakinj)
  • Skip decoding payload if b64 header is present and false #631 (@anakinj)
  • Remove a few custom Rubocop configs #638 (@anakinj)

Fixes and enhancements:

  • Deprecation warnings for deprecated methods and classes #629 (@anakinj)
  • Improved documentation for public apis #629 (@anakinj)
  • Use correct methods when raising error during signing/verification with EdDSA #633
  • Fix JWT::EncodedToken behavior with empty string as token #640 (@ragalie)
  • Deprecation warnings for rbnacl backed functionality #641 (@anakinj)

v2.9.3 (2024-10-03)

Full Changelog

Fixes and enhancements:

  • Return truthy value for ::JWT::ClaimsValidator#validate! and ::JWT::Verify.verify_claims #628 (@anakinj)

v2.9.2 (2024-10-03)

Full Changelog

Features:

Fixes and enhancements:

  • Updated README to correctly document OpenSSL::HMAC documentation #617 (@aedryan)
  • Verify JWT header format #622 (@304)
  • Bring back ::JWT::ClaimsValidator, ::JWT::Verify and a few other removed interfaces for preserved backwards compatibility #624 (@anakinj)

v2.9.1 (2024-09-23)

Full Changelog

Fixes and enhancements:

  • Fix regression in iss and aud claim validation #619 (@anakinj)

v2.9.0 (2024-09-15)

Full Changelog

Features:

Fixes and enhancements:

v2.8.2 (2024-06-18)

Full Changelog

Fixes and enhancements:

v2.8.1 (2024-02-29)

Full Changelog

Features:

Fixes and enhancements:

v2.8.0 (2024-02-17)

Full Changelog

Features:

  • Updated rubocop to 1.56 #573 (@anakinj)
  • Run CI on Ruby 3.3 #577 (@anakinj)
  • Deprecation warning added for the HMAC algorithm HS512256 (HMAC-SHA-512 truncated to 256-bits) #575 (@anakinj)
  • Stop using RbNaCl for standard HMAC algorithms #575 (@anakinj)

Fixes and enhancements:

  • Fix signature has expired error if payload is a string #555 (@GobinathAL)
  • Fix key base equality and spaceship operators #569 (@magneland)
  • Remove explicit base64 require from x5c_key_finder #580 (@anakinj)
  • Performance improvements and cleanup of tests #581 (@anakinj)
  • Repair EC x/y coordinates when importing JWK #585 (@julik)
  • Explicit dependency to the base64 gem #582 (@anakinj)
  • Deprecation warning for decoding content not compliant with RFC 4648 #582 (@anakinj)
  • Algorithms moved under the ::JWT::JWA module (@anakinj)

v2.7.1 (2023-06-09)

Full Changelog

Fixes and enhancements:

v2.7.0 (2023-02-01)

Full Changelog

Features:

Fixes and enhancements:

  • Fix issue with multiple keys returned by keyfinder and multiple allowed algorithms #545 (@mpospelov)
  • Non-string kid header values are now rejected #543 (@bellebaum)

v2.6.0 (2022-12-22)

Full Changelog

Features:

Fixes and enhancements:

  • Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 #530 (@jonmchan)

v2.5.0 (2022-08-25)

Full Changelog

Features:

Fixes and enhancements:

  • Bring back the old Base64 (RFC2045) deocode mechanisms #488 (@anakinj)
  • Rescue RbNaCl exception for EdDSA wrong key #491 (@n-studio)
  • New parameter name for cases when kid is not found using JWK key loader proc #501 (@anakinj)
  • Fix NoMethodError when a 2 segment token is missing 'alg' header #502 (@cmrd-senya)

v2.4.1 (2022-06-07)

Full Changelog

Fixes and enhancements:

v2.4.0 (2022-06-06)

Full Changelog

Features:

Fixes and enhancements:

v2.3.0 (2021-10-03)

Full Changelog

Closed issues:

  • [SECURITY] Algorithm Confusion Through kid Header #440
  • JWT to memory #436
  • ArgumentError: wrong number of arguments (given 2, expected 1) #429
  • HMAC section of README outdated #421
  • NoMethodError: undefined method `zero?' for nil:NilClass if JWT has no 'alg' field #410
  • Release new version #409
  • NameError: uninitialized constant JWT::JWK #403

Merged pull requests:

v2.2.3 (2021-04-19)

