jwt-3.0.0.beta1

v3.0.0-beta1 (2025-01-25)

Full Changelog

Breaking changes:

• Require token signature to be verified before accessing payload #648 (@anakinj)
• Drop support for the HS512256 algorithm #650 (@anakinj)
• Remove deprecated claim verification methods #654 (@anakinj)
• Remove dependency to rbnacl #655 (@anakinj)
• Support only stricter base64 decoding (RFC 4648) #658 (@anakinj)
• Custom algorithms are required to include JWT::JWA::SigningAlgorithm #660 (@anakinj)
• Require RSA keys to be at least 2048 bits #661 (@anakinj)
• Base64 encode and decode the k value for HMAC JWKs #662 (@anakinj)

Take a look at the upgrade guide for more details.

Features:

• JWT::EncodedToken#verify! method that bundles signature and claim validation #647 (@anakinj)
• Do not override the alg header if already given #659 (@anakinj)
• Make JWK::KeyFinder compatible with JWT::EncodedToken #663 (@anakinj)

Fixes and enhancements:

• Ruby 3.4 to CI matrix #649 (@anakinj)

jwt-2.10.1

v2.10.1 (2024-12-26)

Full Changelog

Fixes and enhancements:

• Make version constants public again #646 (@anakinj)

jwt-2.10.0

v2.10.0 (2024-12-25)

Full Changelog

Features:

• JWT::Token and JWT::EncodedToken for signing and verifying tokens #621 (@anakinj)
• Detached payload support for JWT::Token and JWT::EncodedToken #630 (@anakinj)
• Skip decoding payload if b64 header is present and false #631 (@anakinj)
• Remove a few custom Rubocop configs #638 (@anakinj)

Fixes and enhancements:

• Deprecation warnings for deprecated methods and classes #629 (@anakinj)
• Improved documentation for public apis #629 (@anakinj)
• Use correct methods when raising error during signing/verification with EdDSA #633
• Fix JWT::EncodedToken behavior with empty string as token #640 (@ragalie)
• Deprecation warnings for rbnacl backed functionality #641 (@anakinj)

jwt-2.9.3

v2.9.3 (2024-10-03)

Full Changelog

Fixes and enhancements:

• Return truthy value for ::JWT::ClaimsValidator#validate! and ::JWT::Verify.verify_claims #628 (@anakinj)

jwt-2.9.2

v2.9.2 (2024-10-03)

Full Changelog

Features:

• Standalone claim verification interface #626 (@anakinj)

Fixes and enhancements:

• Updated README to correctly document OpenSSL::HMAC documentation #617 (@aedryan)
• Verify JWT header format #622 (@304)
• Bring back ::JWT::ClaimsValidator, ::JWT::Verify and a few other removed interfaces for preserved backwards compatibility #624 (@anakinj)

jwt-2.9.1

Full Changelog

Fixes and enhancements:

• Fix regression in iss and aud claim validation #619 (@anakinj)

jwt-2.9.0

Full Changelog

Features:

• Build and push gem using a GH action #612 (@anakinj)

Fixes and enhancements:

• Refactor claim validators into their own classes #605 (@anakinj, @MatteoPierro)
• Allow extending available algorithms #607 (@anakinj)
• Do not include the EdDSA algorithm if rbnacl not available #613 (@anakinj)

jwt-2.8.2

Full Changelog

Fixes and enhancements:

• Print deprecation warnings only on when token decoding succeeds #600 (@anakinj)
• Unify code style #602 (@anakinj)

jwt-2.8.1

Full Changelog

Features:

• Configurable base64 decode behaviour #589 (@anakinj)

Fixes and enhancements:

• Output deprecation warnings once #589 (@anakinj)

jwt-2.8.0

Full Changelog

Features:

• Updated rubocop to 1.56 #573 (@anakinj)
• Run CI on Ruby 3.3 #577 (@anakinj)
• Deprecation warning added for the HMAC algorithm HS512256 (HMAC-SHA-512 truncated to 256-bits) #575 (@anakinj)
• Stop using RbNaCl for standard HMAC algorithms #575 (@anakinj)

Fixes and enhancements:

• Fix signature has expired error if payload is a string #555 (@GobinathAL)
• Fix key base equality and spaceship operators #569 (@magneland)
• Remove explicit base64 require from x5c_key_finder #580 (@anakinj)
• Performance improvements and cleanup of tests #581 (@anakinj)
• Repair EC x/y coordinates when importing JWK #585 (@julik)
• Explicit dependency to the base64 gem #582 (@anakinj)
• Deprecation warning for decoding content not compliant with RFC 4648 #582 (@anakinj)
• Algorithms moved under the ::JWT::JWA module (@anakinj)