Releases: jwt/ruby-jwt
jwt-2.5.0
Features:
Fixes and enhancements:
- Bring back the old Base64 (RFC2045) decode mechanisms #488 (@anakinj).
- Rescue RbNaCl exception for EdDSA wrong key #491 (@n-studio).
- New parameter name for cases when kid is not found using JWK key loader proc #501 (@anakinj).
- Fix NoMethodError when a 2 segment token is missing 'alg' header #502 (@cmrd-senya).
- Support OpenSSL >= 3.0 #496 (@anakinj).
jwt-2.4.1
v2.4.1 (2022-06-07)
Fixes and enhancements:
- Raise JWT::DecodeError on invalid signature #484 (@freakyfelt!).
jwt-2.4.0
v2.4.0 (2022-06-06)
Features:
- Dropped support for Ruby 2.5 and older #453 - @anakinj.
- Use Ruby built-in url-safe base64 methods #454 - @bdewater.
- Updated rubocop to 1.23.0 #457 - @anakinj.
- Add x5c header key finder #338 - @bdewater.
- Author driven changelog process #463 - @anakinj.
- Allow regular expressions and procs to verify issuer #437 (rewritten).
- Add Support to be able to verify from multiple keys #425 (ritikesh).
Fixes and enhancements:
- Readme: Typo fix re MissingRequiredClaim #451 (antonmorant).
- Fix RuboCop TODOs #476 (typhoon2099).
- Make specific algorithms in README linkable #472 (milieu).
- Update note about supported JWK types #475 (dpashkevich).
- Create CODE_OF_CONDUCT.md #449 (loic5).
jwt-2.4.0.beta1
v2.4.0 (2022-05-03)
Implemented enhancements:
- Ensure presence of claims #244
- Support verifying signature signed using x5c header #59
- Add x5c header key finder #338 (bdewater)
Security fixes:
- Importing JWK then exporting results in different `kid` #313
Closed issues:
- Is there a way to decode a ES256 encoded JWT with a root certificate but without a public key or a private key? #471
- Encode output with extra quote #469
- Please release new gem version #444
- HS512 signature verification fails for valid tokens #438
- ArgumentError: invalid base64 while calling JWT::JWK.import(hash) #361
- NoMethodError (undefined method `encode' for JsonWebToken:Module) #329
Merged pull requests:
- Fix RuboCop TODOs #476 (typhoon2099)
- Update note about supported JWK types #475 (dpashkevich)
- Make specific algorithms in README linkable #472 (milieu)
- Add tests for keyfinder logic to ensure the argument count does not matter #467 (anakinj)
- More tests for none token #466 (anakinj)
- Improve non algorithm tests #465 (anakinj)
- Bring back Ruby 2.5 support and CodeClimate coverage reports #464 (anakinj)
- Fix a little RuboCop issue #462 (anakinj)
- Fixes with latest RuboCop #459 (anakinj)
- Removed bundler-audit from codeclimate config #458 (anakinj)
- Updated rubocop to 1.23.0 #457 (anakinj)
- Add Ruby 3.1 to test matrix #456 (anakinj)
- Use Ruby built-in url-safe base64 methods #454 (bdewater)
- Stop running tests on EOL rubies. #453 (anakinj)
- Fix openssl gem version check to support versions greater than 3 #452 (anakinj)
- Readme: Typo fix re MissingRequiredClaim #451 (antonmorant)
- Fix for exception after merging #385 #450 (anakinj)
- Create CODE_OF_CONDUCT.md #449 (loic5)
- Allow regular expressions and procs to verify issuer #437 (rewritten)
- Add Support to be able to verify from multiple keys #425 (ritikesh)
- Define the secp256r1 curve #385 (anakinj)
jwt-2.3.0
v2.3.0 (2021-10-03)
Closed issues:
- [SECURITY] Algorithm Confusion Through kid Header #440
- JWT to memory #436
- ArgumentError: wrong number of arguments (given 2, expected 1) #429
- HMAC section of README outdated #421
- NoMethodError: undefined method `zero?' for nil:NilClass if JWT has no 'alg' field #410
- Release new version #409