Full Changelog

Implemented enhancements:

  • Verify algorithm before evaluating keyfinder #343
  • Why jwt depends on json < 2.0 ? #179
  • Support for JWK in-lieu of rsa_public #158
  • Fix rspec raise_error warning #413 (excpt)
  • Add support for JWKs with HMAC key type. #372 (phlegx)
  • Improve 'none' algorithm handling #365 (danleyden)
  • Handle parsed JSON JWKS input with string keys #348 (martinemde)
  • Allow Numeric values during encoding #327 (fanfilmu)

Closed issues:

  • "Signature verification raised", yet jwt.io says "Signature Verified" #401
  • truffleruby-head build is failing #396
  • JWT::JWK::EC needs require 'forwardable' #392
  • How to use a 'signing key' as used by next-auth #389
  • undefined method `verify' for nil:NilClass when validate a JWT with JWK #383
  • Make specifying "algorithm" optional on decode #380
  • ADFS created access tokens can't be validated due to missing 'kid' header #370
  • new version? #355
  • JWT gitlab OmniAuth provider setup support #354
  • Release with support for RSA.import for ruby < 2.4 hasn't been released #347
  • cannot load such file -- jwt #339

Merged pull requests:

v2.2.2 (2020-08-18)

Full Changelog

Implemented enhancements:

  • JWK does not decode. #332
  • Inconsistent use of symbol and string keys in args (exp and alrogithm). #331
  • Pin simplecov to < 0.18 #356 (anakinj)
  • verifies algorithm before evaluating keyfinder #346 (jb08)
  • Update Rails 6 appraisal to use actual release version #336 (smudge)
  • Update Travis #326 (berkos)
  • Improvement/encode hmac without key #312 (JotaSe)

Fixed bugs:

  • v2.2.1 warning: already initialized constant JWT Error #335
  • 2.2.1 is no longer raising JWT::DecodeError on nil verification key #328
  • Fix algorithm picking from decode options #359 (excpt)
  • Raise error when verification key is empty #358 (anakinj)

Closed issues:

  • JWT RSA: is it possible to encrypt using the public key? #366
  • Example unsigned token that bypasses verification #364
  • Verify exp claim/field even if it's not present #363
  • Decode any token #360
  • [question] example of using a pub/priv keys for signing? #351
  • JWT::ExpiredSignature raised for non-JSON payloads #350
  • verify_aud only verifies that at least one aud is expected #345
  • Sinatra 4.90s TTFB #344
  • How to Logout #342
  • jwt token decoding even when wrong token is provided for some letters #337
  • Need to use symbolize_keys everywhere! #330
  • eval() used in Forwardable limits usage in iOS App Store #324
  • HS512256 OpenSSL Exception: First num too large #322
  • Can we change the separator character? #321
  • Verifying iat without leeway may break with poorly synced clocks #319
  • Adding support for 'hd' hosted domain string #314
  • There is no "typ" header in version 2.0.0 #233

Merged pull requests:

v2.2.1 (2019-05-24)

Full Changelog

Fixed bugs:

  • need to require 'forwardable' to use Forwardable #316
  • Add forwardable dependency for JWK RSA KeyFinder #317 (excpt)

Merged pull requests:

v2.2.0 (2019-05-23)

Full Changelog

Closed issues:

  • misspelled es512 curve name #310
  • With Base64 decode i can read the hashed content #306
  • hide post-it's for graphviz views #303

Merged pull requests:

v2.2.0.pre.beta.0 (2019-03-20)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • Inconsistent handling of payload claim data types #282
  • Issued at validation #247
  • Fix bug and simplify segment validation #292 (anakinj)

Security fixes:

  • Decoding JWT with ES256 and secp256k1 curve #277

Closed issues:

  • RS256, public and private keys #291
  • Allow passing current time to decode #288
  • Verify exp claim without verifying jwt #281
  • Audience as an array - how to specify? #276
  • signature validation using decode method for JWT #271
  • JWT is easily breakable #267
  • Ruby JWT Token #265
  • ECDSA supported algorithms constant is defined as a string, not an array #264
  • NoMethodError: undefined method `group' for <xxxxx> #261
  • 'DecodeError'will replace 'ExpiredSignature' #260
  • TypeError: no implicit conversion of OpenSSL::PKey::RSA into String #259
  • NameError: uninitialized constant JWT::Algos::Eddsa::RbNaCl #258
  • Get new token if curren token expired #256
  • Infer algorithm from header #254
  • Why is the result of decode is an array? #252
  • Add support for headless token #251
  • Leeway or exp_leeway #215
  • Could you describe purpose of cert fixtures and their cryptokey lengths. #185

