auth-api/tests/node_modules/jsonwebtoken/CHANGELOG.md

Change Log

All notable changes to this project will be documented in this file starting from version v4.0.0. This project adheres to Semantic Versioning.

8.5.1 - 2019-03-18

Bug fix

• fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

8.5.0 - 2019-02-20

New Functionality

• feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
• Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522

Test Improvements

• Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
• Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
• Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
• ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569

Docs

• Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554

8.4.0 - 2018-11-14

New Functionality

• Add verify option for nonce validation (#540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #540

Bug Fixes

• Updating Node version in Engines spec in package.json (#528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #528 #509
• Fixed error message when empty string passed as expiresIn or notBefore option (#531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #531

Docs

• Update README.md (#527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #527
• Update README.md (#538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #538
• Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #548
• Document NotBeforeError (#529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #529

Test Improvements

• Use lolex for faking date in tests (#491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #491
• Update dependencies used for running tests (#518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #518
• Minor test refactoring for recently added tests (#504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #504
• Create and implement async/sync test helpers (#523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #523
• Refactor tests related to audience and aud (#503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #503
• Refactor tests related to expiresIn and exp (#501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #501
• Refactor tests related to iat and maxAge (#507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #507
• Refactor tests related to iss and issuer (#543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #543
• Refactor tests related to kid and keyid (#545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #545
• Refactor tests related to notBefore and nbf (#497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #497
• Refactor tests related to subject and sub (#505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #505
• Implement async/sync tests for exp claim (#536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #536
• Implement async/sync tests for nbf claim (#537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #537
• Implement async/sync tests for sub claim (#534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #534
• Implement async/sync tests for the aud claim (#535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #535

CI

• Added Istanbul to check test-coverage (#468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #468
• Complete ESLint conversion and cleanup (#490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #490
• Make code-coverage mandatory when running tests (#495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #495

8.3.0 - 2018-06-11

• docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
• ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
• new feature: Secret callback revisited (#480) (d01cc7bcbdeb606d997a580f967b3169fcc622ba), closes #480
• docs:Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461

8.2.2 - 2018-05-30

• security: deps: jws@3.1.5 (#477) (ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51), closes #465
• docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
• ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
• docs: Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461

8.2.1 - 2018-04-05

• bug fix: Check payload is not null when decoded. (#444) (1232ae9352ce5fd1ca6c593291ce6ad0834a1ff5)
• docs: Clarify that buffer/string payloads must be JSON (#442) (e8ac1be7565a3fd986d40cb5e31a9f6c4d9aed1b)

8.2.0 - 2018-03-02

• Add a new mutatePayload option (#446) (d6d7c5e5103f05a92d3633ac190d3025a0455be0)

8.1.1 - 2018-01-22

• ci: add newer node versions to build matrix (#428) (83f3eee44e122da06f812d7da4ace1fa26c24d9d)
• deps: Bump ms version to add support for negative numbers (#438) (25e0e624545eaef76f3c324a134bf103bc394724)
• docs: Minor typo (#424) (dddcb73ac05de11b81feeb629f6cf78dd03d2047)
• bug fix: Not Before (nbf) calculated based on iat/timestamp (#437) (2764a64908d97c043d62eba0bf6c600674f9a6d6), closes #435

8.1.0 - 2017-10-09

• #402: Don't fail if captureStackTrace is not a function (#410) (77ee965d9081faaf21650f266399f203f69533c5)
• #403: Clarify error wording for "Expected object" error. (#409) (bb27eb346f0ff675a320b2de16b391a7cfeadc58)
• Enhance audience check to verify against regular expressions (#398) (81501a17da230af7b74a3f7535ab5cd3a19c8315)

8.0.1 - 2017-09-12

• Remove lodash.isarray dependency (#394) (7508e8957cb1c778f72fa9a363a7b135b3c9c36d)

8.0.0 - 2017-09-06

Breaking changes: See Migration notes from v7

• docs: readme, migration notes (12cd8f7f47224f904f6b8f39d1dee73775de4f6f)
• verify: remove process.nextTick (#302) (3305cf04e3f674b9fb7e27c9b14ddd159650ff82)
• Reduce size of NPM package (#347) (0be5409ac6592eeaae373dce91ec992fa101bd8a)
• Remove joi to shrink module size (#348) (2e7e68dbd59e845cdd940afae0a296f48438445f)
• maxAge: Add validation to timespan result (66a4f8b996c8357727ce62a84605a005b2f5eb18)

