v2.3.0 (2021-10-03)

Full Changelog

Closed issues:

• [SECURITY] Algorithm Confusion Through kid Header #440
• JWT to memory #436
• ArgumentError: wrong number of arguments (given 2, expected 1) #429
• HMAC section of README outdated #421
• NoMethodError: undefined method `zero?' for nil:NilClass if JWT has no 'alg' field #410
• Release new version #409
• NameError: uninitialized constant JWT::JWK #403

Merged pull requests:

• Fix Style/MultilineIfModifier issues #447 (anakinj)
• feat(EdDSA): Accept EdDSA as algorithm header #446 (Pierre-Michard)
• Pass kid param through JWT::JWK.create_from #445 (shaun-guth-allscripts)
• fix document about passing JWKs as a simple Hash #443 (takayamaki)
• Tests for mixing JWK keys with mismatching algorithms #441 (anakinj)
• verify_claims test shouldnt be within the verify_sub test #431 (andyjdavis)
• Allow decode options to specify required claims #430 (andyjdavis)
• Fix OpenSSL::PKey::EC public_key handing in tests #427 (anakinj)
• Add documentation for find_key #426 (ritikesh)
• Give ruby 3.0 as a string to avoid number formatting issues #424 (anakinj)
• Tests for iat verification behaviour #423 (anakinj)
• Remove HMAC with nil secret from documentation #422 (boardfish)
• Update broken link in README #420 (severin)
• Add metadata for RubyGems #418 (nickhammond)
• Fixed a typo about class name #417 (mai-f)
• Fix references for v2.2.3 on CHANGELOG #416 (vyper)
• Raise IncorrectAlgorithm if token has no alg header #411 (bouk)

v2.2.3 (2021-04-19)

Full Changelog

Implemented enhancements:

• Verify algorithm before evaluating keyfinder #343
• Why jwt depends on json < 2.0 ? #179
• Support for JWK in-lieu of rsa_public #158
• Fix rspec raise_error warning #413 (excpt)
• Add support for JWKs with HMAC key type. #372 (phlegx)
• Improve 'none' algorithm handling #365 (danleyden)
• Handle parsed JSON JWKS input with string keys #348 (martinemde)
• Allow Numeric values during encoding #327 (fanfilmu)

Closed issues:

• "Signature verification raised", yet jwt.io says "Signature Verified" #401
• truffleruby-head build is failing #396
• JWT::JWK::EC needs require 'forwardable' #392
• How to use a 'signing key' as used by next-auth #389
• undefined method `verify' for nil:NilClass when validate a JWT with JWK #383
• Make specifying "algorithm" optional on decode #380
• ADFS created access tokens can't be validated due to missing 'kid' header #370
• new version? #355
• JWT gitlab OmniAuth provider setup support #354
• Release with support for RSA.import for ruby < 2.4 hasn't been released #347
• cannot load such file -- jwt #339

Merged pull requests:

• Remove codeclimate code coverage dev dependency #414 (excpt)
• Add forwardable dependency #408 (anakinj)
• Ignore casing of algorithm #405 (johnnyshields)
• Document function and add tests for verify claims method #404 (yasonk)
• documenting calling verify_jti callback with 2 arguments in the readme #402 (HoneyryderChuck)
• Target the master branch on the build status badge #399 (anakinj)
• Improving the local development experience #397 (anakinj)
• Fix sourcelevel broken links #395 (anakinj)
• Don't recommend installing gem with sudo #391 (tjschuck)
• Enable rubocop locally and on ci #390 (anakinj)
• Ci and test cleanup #387 (anakinj)
• Make JWT::JWK::EC compatible with Ruby 2.3 #386 (anakinj)
• Support JWKs for pre 2.3 rubies #382 (anakinj)
• Replace Travis CI with GitHub Actions (also favor openssl/rbnacl combinations over rails compatibility tests) #381 (anakinj)
• Add auth0 sponsor message #379 (excpt)
• Adapt HMAC to JWK RSA code style. #378 (phlegx)
• Disable Rails cops #376 (anakinj)
• Support exporting RSA JWK private keys #375 (anakinj)
• Ebert is SourceLevel nowadays #374 (anakinj)
• Add support for JWKs with EC key type #371 (richardlarocque)
• Add Truffleruby head to CI #368 (gogainda)
• Add more docs about JWK support #341 (take)

v2.2.2 (2020-08-18)