Merged pull requests:

v2.1.0 (2017-10-06)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • JWT.encode failing on encode for string #235
  • The README says it uses an algorithm by default #226
  • Fix string payload issue #236 (excpt)

Security fixes:

Closed issues:

  • Change from 1.5.6 to 2.0.0 and appears a "Completed 401 Unauthorized" #240
  • Why doesn't the decode function use a default algorithm? #227

Merged pull requests:

v2.0.0 (2017-09-03)

Full Changelog

Fixed bugs:

  • Support versions outside 2.1 #209
  • Verifying expiration without leeway throws exception #206
  • Ruby interpreter warning #200
  • TypeError: no implicit conversion of String into Integer #188
  • Fix JWT.encode(nil) #203 (tmm1)

Closed issues:

  • Possibility to disable claim verifications #222
  • Proper way to verify Firebase id tokens #216

Merged pull requests:

v2.0.0.beta1 (2017-02-27)

Full Changelog

Implemented enhancements:

Fixed bugs:

  • ruby-jwt::raw_to_asn1: Fails for signatures less than byte_size #155
  • The leeway parameter is applies to all time based verifications #129
  • Make algorithm option required to verify signature #184 (EmilioCristalli)
  • Validate audience when payload is a scalar and options is an array #183 (steti)

Closed issues:

  • Different encoded value between servers with same password #197
  • Signature is different at each run #190
  • Include custom headers with password #189
  • can't create token - 'NotImplementedError: Unsupported signing method' #186
  • Cannot verify JWT at all?? #177
  • verify_iss: true is raising JWT::DecodeError instead of JWT::InvalidIssuerError #170

Merged pull requests:

v1.5.6 (2016-09-19)

Full Changelog

Fixed bugs:

  • Fix missing symbol handling in aud verify code #166 (excpt)

Merged pull requests:

v1.5.5 (2016-09-16)

Full Changelog

Implemented enhancements:

  • JWT.decode always raises JWT::ExpiredSignature for tokens created with Time objects passed as the exp parameter #148

Fixed bugs:

  • expiration check does not give "Signature has expired" error for the exact time of expiration #157
  • JTI claim broken? #152
  • Audience Claim broken? #151
  • 1.5.3 breaks compatibility with 1.5.2 #133
  • Version 1.5.3 breaks 1.9.3 compatibility, but not documented as such #132
  • Fix: exp claim check #161 (excpt)

Security fixes:

  • [security] Signature verified after expiration/sub/iss checks #153
  • Signature validation before claim verification #160 (excpt)

Closed issues:

  • Rendering Json Results in JWT::DecodeError #162
  • PHP Libraries #154
  • Is ruby-jwt thread-safe? #150
  • JWT 1.5.3 #143
  • gem install v 1.5.3 returns error #141
  • Adding a CHANGELOG #140

Merged pull requests:

v1.5.4 (2016-03-24)

Full Changelog

Closed issues:

Merged pull requests:

v1.5.3 (2016-02-24)

Full Changelog

Implemented enhancements:

  • Refactor obsolete code for ruby 1.8 support #120
  • Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb #106
  • Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb #105
  • Allow a proc to be passed for JTI verification #126 (yahooguntu)
  • Relax restrictions on "jti" claim verification #113 (lwe)

Closed issues:

  • Verifications not functioning in latest release #128
  • Base64 is generating invalid length base64 strings - cross language interop #127
  • Digest::Digest is deprecated; use Digest #119
  • verify_rsa no method 'verify' for class String #115
  • Add a changelog #111

Merged pull requests:

jwt-1.5.2 (2015-10-27)

Full Changelog

Implemented enhancements:

  • Must we specify algorithm when calling decode to avoid vulnerabilities? #107
  • Code review: Rspec test refactoring #85 (excpt)

Fixed bugs:

  • aud verifies if aud is passed in, :sub does not #102
  • iat check does not use leeway so nbf could pass, but iat fail #83

Closed issues:

  • Test ticket from Code Climate #104
  • Test ticket from Code Climate #100
  • Is it possible to decode the payload without validating the signature? #97
  • What is audience? #96
  • Options hash uses both symbols and strings as keys. #95