7.4.3 - 2017-08-17

• Fix breaking change on 7.4.2 for empty secret + "none" algorithm (sync code style) (PR 386)

7.4.2 - 2017-08-04

• bugfix: sign: add check to be sure secret has a value (c584d1cbc34b788977b36f17cd57ab2212f1230e)
• docs: about refreshing tokens (016fc10b847bfbb76b82171cb530f32d7da2001b)
• docs: verifying with base64 encoded secrets (c25e9906801f89605080cc71b3ee23a5e45a5811)
• tests: Add tests for ES256 (89900ea00735f76b04f437c9f542285b420fa9cb)
• docs: document keyid as option (#361) (00086c2c006d7fc1a47bae02fa87d194d79aa558)
• docs: readme: Using private key with passpharase (#353) (27a7f1d4f35b662426ff0270526d48658da4c8b7)

7.4.1 - 2017-05-17

• bump ms to v2 due a ReDoS vulnerability (#352) (adcfd6ae4088c838769d169f8cd9154265aa13e0)

7.4.0 - 2017-04-24

• Add docs about numeric date fields (659f73119900a4d837650d9b3f5af4e64a2f843b)
• Make Options object optional for callback-ish sign (e202c4fd00c35a24e9ab606eab89186ade13d0cc)

7.3.0 - 2017-02-13

• Add more information to maxAge option in README (1b0592e99cc8def293eed177e2575fa7f1cf7aa5)
• Add clockTimestamp option to verify() you can set the current time in seconds with it (#274) (8fdc1504f4325e7003894ffea078da9cba5208d9)
• Fix handling non string tokens on verify() input (#305) (1b6ec8d466504f58c5a6e2dae3360c828bad92fb), closes #305
• Fixed a simple typo in docs (#287) (a54240384e24e18c00e75884295306db311d0cb7), closes #287
• Raise jws.decode error to avoid confusion with "invalid token" error (#294) (7f68fe06c88d5c5653785bd66bc68c5b20e1bd8e)
• rauchg/ms.js changed to zeit/ms (#303) (35d84152a6b716d757cb5b1dd3c79fe3a1bc0628)

7.2.1 - 2016-12-07

• add nsp check to find vulnerabilities on npm test (4219c34b5346811c07f520f10516cc495bcc70dd)
• revert to joi@^6 to keep ES5 compatibility (51d4796c07344bf817687f7ccfeef78f00bf5b4f)

7.2.0 - 2016-12-06

• improve the documentation for expiration (771e0b5f9bed90771fb79140eb38e51a3ecac8f0)
• Restructured a sentence (ccc7610187a862f7a50177eadc9152eef26cd065)
• Allow keyid on sign. (b412be91b89acb3a742bb609d3b54e47e1dfc441)
• upgrade joi (715e3d928023d414d45c6dc3f096a7c8448139ae)
• upgrade to latest nodes and Travis infrastructure (3febcc1dd23ecdec1abbf89313959941d15eb47a)

7.1.10 - 2016-12-06

• Bump node-jws version number (07813dd7194630c9f452684279178af76464a759)
• improve the documentation for expiration (771e0b5f9bed90771fb79140eb38e51a3ecac8f0)

7.1.9 - 2016-08-11

• Revert "Merge branch 'venatir-master'" (d06359ef3b4e619680e043ee7c16adda16598f52)

7.1.8 - 2016-08-10

• Fixed tests, however typ: 'JWT' should not be in the options at all, so please review other tests (01903bcdc61b4ed429acbbd1fe0ffe0db364473b)
• Removing unnecessary extra decoding. jwtString is already verified as valid and signature checked (55d5834f7b637011e1d8b927ff78a92a5fd521cf)
• update changelog (5117aacd0118a10331889a64e61d8186112d8a23)

7.1.7 - 2016-07-29

• Use lodash.once instead of unlicensed/unmaintained cb (3ac95ad93ef3068a64e03d8d14deff231b1ed529)