Full Changelog

Implemented enhancements:

• JWK does not decode. #332
• Inconsistent use of symbol and string keys in args (exp and alrogithm). #331
• Pin simplecov to < 0.18 #356 (anakinj)
• verifies algorithm before evaluating keyfinder #346 (jb08)
• Update Rails 6 appraisal to use actual release version #336 (smudge)
• Update Travis #326 (berkos)
• Improvement/encode hmac without key #312 (JotaSe)

Fixed bugs:

• v2.2.1 warning: already initialized constant JWT Error #335
• 2.2.1 is no longer raising JWT::DecodeError on nil verification key #328
• Fix algorithm picking from decode options #359 (excpt)
• Raise error when verification key is empty #358 (anakinj)

Closed issues:

• JWT RSA: is it possible to encrypt using the public key? #366
• Example unsigned token that bypasses verification #364
• Verify exp claim/field even if it's not present #363
• Decode any token #360
• [question] example of using a pub/priv keys for signing? #351
• JWT::ExpiredSignature raised for non-JSON payloads #350
• verify_aud only verifies that at least one aud is expected #345
• Sinatra 4.90s TTFB #344
• How to Logout #342
• jwt token decoding even when wrong token is provided for some letters #337
• Need to use symbolize\_keys everywhere! #330
• eval() used in Forwardable limits usage in iOS App Store #324
• HS512256 OpenSSL Exception: First num too large #322
• Can we change the separator character? #321
• Verifying iat without leeway may break with poorly synced clocks #319
• Adding support for 'hd' hosted domain string #314
• There is no "typ" header in version 2.0.0 #233

Merged pull requests:

• Fix 'already initialized constant JWT Error' #357 (excpt)
• Support RSA.import for all Ruby versions. #333 (rabajaj0509)
• Removed forwardable dependency #325 (anakinj)

v2.2.1 (2019-05-24)

Full Changelog

Fixed bugs:

• need to require 'forwardable' to use Forwardable #316
• Add forwardable dependency for JWK RSA KeyFinder #317 (excpt)

v2.2.0 (2019-03-20)

Full Changelog

Implemented enhancements:

• Use iat_leeway option #273
• Use of global state in latest version breaks thread safety of JWT.decode #268
• JSON support #246
• Change the Github homepage URL to https #301 (ekohl)
• Fix Salt length for conformance with PS family specification. #300 (tobypinder)
• Add support for Ruby 2.6 #299 (bustikiller)
• update homepage in gemspec to use HTTPS #298 (evgeni)
• Make sure alg parameter value isn't added twice #297 (korstiaan)
• Claims Validation #295 (jamesstonehill)
• JWT::Encode refactorings, alg and exp related bugfixes #293 (anakinj)
• Proposal of simple JWK support #289 (anakinj)
• Add RSASSA-PSS signature signing support #285 (oliver-hohn)
• Add note about using a hard coded algorithm in README #280 (revodoge)
• Add Appraisal support #278 (olbrich)
• Fix decode threading issue #269 (ab320012)
• Removed leeway from verify_iat #257 (ab320012)

Fixed bugs:

• Inconsistent handling of payload claim data types #282
• Use iat\_leeway option #273
• Issued at validation #247
• Fix bug and simplify segment validation #292 (anakinj)
• Removed leeway from verify\_iat #257 (ab320012)

Closed issues:

• RS256, public and private keys #291
• Allow passing current time to decode #288
• Verify exp claim without verifying jwt #281
• Decoding JWT with ES256 and secp256k1 curve #277
• Audience as an array - how to specify? #276
• signature validation using decode method for JWT #271
• JWT is easily breakable #267
• Ruby JWT Token #265
• ECDSA supported algorithms constant is defined as a string, not an array #264
• NoMethodError: undefined method `group' for <xxxxx> #261
• 'DecodeError'will replace 'ExpiredSignature' #260
• TypeError: no implicit conversion of OpenSSL::PKey::RSA into String #259
• NameError: uninitialized constant JWT::Algos::Eddsa::RbNaCl #258
• Get new token if curren token expired #256
• Infer algorithm from header #254
• Why is the result of decode is an array? #252
• Add support for headless token #251
• Leeway or exp_leeway #215
• Could you describe purpose of cert fixtures and their cryptokey lengths. #185

