Version Changes

Jose C edited this page Jan 3, 2018 · 3 revisions


API breaking changes:

  • Some methods for AuthenticatorService moved from OptionT to F[A].
  • Changed type param order in TSecAuthService for partial unification #90 @jarreds
  • Added error handler for authed service (doesn't break existing code, but it does break binary compatibility)

New goodies and bugfixes in 0.0.1-M7!!!

  • TSecAuthService now composes with <+>!
  • You can now add specific authorization to specific TSecAuthedServices, using withAuthorization
  • HMAC signing can now take arbitrary-length keys, as per the spec (thank you to @fiadliel for bringing this to light). (bugfix)
  • Fixed rolling window authentication.


API breaking changes:

Type Signatures

Type signatures are now consistent across all modules. This means types have gone from:

  • For message authentication codes: A to MAC[A] (e.g. HMACSHA256 to MAC[SHA256])
  • For digest hashes: A to CryptoHash[A] (e.g. SHA256 to CryptoHash[SHA256])
  • For password hashes: A to PasswordHash[A]
  • For signatures: A to CryptoSignature[A]

However, the underlying type itself is the same, so code itself should not change, except for password hashers.

Password hasher changes

The following password hasher changes were implemented:

  • The default methods are now hashpw, hashpwUnsafe, checkpw and checkpwUnsafe. Methods with unsafe in the name are impure.
  • Password hashing has received a slight speed optimization for BCrypt via our ManagedRandom and by using StringBuilder instead of StringBuffer, since no synchronization is needed. The dependency on org.mindrot.JBCrypt is gone; we have forked our own slightly more restrictive but safer version (our version uses byte arrays to hash, not passwords; the crypto primitive logic is the same).
  • #58 Byte arrays are now the default, and they are wiped after password hashing.
  • BCrypt now includes a way to vary the number of rounds: hashpwWithRounds. This doesn't change password checking whatsoever; it's a net gain.
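
What the wipe-after-hash behaviour means for calling code, as an added example that is not tsec's own code: it uses the JDK's PBKDF2 as a stand-in for the library's BCrypt/SCrypt hashers, and the names hashAndWipe and checkAndWipe are hypothetical. Wiping the candidate array on check is an assumption of this sketch.

```scala
import java.security.{MessageDigest, SecureRandom}
import java.util.Arrays
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

object WipingHasherExample {
  // Stand-in hasher: PBKDF2 from the JDK, not tsec's BCrypt/SCrypt.
  private def pbkdf2(password: Array[Char], salt: Array[Byte]): Array[Byte] = {
    val spec = new PBEKeySpec(password, salt, 100000, 256)
    try SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded
    finally spec.clearPassword() // PBEKeySpec holds its own copy; clear that as well
  }

  /** Hashes the password, then zeroes the caller's source array, even on failure. */
  def hashAndWipe(password: Array[Char], salt: Array[Byte]): Array[Byte] =
    try pbkdf2(password, salt)
    finally Arrays.fill(password, '\u0000')

  /** Constant-time comparison; the candidate array is wiped too (assumption of this sketch). */
  def checkAndWipe(candidate: Array[Char], salt: Array[Byte], expected: Array[Byte]): Boolean =
    MessageDigest.isEqual(hashAndWipe(candidate, salt), expected)

  def main(args: Array[String]): Unit = {
    val salt = new Array[Byte](16)
    new SecureRandom().nextBytes(salt)

    // Constructed sample input. Real code should read the password straight into
    // an array, because a String literal cannot be wiped.
    val pw = "correct horse".toCharArray
    val stored = hashAndWipe(pw, salt)
    assert(pw.forall(_ == '\u0000'), "source array must be zeroed after hashing")

    // Pitfall: the wiped array now holds NUL characters, so reusing it does not verify.
    assert(!checkAndWipe(pw, salt, stored))
    // A fresh array holding the right password does.
    assert(checkAndWipe("correct horse".toCharArray, salt, stored))
    println("ok")
  }
}
```

Code that hashes a password and then needs the same value again (for example, to derive a second key) has to copy the array before the first call.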

JWT Changes

JWT received a few changes as well:

  • JWT methods are now monadic by default. This makes sense, as tsec is an FP-first library. All JWTMacM methods have become JWTMac by default, and JWTMac has become JWTMacImpure; the same applies to JWTSig.

Primitive renaming changes

Tsec is FP-first, so JCA primitives should be pure by default. The following were therefore renamed:

  • JCAMacPure => JCAMac
  • JCASignerPure => JCASigner
  • JCASymmPure => JCASymmetricCipher

Conversely, the impure versions now all have Impure in their name. They are:

  • JCAMacImpure
  • JCASignerImpure
  • JCAAEADImpure
  • JCASymmCipherImpure

New goodies in 0.0.1-M6!!!

  • Password hashers now operate on byte and char arrays, and wipe the data from the original source arrays when done (with a bit of inlining optimization done by @hrhino)
  • MAC, Signature and MessageDigest primitives now have convenience methods so that you do not have to work directly on the algebra instances, e.g. JCAMac.sign[IO, A]. See the source on the primitive for more details.
  • Update http4s to 0.18.0-M6
  • All newtypes expose their cats.evidence.Is, so that the subst methods can be used. For example, if you need to work with a doobie Meta[String] object, you can use[SCrypt].substitute to get a Meta[PasswordHash[SCrypt]]

Internal changes, not impacting user-api but for maintainers:

  • Because the type signatures are now consistent, a few code smells have gone away. In particular, StringEV and ByteEV are no longer necessary, and thus have been removed. This has no impact on the user-level API.
  • The JWT trait now takes two type parameters, so JWSSignature is no longer needed: the signature itself now depends on the primitive used, Mac or CryptoSignature.

Updates http4s version to 0.18.0-M5



This release adds:

  • Credentials-based authentication
  • CSRF
  • Improved Documentation
  • Bearer Token Authenticator
  • SecureRandomId generation

Breaking changes:

  • JWTClaims jwtId changed from UUID to String, to be able to use SecureRandomId
  • TaggedByteSyntax changed from toArray to asByteArray
  • Alg type parameter removed from authenticator
  • BackingStore signature changed.
  • Authorization signature changed to include the token type
  • Type parameters are now consistent across all authorization and authentication related classes, with left to right ordering with priority: Effect type > Id type > User Type > Token type. Auth token type is always last.
  • SignedCookie and AEADCookie method fromRaw changed to apply