7.1.6 - 2016-07-15

• fix issue with buffer payload. closes #216 (6b50ff324b4dfd2cb0e49b666f14a6672d015b22), closes #216

7.1.5 - 2016-07-15

• update jws in package.json (b6260951eefc68aae5f4ede359210761f901ff7a)

7.1.4 - 2016-07-14

• add redundant test (bece8816096f324511c3efcb8db0e64b75d757a1)
• fix an issue of double callback on error (758ca5eeca2f1b06c32c9fce70642bf488b2e52b)

7.1.2 - 2016-07-12

• do not stringify the payload when signing async - closes #224 (084f537d3dfbcef2bea411cc0a1515899cc8aa21), closes #224

7.1.1 - 2016-07-12

• do not mutate options in jwt.verify, closes #227 (63263a28a268624dab0927b9ad86fffa44a10f84), closes #227
• refactor into multiple files (e11d505207fa33501298300c9accbfb809d8748d)

7.1.0 - 2016-07-12

• Exp calculated based on iat. fix #217 (757a16e0e35ad19f9e456820f55d5d9f3fc76aee), closes #217

7.0.0 - 2016-05-19

• change jwt.sign to return errors on callback instead of throwing errors (1e46c5a42aa3dab8478efa4081d8f8f5c5485d56)

6.2.0 - 2016-04-29

• add support for options.clockTolerance to jwt.verify (65ddea934f226bf06bc9d6a55be9587515cfc38d)

6.1.2 - 2016-04-29

• fix sign method for node.js 0.12. closes #193 (9c38374142d3929be3c9314b5e9bc5d963c5955f), closes #193
• improve async test (7b0981380ddc40a5f1208df520631785b5ffb85a)

6.1.0 - 2016-04-27

• verify unsigned tokens (ec880791c10ed5ef7c8df7bf28ebb95c810479ed)

6.0.1 - 2016-04-27

This was an immediate change after publishing 6.0.0.

• throw error on invalid options when the payload is not an object (304f1b33075f79ed66f784e27dc4f5307aa39e27)

6.0.0 - 2016-04-27

• Change .sign to standard async callback (50873c7d45d2733244d5da8afef3d1872e657a60)

• Improved the options for the sign method (53c3987b3cc34e95eb396b26fc9b051276e2f6f9)

  • throw error on invalid options like expiresIn when the payload is not an object (304f1b33075f79ed66f784e27dc4f5307aa39e27)
  • expiresInMinutes and expiresInSeconds are deprecated and no longer supported.
  • notBeforeInMinutes and notBeforeInSeconds are deprecated and no longer supported.
  • options are strongly validated.
  • options.expiresIn, options.notBefore, options.audience, options.issuer, options.subject and options.jwtid are mutually exclusive with payload.exp, payload.nbf, payload.aud, payload.iss
  • options.algorithm is properly validated.
  • options.headers is renamed to options.header.

• update CHANGELOG to reflect most of the changes. closes #136 (b87a1a8d2e2533fbfab518765a54f00077918eb7), closes #136

• update readme (53a88ecf4494e30e1d62a1cf3cc354650349f486)

5.7.0 - 2016-02-16

• add support for validating multiples issuers. closes #163 (39d9309ae05648dbd72e5fd1993df064ad0e8fa5), closes #163

5.6.1 - 2016-02-16

• 5.6.1 (06d8209d499dbc9a8dd978ab6cbb9c6818fde203)
• fix wrong error when setting expiration on non-object payload. closes #153 (7f7d76edfd918d6afc7c7cead888caa42ccaceb4), closes #153

5.6.0 - 2016-02-16

• added missing validations of sub and jti (a1affe960d0fc52e9042bcbdedb65734f8855580)
• Fix tests in jwt.rs.tests.js which causes 4 to fail (8aedf2b1f575b0d9575c1fc9f2ac7bc868f75ff1)
• Update README.md (349b7cd00229789b138928ca060d3ef015aedaf9)

5.5.4 - 2016-01-04

• minor (46552e7c45025c76e3f647680d7539a66bfac612)