Merged pull requests:

jwt-1.5.1 (2015-06-22)

Full Changelog

Implemented enhancements:

  • Fix either README or source code #78
  • Validate against draft 20 #38

Fixed bugs:

  • ECDSA signature verification fails for valid tokens #84
  • Shouldn't verification of additional claims, like iss, aud etc. be enforced when in options? #81
  • decode fails with 'none' algorithm and verify #75

Closed issues:

  • Doc mismatch: uninitialized constant JWT::ExpiredSignature #79
  • TypeError when specifying a wrong algorithm #77
  • jti verification doesn't prevent replays #73

Merged pull requests:

  • Correctly sign ECDSA JWTs #87 (jurriaan)
  • fixed results of decoded tokens in readme #86 (piscolomo)
  • Force verification of "iss" and "aud" claims #82 (lwe)

jwt-1.5.0 (2015-05-09)

Full Changelog

Implemented enhancements:

  • Needs to support asymmetric key signatures over shared secrets #46
  • Implement Elliptic Curve Crypto Signatures #74 (jtdowney)
  • Add an option to verify the signature on decode #71 (javawizard)

Closed issues:

  • Check JWT vulnerability #76

Merged pull requests:

  • Fixed some examples to make them copy-pastable #72 (jer)

jwt-1.4.1 (2015-03-12)

Full Changelog

Fixed bugs:

  • jti verification not working per the spec #68
  • Verify ISS should be off by default #66

Merged pull requests:

  • Fix #66 #68 #69 (excpt)
  • When throwing errors, mention expected/received values #65 (rolodato)

jwt-1.4.0 (2015-03-10)

Full Changelog

Closed issues:

  • The behavior using 'json' differs from 'multi_json' #41

Merged pull requests:

jwt-1.3.0 (2015-02-24)

Full Changelog

Closed issues:

  • Signature Verification to Return Verification Error rather than decode error #57
  • Incorrect readme for leeway #55
  • What is the reason behind stripping the = in base64 encoding? #54
  • Preperations for version 2.x #50
  • Release a new version #47
  • Catch up for ActiveWhatever 4.1.1 series #40

Merged pull requests:

  • raise verification error for signiture verification #58 (punkle)
  • Added support for not before claim verification #56 (punkle)

jwt-1.2.1 (2015-01-22)

Full Changelog

Closed issues:

  • JWT.encode({"exp": 10}, "secret") #52
  • JWT.encode({"exp": 10}, "secret") #51

Merged pull requests:

  • Accept expiration claims as string #53 (yarmand)

jwt-1.2.0 (2014-11-24)

Full Changelog

Closed issues:

  • set token to expire #42

Merged pull requests:

jwt-0.1.13 (2014-05-08)

Full Changelog

Closed issues:

  • yanking of version 0.1.12 causes issues #39
  • Semantic versioning #37
  • Update gem to get latest changes #36

jwt-1.0.0 (2014-05-07)

Full Changelog

Closed issues:

  • API request - JWT::decoded_header() #26

Merged pull requests:

jwt-0.1.11 (2014-01-17)

Full Changelog

Closed issues:

  • url safe encode and decode #28
  • Release #27

Merged pull requests:

jwt-0.1.10 (2014-01-10)

Full Changelog

Closed issues:

  • change to signature of JWT.decode method #14

Merged pull requests:

jwt-0.1.8 (2013-03-14)

Full Changelog

Merged pull requests:

jwt-0.1.7 (2013-03-07)

Full Changelog

Merged pull requests:

  • Catch MultiJson::LoadError and reraise as JWT::DecodeError #16 (rwygand)

jwt-0.1.6 (2013-03-05)

Full Changelog

Merged pull requests:

  • Fixes a theoretical timing attack #15 (mgates)
  • Use StandardError as parent for DecodeError #13 (Oscil8)

jwt-0.1.5 (2012-07-20)

Full Changelog

Closed issues:

  • Unable to specify signature header fields #7

Merged pull requests:

jwt-0.1.4 (2011-11-11)

Full Changelog

Merged pull requests:

jwt-0.1.3 (2011-06-30)

Full Changelog

Closed issues:

  • signatures calculated incorrectly (hexdigest instead of digest) #1

Merged pull requests:

* This Changelog was automatically generated by github_changelog_generator