Merged pull requests:

• Misc config improvements #296 (jamesstonehill)
• Fix JSON conflict between #293 and #292 #294 (anakinj)
• Drop Ruby 2.2 from test matrix #290 (anakinj)
• Remove broken reek config #283 (excpt)
• Add missing test, Update common files #275 (excpt)
• Remove iat_leeway option #274 (wohlgejm)
• improving code quality of jwt module #266 (ab320012)
• fixed ECDSA supported versions const #263 (starbeast)
• Added my name to contributor list #262 (ab320012)
• Use Class\#new Shorthand For Error Subclasses #255 (akabiru)
• [CI] Test against Ruby 2.5 #253 (nicolasleger)
• Fix README #250 (rono23)
• Fix link format #248 (y-yagi)

2.2.0-beta.0 (2019-03-20)

Full Changelog

Implemented enhancements:

• Use iat_leeway option #273
• Use of global state in latest version breaks thread safety of JWT.decode #268
• JSON support #246
• Change the Github homepage URL to https #301 (ekohl)
• Fix Salt length for conformance with PS family specification. #300 (tobypinder)
• Add support for Ruby 2.6 #299 (bustikiller)
• update homepage in gemspec to use HTTPS #298 (evgeni)
• Make sure alg parameter value isn't added twice #297 (korstiaan)
• Claims Validation #295 (jamesstonehill)
• JWT::Encode refactorings, alg and exp related bugfixes #293 (anakinj)
• Proposal of simple JWK support #289 (anakinj)
• Add RSASSA-PSS signature signing support #285 (oliver-hohn)
• Add note about using a hard coded algorithm in README #280 (revodoge)
• Add Appraisal support #278 (olbrich)
• Fix decode threading issue #269 (ab320012)
• Removed leeway from verify_iat #257 (ab320012)

Fixed bugs:

• Inconsistent handling of payload claim data types #282
• Use iat\_leeway option #273
• Issued at validation #247
• Fix bug and simplify segment validation #292 (anakinj)
• Removed leeway from verify\_iat #257 (ab320012)

Closed issues:

• RS256, public and private keys #291
• Allow passing current time to decode #288
• Verify exp claim without verifying jwt #281
• Decoding JWT with ES256 and secp256k1 curve #277
• Audience as an array - how to specify? #276
• signature validation using decode method for JWT #271
• JWT is easily breakable #267
• Ruby JWT Token #265
• ECDSA supported algorithms constant is defined as a string, not an array #264
• NoMethodError: undefined method `group' for <xxxxx> #261
• 'DecodeError'will replace 'ExpiredSignature' #260
• TypeError: no implicit conversion of OpenSSL::PKey::RSA into String #259
• NameError: uninitialized constant JWT::Algos::Eddsa::RbNaCl #258
• Get new token if curren token expired #256
• Infer algorithm from header #254
• Why is the result of decode is an array? #252
• Add support for headless token #251
• Leeway or exp_leeway #215
• Could you describe purpose of cert fixtures and their cryptokey lengths. #185

Merged pull requests:

• Misc config improvements #296 (jamesstonehill)
• Fix JSON conflict between #293 and #292 #294 (anakinj)
• Drop Ruby 2.2 from test matrix #290 (anakinj)
• Remove broken reek config #283 (excpt)
• Add missing test, Update common files #275 (excpt)
• Remove iat_leeway option #274 (wohlgejm)
• improving code quality of jwt module #266 (ab320012)
• fixed ECDSA supported versions const #263 (starbeast)
• Added my name to contributor list #262 (ab320012)
• Use Class\#new Shorthand For Error Subclasses #255 (akabiru)
• [CI] Test against Ruby 2.5 #253 (nicolasleger)
• Fix README #250 (rono23)
• Fix link format #248 (y-yagi)

2.1.0 (2017-10-06)

Full Changelog

Implemented enhancements:

• Ed25519 support planned? #217
• Verify JTI Proc #207
• Allow a list of algorithms for decode #241 (lautis)
• verify takes 2 params, second being payload closes: #207 #238 (ab320012)
• simplified logic for keyfinder #237 (ab320012)
• Show backtrace if rbnacl-libsodium not loaded #231 (buzztaiki)
• Support for ED25519 #229 (ab320012)

