-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
35 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,6 +3,41 @@ | |
| All notable changes to this project will be documented in this file starting from version **v4.0.0**. | ||
| This project adheres to [Semantic Versioning](http://semver.org/). | ||
|
|
||
| ## [5.0.0] - 2015-04-11 | ||
|
|
||
| ### Changed | ||
|
|
||
| - [sign] Only set defautl `iat` if the user does not specify that argument. | ||
|
|
||
| Documenting verify `algorithms` parameter. (`pose - dschenkelman`) | ||
| https://github.com/auth0/node-jsonwebtoken/commit/e900282a8d2dff1d4dec815f7e6aa7782e867d91 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/35036b188b4ee6b42df553bbb93bc8a6b19eae9d | ||
| https://github.com/auth0/node-jsonwebtoken/commit/954bd7a312934f03036b6bb6f00edd41f29e54d9 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/24a370080e0b75f11d4717cd2b11b2949d95fc2e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/a77df6d49d4ec688dfd0a1cc723586bffe753516 | ||
|
|
||
| ### Security | ||
|
|
||
| - [verify] Update to jws@^3.0.0 and renaming `header.alg` mismatch exception to `invalid algorithm` and adding more mismatch tests. | ||
|
|
||
| As `[email protected]` changed the verify method signature to be `jws.verify(signature, algorithm, secretOrKey)`, the token header must be decoded first in order to make sure that the `alg` field matches one of the allowed `options.algorithms`. After that, the now validated `header.alg` is passed to `jws.verify` | ||
|
|
||
| As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the `jws` one: | ||
| ``` | ||
| { [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' } | ||
| ``` | ||
|
|
||
| That old error (removed from jws) has been replaced by a `JsonWebTokenError` with message `invalid token`. | ||
|
|
||
| > Important: the 4.x branch of the library is secure to use but we decided to deprecate everything `< 5.0.0` to prevent security warnings from library `node-jws` when doing `npm install`. | ||
| https://github.com/auth0/node-jsonwebtoken/commit/634b8ed0ff5267dc25da5c808634208af109824e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/9f24ffd5791febb449d4d03ff58d7807da9b9b7e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/19e6cc6a1f2fd90356f89b074223b9665f2aa8a2 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/1e4623420159c6410616f02a44ed240f176287a9 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/954bd7a312934f03036b6bb6f00edd41f29e54d9 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/24a370080e0b75f11d4717cd2b11b2949d95fc2e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/a77df6d49d4ec688dfd0a1cc723586bffe753516 | ||
|
|
||
| ## [4.2.2] - 2015-03-26 | ||
| ### Fixed | ||
|
|
||
|
|
||