- NameError: uninitialized constant JWT::JWK #403
Merged pull requests:
- Fix Style/MultilineIfModifier issues #447 (anakinj)
- feat(EdDSA): Accept EdDSA as algorithm header #446 (Pierre-Michard)
- Pass kid param through JWT::JWK.create_from #445 (shaun-guth-allscripts)
- fix document about passing JWKs as a simple Hash #443 (takayamaki)
- Tests for mixing JWK keys with mismatching algorithms #441 (anakinj)
- verify_claims test shouldn't be within the verify_sub test #431 (andyjdavis)
- Allow decode options to specify required claims #430 (andyjdavis)
- Fix OpenSSL::PKey::EC public_key handing in tests #427 (anakinj)
- Add documentation for find_key #426 (ritikesh)
- Give ruby 3.0 as a string to avoid number formatting issues #424 (anakinj)
- Tests for iat verification behaviour #423 (anakinj)
- Remove HMAC with nil secret from documentation #422 (boardfish)
- Update broken link in README #420 (severin)
- Add metadata for RubyGems #418 (nickhammond)
- Fixed a typo about class name #417 (mai-f)
- Fix references for v2.2.3 on CHANGELOG #416 (vyper)
- Raise IncorrectAlgorithm if token has no alg header #411 (bouk)
jwt-2.2.3
v2.2.3 (2021-04-19)
Implemented enhancements:
- Verify algorithm before evaluating keyfinder #343
- Why jwt depends on json < 2.0 ? #179
- Support for JWK in-lieu of rsa_public #158
- Fix rspec `raise_error` warning #413 (excpt)
- Add support for JWKs with HMAC key type. #372 (phlegx)
- Improve 'none' algorithm handling #365 (danleyden)
- Handle parsed JSON JWKS input with string keys #348 (martinemde)
- Allow Numeric values during encoding #327 (fanfilmu)
Closed issues:
- "Signature verification raised", yet jwt.io says "Signature Verified" #401
- truffleruby-head build is failing #396
- JWT::JWK::EC needs `require 'forwardable'` #392
- How to use a 'signing key' as used by next-auth #389
- undefined method `verify' for nil:NilClass when validate a JWT with JWK #383
- Make specifying "algorithm" optional on decode #380
- ADFS created access tokens can't be validated due to missing 'kid' header #370
- new version? #355
- JWT gitlab OmniAuth provider setup support #354
- Release with support for RSA.import for ruby < 2.4 hasn't been released #347
- cannot load such file -- jwt #339
Merged pull requests:
- Remove codeclimate code coverage dev dependency #414 (excpt)
- Add forwardable dependency #408 (anakinj)
- Ignore casing of algorithm #405 (johnnyshields)
- Document function and add tests for verify claims method #404 (yasonk)
- documenting calling verify_jti callback with 2 arguments in the readme #402 (HoneyryderChuck)
- Target the master branch on the build status badge #399 (anakinj)
- Improving the local development experience #397 (anakinj)
- Fix sourcelevel broken links #395 (anakinj)
- Don't recommend installing gem with sudo #391 (tjschuck)
- Enable rubocop locally and on ci #390 (anakinj)
- Ci and test cleanup #387 (anakinj)
- Make JWT::JWK::EC compatible with Ruby 2.3 #386 (anakinj)
- Support JWKs for pre 2.3 rubies #382 (anakinj)
- Replace Travis CI with GitHub Actions (also favor openssl/rbnacl combinations over rails compatibility tests) #381 (anakinj)
- Add auth0 sponsor message #379 (excpt)
- Adapt HMAC to JWK RSA code style. #378 (phlegx)
- Disable Rails cops #376 (anakinj)
- Support exporting RSA JWK private keys #375 (anakinj)
- Ebert is SourceLevel nowadays #374 (anakinj)
- Add support for JWKs with EC key type #371 (richardlarocque)
- Add Truffleruby head to CI #368 (gogainda)
- Add more docs about JWK support #341 (take)
jwt-2.2.2
v2.2.2 (2020-08-18)
Implemented enhancements:
- JWK does not decode. #332
- Inconsistent use of symbol and string keys in args (exp and algorithm). #331
- Pin simplecov to < 0.18 #356 (anakinj)
- verifies algorithm before evaluating keyfinder #346 (jb08)
- Update Rails 6 appraisal to use actual release version #336 (smudge)
- Update Travis #326 (berkos)
- Improvement/encode hmac without key #312 (JotaSe)
Fixed bugs:
- v2.2.1 warning: already initialized constant JWT Error #335
- 2.2.1 is no longer raising `JWT::DecodeError` on `nil` verification key #328
- Fix algorithm picking from decode options #359 (excpt)
- Raise error when verification key is empty #358 (anakinj)
Closed issues:
- JWT RSA: is it possible to encrypt using the public key? #366
- Example unsigned token that bypasses verification #364
- Verify exp claim/field even if it's not present #363
- Decode any token #360
- [question] example of using a pub/priv keys for signing? #351
- JWT::ExpiredSignature raised for non-JSON payloads #350
- verify_aud only verifies that at least one aud is expected #345
- Sinatra 4.90s TTFB #344
- How to Logout #342
- jwt token decoding even when wrong token is provided for some letters #337
- Need to use `symbolize_keys` everywhere! #330
- eval() used in Forwardable limits usage in iOS App Store #324
- HS512256 OpenSSL Exception: First num too large #322
- Can we change the separator character? #321
- Verifying iat without leeway may break with poorly synced clocks #319
- Adding support for 'hd' hosted domain string #314
- There is no "typ" header in version 2.0.0 #233
Merged pull requests:
jwt-2.2.1
jwt-2.2.0
v2.2.0 (2019-03-20)
Implemented enhancements:
- Use iat_leeway option #273
- Use of global state in latest version breaks thread safety of JWT.decode #268
- JSON support #246
- Change the Github homepage URL to https #301 (ekohl)
- Fix Salt length for conformance with PS family specification. #300 (tobypinder)
- Add support for Ruby 2.6 #299 (bustikiller)
- update homepage in gemspec to use HTTPS #298 (evgeni)
- Make sure alg parameter value isn't added twice #297 (korstiaan)
- Claims Validation #295 (jamesstonehill)
- JWT::Encode refactorings, alg and exp related bugfixes #293 (anakinj)
- Proposal of simple JWK support #289 (anakinj)
- Add RSASSA-PSS signature signing support #285 (oliver-hohn)
- Add note about using a hard coded algorithm in README #280 (revodoge)
- Add Appraisal support #278 (olbrich)
- Fix decode threading issue #269 (ab320012)
- Removed leeway from verify_iat #257 (ab320012)
Fixed bugs:
- Inconsistent handling of payload claim data types #282
- Use iat_leeway option #273
- Issued at validation #247
- Fix bug and simplify segment validation #292 (anakinj)
- Removed leeway from verify_iat #257 (ab320012)
Closed issues:
- RS256, public and private keys #291
- Allow passing current time to `decode` #288
- Verify exp claim without verifying jwt #281
- Decoding JWT with ES256 and secp256k1 curve #277
- Audience as an array - how to specify? #276
- signature validation using decode method for JWT #271
- JWT is easily breakable #267
- Ruby JWT Token #265
- ECDSA supported algorithms constant is defined as a string, not an array #264
- NoMethodError: undefined method `group' for <xxxxx> #261
- 'DecodeError' will replace 'ExpiredSignature' #260
- TypeError: no implicit conversion of OpenSSL::PKey::RSA into String #259
- NameError: uninitialized constant JWT::Algos::Eddsa::RbNaCl #258
- Get new token if current token expired #256
- Infer algorithm from header #254
- Why is the result of decode is an array? #252
