Skip to content

Latest commit

 

History

History
232 lines (183 loc) · 9.3 KB

CHANGELOG.md

File metadata and controls

232 lines (183 loc) · 9.3 KB

Change Log

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

Changed

Fixed

Added

Fixed

  • Audience parameter throws InvalidAudienceError when application does not specify an audience, but the token does. #336

Changed

  • Dropped support for python 2.6 and 3.3 #301
  • An invalid signature now raises an InvalidSignatureError instead of DecodeError #316

Fixed

  • Fix over-eager fallback to stdin #304

Added

  • Audience parameter now supports iterables #306

Changed

  • Increase required version of the cryptography package to >=1.4.0.

Fixed

  • Remove uses of deprecated functions from the cryptography package.
  • Warn about missing algorithms param to decode() only when verify param is True #281

Fixed

  • Ensure correct arguments order in decode super call 7c1e61d

Changed

  • Change optparse for argparse. #238

Fixed

  • Guard against PKCS1 PEM encododed public keys #277
  • Add deprecation warning when decoding without specifying algorithms #277
  • Improve deprecation messages #270
  • PyJWT.decode: move verify param into options #271

Added

  • Support for Python 3.6 #262
  • Expose jwt.InvalidAlgorithmError #264

Changed

  • Add support for ECDSA public keys in RFC 4253 (OpenSSH) format #244
  • Renamed commandline script jwt to jwt-cli to avoid issues with the script clobbering the jwt module in some circumstances. #187
  • Better error messages when using an algorithm that requires the cryptography package, but it isn't available #230
  • Tokens with future 'iat' values are no longer rejected #190
  • Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError
  • Remove rejection of future 'iat' claims #252

Fixed

  • Add back 'ES512' for backward compatibility (for now) #225
  • Fix incorrectly named ECDSA algorithm #219
  • Fix rpm build #196

Added

  • Add JWK support for HMAC and RSA keys #202

Fixed

  • A PEM-formatted key encoded as bytes could cause a TypeError to be raised #213

Fixed

  • Newer versions of Pytest could not detect warnings properly #182
  • Non-string 'kid' value now raises InvalidTokenError #174
  • jwt.decode(None) now gracefully fails with InvalidTokenError #183

Fixed

  • Exclude Python cache files from PyPI releases.

Added

  • Added new options to require certain claims (require_nbf, require_iat, require_exp) and raise MissingRequiredClaimError if they are not present.
  • If audience= or issuer= is specified but the claim is not present, MissingRequiredClaimError is now raised instead of InvalidAudienceError and InvalidIssuerError

Fixed

  • ECDSA (ES256, ES384, ES512) signatures are now being properly serialized #158
  • RSA-PSS (PS256, PS384, PS512) signatures now use the proper salt length for PSS padding. #163

Added

  • Added a new jwt.get_unverified_header() to parse and return the header portion of a token prior to signature verification.

Removed

  • Python 3.2 is no longer a supported platform. This version of Python is rarely used. Users affected by this should upgrade to 3.3+.

Fixed

  • Added back verify_expiration= argument to jwt.decode() that was erroneously removed in v1.1.0.

Changed

  • Refactored JWS-specific logic out of PyJWT and into PyJWS superclass. #141

Deprecated

  • verify_expiration= argument to jwt.decode() is now deprecated and will be removed in a future version. Use the option= argument instead.

Added

  • Added support for PS256, PS384, and PS512 algorithms. #132
  • Added flexible and complete verification options during decode. #131
  • Added this CHANGELOG.md file.

Deprecated

  • Deprecated usage of the .decode(..., verify=False) parameter.

Fixed

  • Fixed command line encoding. #128

Fixed

  • Include jwt/contrib' and jwt/contrib/algorithms` in setup.py so that they will actually be included when installing. 882524d
  • Fix bin/jwt after removing jwt.header(). bd57b02

Changed

  • Moved jwt.api.header out of the public API. #85
  • Added README details how to extract public / private keys from an x509 certificate. #100
  • Refactor api.py functions into an object (PyJWT). #101
  • Added support for PyCrypto and ecdsa when cryptography isn't available. #101

Fixed

  • Fixed a security vulnerability where alg=None header could bypass signature verification. #109
  • Fixed a security vulnerability by adding support for a whitelist of allowed alg values jwt.decode(algorithms=[]). #110