auth0/node-jsonwebtoken
### [`v4.2.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#420---2015-03-16)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v4.1.0...v4.2.0)
##### Security
- \[asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key.
When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS\* family).
The issue was caused because the same signature was used to verify both type of tokens (`verify` method parameter: `secretOrPublicKey`).
This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`. (`jfromaniello`)
https://github.com/auth0/node-jsonwebtoken/commit/c2bf7b2cd7e8daf66298c2d168a008690bc4bdd3
https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
### [`v4.1.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#410---2015-03-10)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v4.0.0...v4.1.0)
##### Changed
- Assume the payload is JSON even when there is no `typ` property. [5290db1](https://togithub.com/auth0/node-jsonwebtoken/commit/5290db1bd74f74cd38c90b19e2355ef223a4d931)
### [`v4.0.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#400---2015-03-06)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.2...v4.0.0)
##### Changed
- The default encoding is now utf8 instead of binary. [92d33bd](https://togithub.com/auth0/node-jsonwebtoken/commit/92d33bd99a3416e9e5a8897d9ad8ff7d70a00bfd)
- Add `encoding` as a new option to `sign`. [1fc385e](https://togithub.com/auth0/node-jsonwebtoken/commit/1fc385ee10bd0018cd1441552dce6c2e5a16375f)
- Add `ignoreExpiration` to `verify`. [8d4da27](https://togithub.com/auth0/node-jsonwebtoken/commit/8d4da279e1b351ac71ace276285c9255186d549f)
- Add `expiresInSeconds` to `sign`. [dd156cc](https://togithub.com/auth0/node-jsonwebtoken/commit/dd156cc30f17028744e60aec0502897e34609329)
##### Fixed
- Fix wrong error message when the audience doesn't match. [44e3c8d](https://togithub.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327)
- Fix wrong error message when the issuer doesn't match. [44e3c8d](https://togithub.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327)
- Fix wrong `iat` and `exp` values when signing with `noTimestamp`. [331b7bc](https://togithub.com/auth0/node-jsonwebtoken/commit/331b7bc9cc335561f8806f2c4558e105cb53e0a6)
### [`v3.2.2`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.1...v3.2.2)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.1...v3.2.2)
### [`v3.2.1`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.0...v3.2.1)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.0...v3.2.1)
### [`v3.2.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.1...v3.2.0)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.1...v3.2.0)
### [`v3.1.1`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.0...v3.1.1)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.0...v3.1.1)
### [`v3.1.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.0.0...v3.1.0)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.0.0...v3.1.0)
### [`v3.0.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v2.0.0...v3.0.0)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v2.0.0...v3.0.0)
### [`v2.0.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/eea72087db2fd73bdc17195223ed532b25ba3e3d...v2.0.0)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/eea72087db2fd73bdc17195223ed532b25ba3e3d...v2.0.0)
### [`v1.1.2`](https://togithub.com/auth0/node-jsonwebtoken/compare/v1.1.1...v1.1.2)
[Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v1.1.1...v1.1.2)
[ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates:
0.4.0->4.2.0By merging this PR, the issue #26 will be automatically resolved and closed:
Release Notes
auth0/node-jsonwebtoken
### [`v4.2.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#420---2015-03-16) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v4.1.0...v4.2.0) ##### Security - \[asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key. When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS\* family). The issue was caused because the same signature was used to verify both type of tokens (`verify` method parameter: `secretOrPublicKey`). This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`. (`jfromaniello`) https://github.com/auth0/node-jsonwebtoken/commit/c2bf7b2cd7e8daf66298c2d168a008690bc4bdd3 https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 ### [`v4.1.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#410---2015-03-10) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v4.0.0...v4.1.0) ##### Changed - Assume the payload is JSON even when there is no `typ` property. [5290db1](https://togithub.com/auth0/node-jsonwebtoken/commit/5290db1bd74f74cd38c90b19e2355ef223a4d931) ### [`v4.0.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#400---2015-03-06) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.2...v4.0.0) ##### Changed - The default encoding is now utf8 instead of binary. [92d33bd](https://togithub.com/auth0/node-jsonwebtoken/commit/92d33bd99a3416e9e5a8897d9ad8ff7d70a00bfd) - Add `encoding` as a new option to `sign`. [1fc385e](https://togithub.com/auth0/node-jsonwebtoken/commit/1fc385ee10bd0018cd1441552dce6c2e5a16375f) - Add `ignoreExpiration` to `verify`. [8d4da27](https://togithub.com/auth0/node-jsonwebtoken/commit/8d4da279e1b351ac71ace276285c9255186d549f) - Add `expiresInSeconds` to `sign`. [dd156cc](https://togithub.com/auth0/node-jsonwebtoken/commit/dd156cc30f17028744e60aec0502897e34609329) ##### Fixed - Fix wrong error message when the audience doesn't match. [44e3c8d](https://togithub.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327) - Fix wrong error message when the issuer doesn't match. [44e3c8d](https://togithub.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327) - Fix wrong `iat` and `exp` values when signing with `noTimestamp`. [331b7bc](https://togithub.com/auth0/node-jsonwebtoken/commit/331b7bc9cc335561f8806f2c4558e105cb53e0a6) ### [`v3.2.2`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.1...v3.2.2) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.1...v3.2.2) ### [`v3.2.1`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.0...v3.2.1) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.0...v3.2.1) ### [`v3.2.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.1...v3.2.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.1...v3.2.0) ### [`v3.1.1`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.0...v3.1.1) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.0...v3.1.1) ### [`v3.1.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.0.0...v3.1.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.0.0...v3.1.0) ### [`v3.0.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v2.0.0...v3.0.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v2.0.0...v3.0.0) ### [`v2.0.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/eea72087db2fd73bdc17195223ed532b25ba3e3d...v2.0.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/eea72087db2fd73bdc17195223ed532b25ba3e3d...v2.0.0) ### [`v1.1.2`](https://togithub.com/auth0/node-jsonwebtoken/compare/v1.1.1...v1.1.2) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v1.1.1...v1.1.2)