All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
There are no unreleased changes yet.
0.5.1 - 2018-01-29
- Fix test helpers (tests using the RSpec shared examples provided by this gem are broken with 0.5.0) (#18)
0.5.0 - 2018-01-29
- Verify the `aud` claim by default when using automatic public key selection (#14). This resolves a security concern introduced in 0.4.0. To upgrade, make sure each service that uses automatic public key selection is upgraded to at least 0.4.1 before upgrading the key server to 0.5.0. When generating keys, it is now required to add an `aud` claim with the URL of the request. See the `aud` verification section of the README for more specific instructions.
- Fix redefined const warning (#13)
- Fix gemspec warnings by being more specific about dependencies (#12)
- Better logging for unauthorized JWTs
0.4.1 - 2018-01-19
- Include the `aud` claim when requesting a public key for automatic public key selection (#10). This is in preparation for 0.5.0 and is provided as an intermediate step toward 0.5.0, so that circular or deep dependencies do not prevent any one server from upgrading to 0.5.0 quickly.
0.4.0 - 2018-01-17
- Name change: the name of this gem changed from `as_jwt_auth` to `action_sprout-jwt_auth` (#7). Therefore, the base module is now `ActionSprout::JWTAuth`, as opposed to `AsJWTAuth`. All references to `AsJWTAuth` will need to be updated to `ActionSprout::JWTAuth`.
- Move automatic claims to the JWT payload (#8). Originally, I incorrectly thought that these claims should be in the header and I was wrong. In order to take advantage of verification provided by the JWT gem, these claims need to be stored in the payload and not the header.
- Automatic public key selection: when using the `verify_jwt!` before_action, JWTAuth can determine the issuer from the JWT and use that to request a public key from a key server (#6)
  - Use the environment variable `JWT_KEY_SERVER_URL_TEMPLATE` to configure the public key server endpoint
  - This endpoint should be protected with the same gem using `verify_jwt!`
  - The result is cached in an `ActiveSupport::Cache::MemoryStore`
  - SECURITY NOTE: This feature is safe only if JWTs signed with keys existing in the key server's database are only used internally (meaning they are not shared with clients). In the case that these JWTs are shared with clients (such as a smart web client, for example), and the corresponding public key is available from the key server, then any server using `verify_jwt!` that does not have specific scoping rules will be vulnerable. UPDATE: Please upgrade to 0.5.0 for a security fix.
- `ActionSprout::JWTAuth.jwt_body` returns the body of the JWT without the header
- `AsJWTAuth.jwt_header` has been removed in favor of `ActionSprout::JWTAuth.jwt_issuer`
  - Before, the only existing use of `jwt_header` was to get the issuer
  - Now, the issuer is no longer even stored in the header
0.3.1 - 2018-01-11
- Automatically set private key and issuer using environment variables (#4). When generating a JWT, if the `key` and/or `issuer` options are missing, this gem will attempt to use values from `ENV` instead, namely `APP_NAME` for `issuer` and `PRIVATE_KEY` for `key`.
- This is the last version of this gem to be released under the name `as_jwt_auth`
  - The next version will be `action_sprout-jwt_auth` v0.4.0
  - With the name change, there will probably be a fair amount of internal refactoring and potentially breaking changes.
0.3.0 - 2018-01-10
- Require an `issuer` when generating a JWT
- Rails plugin (#3)
  - Controller helper `verify_jwt!` makes a good before_action
  - Add Rails testing helpers for testing controllers using `verify_jwt!`
- Add `AsJWTAuth.jwt_header` to make it easy to inspect the JWT header
- Automatically add `iss`, `jid`, and `iat` claims when generating a JWT
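The 0.3.0 automatic claims, the 0.3.1 `ENV` fallbacks, the 0.4.0 automatic public key selection and the 0.5.0 `aud` check, illustrated together in an added Ruby example that is not the gem's own code. It is a minimal RS256 signer and verifier built on the Ruby standard library (no `jwt` gem), with a constructed in-memory registry standing in for the key server behind `JWT_KEY_SERVER_URL_TEMPLATE`. The `MiniJWT` and `Verifier` names, the `frontend` issuer and the `service-a`/`service-b` URLs are invented for the example; the unique-id claim uses the RFC 7519 name `jti` where the changelog says `jid`.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Minimal RS256 JWT helpers (illustration only, not the gem's implementation).
module MiniJWT
  HEADER = { 'alg' => 'RS256', 'typ' => 'JWT' }.freeze

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  end

  # As in the gem since 0.3.0, iss/jti/iat are filled in automatically (the
  # changelog calls the id claim `jid`); as in 0.5.0, the caller must name the
  # request URL as `aud`. Issuer and key fall back to ENV as in 0.3.1.
  def self.generate(aud:, key: nil, issuer: nil, claims: {})
    key ||= OpenSSL::PKey::RSA.new(ENV.fetch('PRIVATE_KEY'))   # 0.3.1 fallback
    issuer ||= ENV.fetch('APP_NAME')                             # 0.3.1 fallback
    payload = claims.merge('iss' => issuer, 'jti' => SecureRandom.uuid,
                           'iat' => Time.now.to_i, 'aud' => aud)
    input = "#{b64url(JSON.generate(HEADER))}.#{b64url(JSON.generate(payload))}"
    "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  end
end

# Verifier for one service. `key_lookup` stands in for the key server reached
# via JWT_KEY_SERVER_URL_TEMPLATE: it maps an issuer name to its public key.
class Verifier
  def initialize(key_lookup:, my_url:, require_aud: true)
    @key_lookup, @my_url, @require_aud = key_lookup, my_url, require_aud
  end

  # Returns the payload when the token is acceptable for this service, else nil.
  def verify(token)
    header_b64, payload_b64, sig_b64 = token.split('.')
    return nil if sig_b64.nil?
    header = JSON.parse(MiniJWT.unb64url(header_b64))
    return nil unless header['alg'] == 'RS256'              # pin the algorithm
    payload = JSON.parse(MiniJWT.unb64url(payload_b64))
    pub = @key_lookup.call(payload['iss'])                  # key selection by issuer (0.4.0)
    return nil if pub.nil?
    sig = MiniJWT.unb64url(sig_b64)
    return nil unless pub.verify(OpenSSL::Digest.new('SHA256'), sig, "#{header_b64}.#{payload_b64}")
    return nil if @require_aud && payload['aud'] != @my_url # audience check (0.5.0)
    payload
  rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
    nil
  end
end

# Constructed scenario: a frontend issues a token for service A; both services
# look their keys up in the same registry. The token reaches a client, who
# presents it to service B instead.
def replay_demo
  issuer_key = OpenSSL::PKey::RSA.new(2048)
  registry = { 'frontend' => issuer_key.public_key }       # constructed key server contents
  lookup = ->(iss) { registry[iss] }
  a_url = 'https://service-a.example/reports'
  b_url = 'https://service-b.example/admin'
  token = MiniJWT.generate(key: issuer_key, issuer: 'frontend', aud: a_url)

  legacy_b = Verifier.new(key_lookup: lookup, my_url: b_url, require_aud: false)  # 0.4.0 behaviour
  fixed_b  = Verifier.new(key_lookup: lookup, my_url: b_url)                      # 0.5.0 behaviour
  fixed_a  = Verifier.new(key_lookup: lookup, my_url: a_url)

  # Re-pointing aud at service B without re-signing must fail the signature check.
  h, p, s = token.split('.')
  forged_payload = JSON.parse(MiniJWT.unb64url(p)).merge('aud' => b_url)
  forged = "#{h}.#{MiniJWT.b64url(JSON.generate(forged_payload))}.#{s}"

  # A signer the key server does not know about must not be accepted at all.
  stranger = MiniJWT.generate(key: OpenSSL::PKey::RSA.new(2048), issuer: 'stranger', aud: a_url)

  {
    accepted_at_intended_target: !fixed_a.verify(token).nil?,    # true
    replay_accepted_before_fix:  !legacy_b.verify(token).nil?,   # true: the 0.4.0 weakness
    replay_accepted_after_fix:   !fixed_b.verify(token).nil?,    # false
    forged_aud_accepted:         !fixed_b.verify(forged).nil?,   # false
    unknown_issuer_accepted:     !fixed_a.verify(stranger).nil?  # false
  }
end

puts replay_demo if $PROGRAM_NAME == __FILE__
```

The point the 0.5.0 entry makes is visible in the two verifiers for service B: with a shared key server and no audience check, any valid token signed by a known issuer is accepted wherever it is presented, and the check that closes that gap is a comparison of `aud` against the receiving service's own URL, protected by the signature so the claim cannot be rewritten in transit.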
0.2.1 - 2017-04-25
- Fix an issue where the jwt gem might not be correctly loaded when using `#generate_jwt` (#2)
- Initial gem with `#verify_jwt` and `#generate_jwt`