1## `jwt-go` Version History
2
3#### 4.0.0
4
5* Introduces support for Go modules. The `v4` version will be backwards compatible with `v3.x.y`.
6
7#### 3.2.2
8
9* Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 ([#28](https://github.com/golang-jwt/jwt/pull/28)).
10* Fixed a potential issue that could occur when the verification of `exp`, `iat` or `nbf` was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork ([#40](https://github.com/golang-jwt/jwt/pull/40)).
11* Added support for EdDSA / ED25519 ([#36](https://github.com/golang-jwt/jwt/pull/36)).
12* Optimized allocations ([#33](https://github.com/golang-jwt/jwt/pull/33)).
13
14#### 3.2.1
15
16* **Import Path Change**: See MIGRATION_GUIDE.md for tips on updating your code
17 * Changed the import path from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt`
18* Fixed type confusing issue between `string` and `[]string` in `VerifyAudience` ([#12](https://github.com/golang-jwt/jwt/pull/12)). This fixes CVE-2020-26160
19
20#### 3.2.0
21
22* Added method `ParseUnverified` to allow users to split up the tasks of parsing and validation
23* HMAC signing method returns `ErrInvalidKeyType` instead of `ErrInvalidKey` where appropriate
24* Added options to `request.ParseFromRequest`, which allows for an arbitrary list of modifiers to parsing behavior. Initial set include `WithClaims` and `WithParser`. Existing usage of this function will continue to work as before.
25* Deprecated `ParseFromRequestWithClaims` to simplify API in the future.
26
27#### 3.1.0
28
29* Improvements to `jwt` command line tool
30* Added `SkipClaimsValidation` option to `Parser`
31* Documentation updates
32
33#### 3.0.0
34
35* **Compatibility Breaking Changes**: See MIGRATION_GUIDE.md for tips on updating your code
36 * Dropped support for `[]byte` keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
37 * `ParseFromRequest` has been moved to `request` subpackage and usage has changed
38 * The `Claims` property on `Token` is now type `Claims` instead of `map[string]interface{}`. The default value is type `MapClaims`, which is an alias to `map[string]interface{}`. This makes it possible to use a custom type when decoding claims.
39* Other Additions and Changes
40 * Added `Claims` interface type to allow users to decode the claims into a custom type
41 * Added `ParseWithClaims`, which takes a third argument of type `Claims`. Use this function instead of `Parse` if you have a custom type you'd like to decode into.
42 * Dramatically improved the functionality and flexibility of `ParseFromRequest`, which is now in the `request` subpackage
43 * Added `ParseFromRequestWithClaims` which is the `FromRequest` equivalent of `ParseWithClaims`
44 * Added new interface type `Extractor`, which is used for extracting JWT strings from http requests. Used with `ParseFromRequest` and `ParseFromRequestWithClaims`.
45 * Added several new, more specific, validation errors to error type bitmask
46 * Moved examples from README to executable example files
47 * Signing method registry is now thread safe
48 * Added new property to `ValidationError`, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
49
50#### 2.7.0
51
52This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.
53
54* Added new option `-show` to the `jwt` command that will just output the decoded token without verifying
55* Error text for expired tokens includes how long it's been expired
56* Fixed incorrect error returned from `ParseRSAPublicKeyFromPEM`
57* Documentation updates
58
59#### 2.6.0
60
61* Exposed inner error within ValidationError
62* Fixed validation errors when using UseJSONNumber flag
63* Added several unit tests
64
65#### 2.5.0
66
67* Added support for signing method none. You shouldn't use this. The API tries to make this clear.
68* Updated/fixed some documentation
69* Added more helpful error message when trying to parse tokens that begin with `BEARER `
70
71#### 2.4.0
72
73* Added new type, Parser, to allow for configuration of various parsing parameters
74 * You can now specify a list of valid signing methods. Anything outside this set will be rejected.
75 * You can now opt to use the `json.Number` type instead of `float64` when parsing token JSON
76* Added support for [Travis CI](https://travis-ci.org/dgrijalva/jwt-go)
77* Fixed some bugs with ECDSA parsing
78
79#### 2.3.0
80
81* Added support for ECDSA signing methods
82* Added support for RSA PSS signing methods (requires go v1.4)
83
84#### 2.2.0
85
86* Gracefully handle a `nil` `Keyfunc` being passed to `Parse`. Result will now be the parsed token and an error, instead of a panic.
87
88#### 2.1.0
89
90Backwards compatible API change that was missed in 2.0.0.
91
92* The `SignedString` method on `Token` now takes `interface{}` instead of `[]byte`
93
94#### 2.0.0
95
96There were two major reasons for breaking backwards compatibility with this update. The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations. There will likely be no required code changes to support this change.
97
98The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods. Not all keys used for all signing methods have a single standard on-disk representation. Requiring `[]byte` as the type for all keys proved too limiting. Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys. Backwards compatibilty has been maintained for passing `[]byte` to the RSA signing methods, but they will also accept `*rsa.PublicKey` and `*rsa.PrivateKey`.
99
100It is likely the only integration change required here will be to change `func(t *jwt.Token) ([]byte, error)` to `func(t *jwt.Token) (interface{}, error)` when calling `Parse`.
101
102* **Compatibility Breaking Changes**
103 * `SigningMethodHS256` is now `*SigningMethodHMAC` instead of `type struct`
104 * `SigningMethodRS256` is now `*SigningMethodRSA` instead of `type struct`
105 * `KeyFunc` now returns `interface{}` instead of `[]byte`
106 * `SigningMethod.Sign` now takes `interface{}` instead of `[]byte` for the key
107 * `SigningMethod.Verify` now takes `interface{}` instead of `[]byte` for the key
108* Renamed type `SigningMethodHS256` to `SigningMethodHMAC`. Specific sizes are now just instances of this type.
109 * Added public package global `SigningMethodHS256`
110 * Added public package global `SigningMethodHS384`
111 * Added public package global `SigningMethodHS512`
112* Renamed type `SigningMethodRS256` to `SigningMethodRSA`. Specific sizes are now just instances of this type.
113 * Added public package global `SigningMethodRS256`
114 * Added public package global `SigningMethodRS384`
115 * Added public package global `SigningMethodRS512`
116* Moved sample private key for HMAC tests from an inline value to a file on disk. Value is unchanged.
117* Refactored the RSA implementation to be easier to read
118* Exposed helper methods `ParseRSAPrivateKeyFromPEM` and `ParseRSAPublicKeyFromPEM`
119
120#### 1.0.2
121
122* Fixed bug in parsing public keys from certificates
123* Added more tests around the parsing of keys for RS256
124* Code refactoring in RS256 implementation. No functional changes
125
126#### 1.0.1
127
128* Fixed panic if RS256 signing method was passed an invalid key
129
130#### 1.0.0
131
132* First versioned release
133* API stabilized
134* Supports creating, signing, parsing, and validating JWT tokens
135* Supports RS256 and HS256 signing methods
View as plain text