Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 (#28).
Fixed a potential issue that could occur when the presence of exp, iat or nbf was not required for verification and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork (#40).
The following version history is kept for historic purposes. To retrieve the current changes of each version, please refer to the change-log of the specific release versions on https://github.com/golang-jwt/jwt/releases.
4.0.0
Introduces support for Go modules. The v4 version will be backwards compatible with v3.x.y.
3.2.2
Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 (#28).
Fixed a potential issue that could occur when the verification of exp, iat or nbf was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork (#40).
Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code
Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
Fixed type confusing issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160
3.2.0
Added method ParseUnverified to allow users to split up the tasks of parsing and validation
HMAC signing method returns ErrInvalidKeyType instead of ErrInvalidKey where appropriate
Added options to request.ParseFromRequest, which allows for an arbitrary list of modifiers to parsing behavior. Initial set include WithClaims and WithParser. Existing usage of this function will continue to work as before.
Deprecated ParseFromRequestWithClaims to simplify API in the future.
3.1.0
Improvements to jwt command line tool
Added SkipClaimsValidation option to Parser
Documentation updates
3.0.0
Compatibility Breaking Changes: See MIGRATION_GUIDE.md for tips on updating your code
Dropped support for []byte keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
ParseFromRequest has been moved to request subpackage and usage has changed
The Claims property on Token is now type Claims instead of map[string]interface{}. The default value is type MapClaims, which is an alias to map[string]interface{}. This makes it possible to use a custom type when decoding claims.
Other Additions and Changes
Added Claims interface type to allow users to decode the claims into a custom type
Added ParseWithClaims, which takes a third argument of type Claims. Use this function instead of Parse if you have a custom type you'd like to decode into.
Dramatically improved the functionality and flexibility of ParseFromRequest, which is now in the request subpackage
Added ParseFromRequestWithClaims which is the FromRequest equivalent of ParseWithClaims
Added new interface type Extractor, which is used for extracting JWT strings from http requests. Used with ParseFromRequest and ParseFromRequestWithClaims.
Added several new, more specific, validation errors to error type bitmask
Moved examples from README to executable example files
Signing method registry is now thread safe
Added new property to ValidationError, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
Bumps github.com/golang-jwt/jwt from 3.2.1+incompatible to 3.2.2+incompatible.
Release notes
Sourced from github.com/golang-jwt/jwt's releases.
Changelog
Sourced from github.com/golang-jwt/jwt's changelog.
... (truncated)
Commits
4bbdd8a
Prepare release 3.2.2 (#42)8e9d9eb
Fix security vulnerability (#40)3248367
add ed25519 support (#36)860640e
Allocation optimization (#33)3008b2b
remove support for Go <= 1.14 (#28)You can trigger a rebase of this PR by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show