Fixed bugs:

• JWT.encode failing on encode for string #235
• The README says it uses an algorithm by default #226
• Fix string payload issue #236 (excpt)

Closed issues:

• Change from 1.5.6 to 2.0.0 and appears a "Completed 401 Unauthorized" #240
• Why doesn't the decode function use a default algorithm? #227

Merged pull requests:

• Update README.md #242 (excpt)
• Update ebert configuration #232 (excpt)
• added algos/strategy classes + structs for inputs #230 (ab320012)
• Add HS256 algorithm to decode default options #228 (madkin10)

Changelog

v2.0.0.beta1 (2017-02-27)

Full Changelog

Implemented enhancements:

• Error with method sign for String #171
• Refactor the encondig code #121
• Refactor #196 (EmilioCristalli)
• Move signature logic to its own module #195 (EmilioCristalli)
• Add options for claim-specific leeway #187 (EmilioCristalli)
• Add user friendly encode error if private key is a String, #171 #176 (xamenrax)
• Return empty string if signature less than byte_size #155 #175 (xamenrax)
• Remove 'typ' optional parameter #174 (xamenrax)
• Pass payload to keyfinder #172 (CodeMonkeySteve)
• Use RbNaCl for HMAC if available with fallback to OpenSSL #149 (mwpastore)

Fixed bugs:

• ruby-jwt::raw_to_asn1: Fails for signatures less than byte_size #155
• The leeway parameter is applies to all time based verifications #129
• Add options for claim-specific leeway #187 (EmilioCristalli)
• Make algorithm option required to verify signature #184 (EmilioCristalli)
• Validate audience when payload is a scalar and options is an array #183 (steti)

Closed issues:

• Different encoded value between servers with same password #197
• Signature is different at each run #190
• Include custom headers with password #189
• can't create token - 'NotImplementedError: Unsupported signing method' #186
• Why jwt depends on json < 2.0 ? #179
• Cannot verify JWT at all?? #177
• verify_iss: true is raising JWT::DecodeError instead of JWT::InvalidIssuerError #170

Merged pull requests:

• Version bump 2.0.0.beta1 #199 (excpt)
• Update CHANGELOG.md and minor fixes #198 (excpt)
• Add Codacy coverage reporter #194 (excpt)
• Add minimum required ruby version to gemspec #193 (excpt)
• Code smell fixes #192 (excpt)
• Version bump to 2.0.0.dev #191 (excpt)
• Basic encode module refactoring #121 #182 (xamenrax)
• Fix travis ci build configuration #181 (excpt)
• Fix travis ci build configuration #180 (excpt)
• Fix typo in README #178 (tomeduarte)
• Fix code style #173 (excpt)
• Fixed a typo in a spec name #169 (Mingan)

Change Log

v2.0.0 (2017-09-03)

Full Changelog

Fixed bugs:

• Support versions outside 2.1 #209
• Verifying expiration without leeway throws exception #206
• Ruby interpreter warning #200
• TypeError: no implicit conversion of String into Integer #188
• Fix JWT.encode(nil) #203 (tmm1)

Closed issues:

• Possibility to disable claim verifications #222
• Proper way to verify Firebase id tokens #216

Merged pull requests:

• Skip 'exp' claim validation for array payloads #224 (excpt)
• Use a default leeway of 0 #223 (travisofthenorth)
• Fix reported codesmells #221 (excpt)
• Add fancy gem version badge #220 (excpt)
• Add missing dist option to .travis.yml #219 (excpt)
• Fix ruby version requirements in gemspec file #218 (excpt)
• Fix a little typo in the readme #214 (RyanBrushett)
• Update README.md #212 (zuzannast)
• Fix typo in HS512256 algorithm description #211 (ojab)
• Allow configuration of multiple acceptable issuers #210 (ojab)
• Enforce exp to be an Integer #205 (lucasmazza)
• ruby 1.9.3 support message upd #204 (maokomioko)
• Guard against partially loaded RbNaCl when failing to load libsodium #202 (Dorian)

Full Changelog

Fixed bugs:

• Fix missing symbol handling in aud verify code #166 (excpt)

Merged pull requests:

• Fix rubocop code smells #167 (excpt)