CHANGES
=======
1.0.0 (2015-10-06)
------------------
- Fixed bug in authentication tag computation (patch contributed by jaimeperez)
Important: This is a backwards incompatible change: tokens produced by this
version cannot be decrypted by library versions < 1.0.0, and vice versa. The
input to the JWE authentication tag (HMAC) is now the plain concatenation of
its parts, using an empty string as the joiner rather than ".", to fall in line
with https://tools.ietf.org/html/rfc7518#section-5.2.2.1
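The tag computation that the 1.0.0 fix brings in line with RFC 7518 section 5.2.2.1 is shown below as an added example (it is not this project's code). The MAC input is AAD || IV || ciphertext || AL, where AL is the 64-bit big-endian bit length of the AAD, and the tag is the first half of the HMAC output; the `separator` parameter models the pre-1.0.0 behaviour on the assumption that the "." sat between those four pieces, which the changelog does not state in detail. The key and AAD below are the A128CBC-HS256 values from RFC 7518 Appendix B.1; the IV and ciphertext are constructed, so the resulting tag is not the Appendix B.1 vector (use that appendix to check a real implementation).

```python
"""AES_CBC_HMAC_SHA2 authentication tag (RFC 7518 section 5.2.2.1),
with the pre-1.0.0 "."-joined variant beside it to show why the tags differ.
Added example; not this project's code."""
import hashlib
import hmac
import struct

# A128CBC-HS256 parameters (RFC 7518 section 5.2.3): 32-byte key whose first
# 16 bytes are MAC_KEY and last 16 bytes are ENC_KEY, HMAC-SHA-256, 16-byte tag.
KEY_LEN = 32
MAC_KEY_LEN = 16
TAG_LEN = 16

# Key and AAD as in RFC 7518 Appendix B.1. IV and ciphertext are constructed
# placeholders for this example (the real E would come from AES-CBC).
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_AAD = b"The second principle of Auguste Kerckhoffs"
SAMPLE_IV = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed
SAMPLE_CT = bytes.fromhex("deadbeef" * 8)                          # constructed


def al_bits(aad: bytes) -> bytes:
    """AL: number of bits in the AAD as a 64-bit big-endian integer (step 5)."""
    return struct.pack(">Q", len(aad) * 8)


def compute_tag(key: bytes, aad: bytes, iv: bytes, ciphertext: bytes,
                separator: bytes = b"") -> bytes:
    """Return the truncated HMAC tag T over AAD || IV || E || AL.

    separator=b"" is the RFC form (1.0.0). separator=b"." reproduces the
    assumed pre-1.0.0 joiner so the two tags can be compared.
    """
    if len(key) != KEY_LEN:
        raise ValueError("A128CBC-HS256 requires a %d-byte key" % KEY_LEN)
    mac_key = key[:MAC_KEY_LEN]
    mac_input = separator.join([aad, iv, ciphertext, al_bits(aad)])
    m = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
    return m[:TAG_LEN]


def verify_tag(key: bytes, aad: bytes, iv: bytes, ciphertext: bytes,
               tag: bytes) -> bool:
    """Constant-time comparison of the received tag against the RFC-form tag."""
    return hmac.compare_digest(compute_tag(key, aad, iv, ciphertext), tag)


if __name__ == "__main__":
    rfc_tag = compute_tag(SAMPLE_KEY, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT)
    old_tag = compute_tag(SAMPLE_KEY, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT, b".")
    print("AL       :", al_bits(SAMPLE_AAD).hex())
    print("RFC tag  :", rfc_tag.hex())
    print("'.' tag  :", old_tag.hex())
    print("tags equal:", rfc_tag == old_tag)
    print("tampered AAD verifies:",
          verify_tag(SAMPLE_KEY, SAMPLE_AAD + b"x", SAMPLE_IV, SAMPLE_CT, rfc_tag))
```

Because the joiner bytes enter the HMAC input, a token sealed by one form fails verification under the other; that is the whole reason the 1.0.0 change cannot be backwards compatible.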
0.3.0 (2015-04-10)
------------------
- Fixed critical JWT vulnerability (patch contributed by yuriikonovaliuk)
Important: Only unencrypted tokens are vulnerable. This fix led to a backwards
incompatible change to the `verify` function signature.
0.2.2 (2015-01-07)
------------------
- RFC compliance fixes (patch contributed by jaimeperez)
Important: This change introduces a temporarily injected key (__v) in order to
distinguish between legacy and newly issued tokens. This allows either kind of
token to be accepted, so as not to break backwards compatibility and (possibly)
degrade user experience. This key will be removed for v1.0.
In order to verify whether or not clients are using a legacy token, the
application code can verify whether or not the key "__v" is contained in the
headers (this can be done after deserialize_compact). The existence of the key
identifies a newly created token.
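A way for application code to make the legacy check described above, added here as an example rather than code from this project: it parses the protected header of a compact serialization itself (the library's `deserialize_compact` is not used, so its signature is not assumed) and reports a token as legacy when the `__v` marker is absent. The sample tokens are constructed with placeholder payload and signature segments purely to exercise the header parsing; they are not valid signed tokens.

```python
"""Detect legacy (pre-0.2.2) tokens by the absence of the "__v" header key.
Added example; the "__v" marker comes from the changelog, the parsing
helpers are this example's own."""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWS/JWE compact form
    (RFC 7515 Appendix C); restore the '=' padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_protected_header(token: str) -> dict:
    """Return the JSON header of a compact JWS (3 segments) or JWE (5 segments)."""
    segments = token.split(".")
    if len(segments) not in (3, 5):
        raise ValueError("not a compact JWS/JWE: %d segments" % len(segments))
    try:
        header = json.loads(b64url_decode(segments[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed protected header") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def is_legacy_token(token: str) -> bool:
    """True when the token predates 0.2.2, i.e. its header lacks "__v"."""
    return "__v" not in parse_protected_header(token)


def build_sample_token(header: dict) -> str:
    """Constructed token for this example: real header, dummy payload/signature."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url_encode(b'{"sub":"example"}')
    signature = b64url_encode(b"\x00" * 32)          # placeholder, not a real MAC
    return ".".join([head, payload, signature])


if __name__ == "__main__":
    legacy = build_sample_token({"alg": "HS256", "typ": "JWT"})
    current = build_sample_token({"alg": "HS256", "typ": "JWT", "__v": 1})
    print("legacy token is legacy :", is_legacy_token(legacy))
    print("new token is legacy    :", is_legacy_token(current))
```

The header check is deliberately separate from any signature or decryption step: it only tells the application which token format it is about to verify, and must not be treated as evidence that the token is authentic.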
0.2.1 (2014-11-24)
------------------
- Unpinned pycrypto dependency (patch contributed by kuba)
- Added CLI exposing "decrypt" command
- Added custom exceptions, making client error handling easier
0.1 (2014-04-16)
----------------
- Initial release