Skip to content

Latest commit

 

History

History
309 lines (239 loc) · 11.7 KB

CHANGELOG.md

File metadata and controls

309 lines (239 loc) · 11.7 KB
Raw

Change Log

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

Unreleased

Changed

  • Pass python_requires argument to setuptools #440
  • Rename [wheel] section to [bdist_wheel] as the former is legacy #441
  • Remove setup.py test command in favor of pytest and tox #442
  • DX Tweaks #450
  • Remove Python 2.7 compatibility #457

Fixed

  • Decode return type is dict[str, Any] #393
  • Fix linter error in test_cli #414
  • Correct type for json_encoder argument #438
  • Run mypy with tox #421
  • Prefer https:// links where available #439
  • Fix mypy errors #449
  • Fix simple typo: encododed -> encoded #462

Added

  • Document (and prefer) pyjwt[crypto] req format #426
  • Set headers when encoding via command line #406

v1.7.1

Fixed

  • Update test dependencies with pinned ranges
  • Fix pytest deprecation warnings

v1.7.0

Changed

  • Remove CRLF line endings #353

Fixed

  • Update usage.rst #360

Added

v1.6.4

Fixed

  • Reverse an unintentional breaking API change to .decode() #352

v1.6.3

Changed

  • All exceptions inherit from PyJWTError #340

Added

Docs

  • Added section to usage docs for jwt.get_unverified_header() #350
  • Update legacy instructions for using pycrypto #337

v1.6.1

Fixed

  • Audience parameter throws InvalidAudienceError when application does not specify an audience, but the token does. #336

v1.6.0

Changed

  • Dropped support for python 2.6 and 3.3 #301
  • An invalid signature now raises an InvalidSignatureError instead of DecodeError #316

Fixed

  • Fix over-eager fallback to stdin #304

Added

  • Audience parameter now supports iterables #306

v1.5.3

Changed

  • Increase required version of the cryptography package to >=1.4.0.

Fixed

  • Remove uses of deprecated functions from the cryptography package.
  • Warn about missing algorithms param to decode() only when verify param is True #281

v1.5.2

Fixed

  • Ensure correct arguments order in decode super call 7c1e61d

v1.5.1

Changed

  • Change optparse for argparse. #238

Fixed

  • Guard against PKCS1 PEM encoded public keys #277
  • Add deprecation warning when decoding without specifying algorithms #277
  • Improve deprecation messages #270
  • PyJWT.decode: move verify param into options #271

Added

  • Support for Python 3.6 #262
  • Expose jwt.InvalidAlgorithmError #264

v1.5.0

Changed

  • Add support for ECDSA public keys in RFC 4253 (OpenSSH) format #244
  • Renamed commandline script jwt to jwt-cli to avoid issues with the script clobbering the jwt module in some circumstances. #187
  • Better error messages when using an algorithm that requires the cryptography package, but it isn't available #230
  • Tokens with future 'iat' values are no longer rejected #190
  • Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError
  • Remove rejection of future 'iat' claims #252

Fixed

  • Add back 'ES512' for backward compatibility (for now) #225
  • Fix incorrectly named ECDSA algorithm #219
  • Fix rpm build #196

Added

  • Add JWK support for HMAC and RSA keys #202

v1.4.2

Fixed

  • A PEM-formatted key encoded as bytes could cause a TypeError to be raised #213

v1.4.1

Fixed

  • Newer versions of Pytest could not detect warnings properly #182
  • Non-string 'kid' value now raises InvalidTokenError #174
  • jwt.decode(None) now gracefully fails with InvalidTokenError #183

v1.4

Fixed

  • Exclude Python cache files from PyPI releases.

Added

  • Added new options to require certain claims (require_nbf, require_iat, require_exp) and raise MissingRequiredClaimError if they are not present.
  • If audience= or issuer= is specified but the claim is not present, MissingRequiredClaimError is now raised instead of InvalidAudienceError and InvalidIssuerError

v1.3

Fixed

  • ECDSA (ES256, ES384, ES512) signatures are now being properly serialized #158
  • RSA-PSS (PS256, PS384, PS512) signatures now use the proper salt length for PSS padding. #163

Added

  • Added a new jwt.get_unverified_header() to parse and return the header portion of a token prior to signature verification.

Removed

  • Python 3.2 is no longer a supported platform. This version of Python is rarely used. Users affected by this should upgrade to 3.3+.

v1.2.0

Fixed

  • Added back verify_expiration= argument to jwt.decode() that was erroneously removed in v1.1.0.

Changed

  • Refactored JWS-specific logic out of PyJWT and into PyJWS superclass. #141

Deprecated

  • verify_expiration= argument to jwt.decode() is now deprecated and will be removed in a future version. Use the option= argument instead.

v1.1.0

Added

  • Added support for PS256, PS384, and PS512 algorithms. #132
  • Added flexible and complete verification options during decode. #131
  • Added this CHANGELOG.md file.

Deprecated

  • Deprecated usage of the .decode(..., verify=False) parameter.

Fixed

  • Fixed command line encoding. #128

v1.0.1

Fixed

  • Include jwt/contrib' and jwt/contrib/algorithms` in setup.py so that they will actually be included when installing. 882524d
  • Fix bin/jwt after removing jwt.header(). bd57b02

v1.0.0

Changed

  • Moved jwt.api.header out of the public API. #85
  • Added README details how to extract public / private keys from an x509 certificate. #100
  • Refactor api.py functions into an object (PyJWT). #101
  • Added support for PyCrypto and ecdsa when cryptography isn't available. #101

Fixed

  • Fixed a security vulnerability where alg=None header could bypass signature verification. #109
  • Fixed a security vulnerability by adding support for a whitelist of allowed alg values jwt.decode(algorithms=[]). #110