CHANGELOG.md
## 0.6.0 (28 February 2014)
Breaking changes:
- Changed the behaviour around unsigned tokens so that they are rejected by default, to make the default settings more secure.
## 0.5.2 (03 January 2014)
Improvements:
- RSpec assertions now use 3.x syntax (thanks to [@petergoldstein](https://github.com/petergoldstein))
- MultiJson is now an optional dependency (thanks [@petergoldstein](https://github.com/petergoldstein))
## 0.5.1 (11 June 2013)
Bug fixes:
- Fixed some loading errors when using the library with Sinatra.
Breaking changes:
- Methods on the `Sandal::Util` module are now static rather than being designed to be mixed in.
## 0.5.0 (07 June 2013)
Features:
- Updated to JWT draft-08 specification, and corresponding JWE, JWS and JWA drafts.
- Added a KeyError class for when invalid keys are given to the library.
- Added an ExpiredTokenError class to make handling the common case of expired tokens easier.
- Added a NAME constant to all classes with a JWA name to save user having to hard-code the name string.
Breaking changes:
- Tokens are not backwards compatible with previous versions of the library due to changes in the specification.
- Dropped support for Ruby 1.9.2; supported platforms are now 1.9.3, 2.0.0, JRuby (head) and Rubinius (head).
## 0.4.0 (30 April 2013)
Features:
- The decode_token method now recursively decodes/decrypts nested tokens rather than requiring multiple calls.
Breaking changes:
- The decode_token method is now used for both signed and encrypted tokens; the decrypt_token method has been removed.
Bug fixes:
- The 'none' algorithm value is now always set in plaintext tokens.
- The zip parameter is now used when encrypting/decrypting JWE tokens.
- The Concat KDF function now works correctly when inputs have different string encodings by treating them all as binary.
- Errors related to jwt_base64_encode not being found when running under rack (although they worked fine under rspec) are resolved.
## 0.3.0 (20 April 2013)
Features:
- Keys can now be passed as strings as well as OpenSSL types.
Breaking changes:
- Default options have changed so that the behaviour is consistent with no options being passed.
Bug fixes:
- Strings are now compared by codepoint rather than by byte, in accordance with JWS ยง 5.3.
- Integrity value check in AES/CBC+HS algorithms now uses the constant time string comparison function rather than ==.
- Base64 decoding now checks that the decode was not lossy, as jruby would do a 'best effort' decode of invalid base64 strings.
## 0.2.0 (05 April 2013)
Features:
- Added support for AES/CBC and AES/GCM encryption methods.
- Added RSA1_5, RSA-OAEP and direct key protection algorithms.
Bug fixes:
- Sandal::Sig::ES class is now not included in jruby as ECDSA isn't supported.
## 0.1.1 (01 April 2013)
Features:
- Changed from json to multi_json gem for improved compatibility.
- New Claims module can add claims validation functionality to Hash-like objects.
- New ClaimError type for claim validation errors.
Bug fixes:
- Base64 decoding now ensures there is no padding before decoding.
## 0.1.0 (30 March 2013)
The first version worth using.
Features:
- Supports all JWA signature algorithms (ES, HS, RS, none).
- Validates exp, nbf, iss and aud claims.
- Configurable token validation options.