- Add support for headless token #251
- Leeway or exp_leeway #215
- Could you describe purpose of cert fixtures and their cryptokey lengths. #185
Merged pull requests:
- Misc config improvements #296 (jamesstonehill)
- Fix JSON conflict between #293 and #292 #294 (anakinj)
- Drop Ruby 2.2 from test matrix #290 (anakinj)
- Remove broken reek config #283 (excpt)
- Add missing test, Update common files #275 (excpt)
- Remove iat_leeway option #274 (wohlgejm)
- improving code quality of jwt module #266 (ab320012)
- fixed ECDSA supported versions const #263 (starbeast)
- Added my name to contributor list #262 (ab320012)
- Use `Class#new` Shorthand For Error Subclasses #255 (akabiru)
- [CI] Test against Ruby 2.5 #253 (nicolasleger)
- Fix README #250 (rono23)
- Fix link format #248 (y-yagi)
jwt-2.2.0-beta.0
2.2.0-beta.0 (2019-03-20)
Implemented enhancements:
- Use iat_leeway option #273
- Use of global state in latest version breaks thread safety of JWT.decode #268
- JSON support #246
- Change the Github homepage URL to https #301 (ekohl)
- Fix Salt length for conformance with PS family specification. #300 (tobypinder)
- Add support for Ruby 2.6 #299 (bustikiller)
- update homepage in gemspec to use HTTPS #298 (evgeni)
- Make sure alg parameter value isn't added twice #297 (korstiaan)
- Claims Validation #295 (jamesstonehill)
- JWT::Encode refactorings, alg and exp related bugfixes #293 (anakinj)
- Proposal of simple JWK support #289 (anakinj)
- Add RSASSA-PSS signature signing support #285 (oliver-hohn)
- Add note about using a hard coded algorithm in README #280 (revodoge)
- Add Appraisal support #278 (olbrich)
- Fix decode threading issue #269 (ab320012)
- Removed leeway from verify_iat #257 (ab320012)
Fixed bugs:
- Inconsistent handling of payload claim data types #282
- Use iat_leeway option #273
- Issued at validation #247
- Fix bug and simplify segment validation #292 (anakinj)
- Removed leeway from verify_iat #257 (ab320012)
Closed issues:
- RS256, public and private keys #291
- Allow passing current time to `decode` #288
- Verify exp claim without verifying jwt #281
- Decoding JWT with ES256 and secp256k1 curve #277
- Audience as an array - how to specify? #276
- signature validation using decode method for JWT #271
- JWT is easily breakable #267
- Ruby JWT Token #265
- ECDSA supported algorithms constant is defined as a string, not an array #264
- NoMethodError: undefined method `group' for <xxxxx> #261
- 'DecodeError' will replace 'ExpiredSignature' #260
- TypeError: no implicit conversion of OpenSSL::PKey::RSA into String #259
- NameError: uninitialized constant JWT::Algos::Eddsa::RbNaCl #258
- Get new token if current token expired #256
- Infer algorithm from header #254
- Why is the result of decode is an array? #252
- Add support for headless token #251
- Leeway or exp_leeway #215
- Could you describe purpose of cert fixtures and their cryptokey lengths. #185
Merged pull requests:
- Misc config improvements #296 (jamesstonehill)
- Fix JSON conflict between #293 and #292 #294 (anakinj)
- Drop Ruby 2.2 from test matrix #290 (anakinj)
- Remove broken reek config #283 (excpt)
- Add missing test, Update common files #275 (excpt)
- Remove iat_leeway option #274 (wohlgejm)
- improving code quality of jwt module #266 (ab320012)
- fixed ECDSA supported versions const #263 (starbeast)
- Added my name to contributor list #262 (ab320012)
- Use `Class#new` Shorthand For Error Subclasses #255 (akabiru)
- [CI] Test against Ruby 2.5 #253 (nicolasleger)
- Fix README #250 (rono23)
- Fix link format #248 (y-yagi)