5.5.3 - 2016-01-04

• add a console.warn on invalid options for string payloads (71200f14deba0533d3261266348338fac2d14661)
• minor (65b1f580382dc58dd3da6f47a52713776fd7cdf2)

5.5.2 - 2016-01-04

• fix signing method with sealed objects, do not modify the params object. closes #147 (be9c09af83b09c9e72da8b2c6166fa51d92aeab6), closes #147

5.5.1 - 2016-01-04

• fix nbf verification. fix #152 (786d37b299c67771b5e71a2ca476666ab0f97d98), closes #152

5.5.0 - 2015-12-28

• improvements to nbf and jti claims (46372e928f6d2e7398f9b88022ca617d2a3b0699)
• Remove duplicate payload line (fix bug in IE strict mode) (8163d698e0c5ad8c44817a5dcd42a15d7e9c6bc8)
• Remove duplicate require('ms') line (7c00bcbcbf8f7503a1070b394a165eccd41de66f)
• Update README to reflect addition of async sign (d661d4b6f68eb417834c99b36769444723041ccf)

5.4.0 - 2015-10-02

• deprecate expireInMinutes and expireInSeconds - in favor of expiresIn (39ecc6f8f310f8462e082f1d53de0b4222b29b6f)

5.3.0 - 2015-10-02

• 5.3.0 (5d559ced3fbf10c1adae2e5792deda06ea89bcd3)
• minor (6e81ff87a3799b0e56db09cbae42a97e784716c4)

5.1.0 - 2015-10-02

• added async signing (9414fbcb15a1f9cf4fe147d070e9424c547dabba)
• Update README.md (40b2aaaa843442dfb8ee7b574f0a788177e7c904)

5.0.5 - 2015-08-19

• add ms dep to package.json (f13b3fb7f29dff787e7c91ebe2eb5adeeb05f251)
• add note to explain, related to #96 #101 #6 (dd8969e0e6ed0bcb9cae905d2b1a96476bd85da3)
• add tests for options.headers (7787dd74e705787c39a871ca29c75a2e0a3948ac)
• add tests for verify expires (d7c5793d98c300603440ab460c11665f661ad3a0)
• add verify option maxAge (with tests) (49d54e54f7e70b1c53a2e4ee67e116c907d75319)
• fix spelling error in error message (8078b11b224fa05ac9003ca5aa2c85e9f0128cfb)
• Fix typo options.header is not a documented option + (5feaa5b962ccbddeff054817a410f7b0c1e6ce7f)
• update JWT spec link. closes #112 (f5fa50f797456a12240589161835c7ea30807195), closes #112

5.0.3 - 2015-07-15

• Added nbf support (f26ba4e2fa197a20497632b63ffcd13ae93aacc4)
• Added support for subject and jwt id (ab76ec5bc554e2d1e25376ddb7cea711d86af651)
• Fix this referring to the global object instead of module.exports in verify() (93f554312e37129027fcf4916f48cb8d1b53588c)
• Fix typo, line 139 README, complete option for .decode. (59c110aeb8c7c1847ef2ffd77702d13627c89e10)
• minor (61ff1172272b582902313e958058ff22413494af)

5.0.2 - 2015-06-15

• fix typo in docs . closes #86 (3d3413221f36acef4dfd1cbed87f1f3565cd6f84), closes #86

5.0.1 - 2015-05-15

• Add option to return header and payload when decoding. (7254e011b59f892d1947e6c11819281adac7069d)
• Avoid uncaught "SyntaxError: Unexpected token ͧ" error. (0dc59cd6ee15d83a606acffa7909ee76176ae186)
• Document complete option in README. (ec32b20241a74d9681ea26e1a7024b4642468c00)
• Fix example in README, silence verbose logging. (ba3174d10033c41e9c211a38f1cc67f74fbd7f69)
• Fix link to auth0.com in README (1b3c5ff72c9bc25e9271646e679f3080f2a042a0)
• Immediate return if not decoded. (851bda2b10168f3269c3da6e74d310742f31a193)
• Prevent throw on undefined/null secret (0fdf78d4dbf609455f3277d6169a987aef0384d4)
• Removed path from test (d6240e24186732d368bffe21143becf44c38f0d6)
• Simplified checking for missing key (f1cffd033bffc44f20558eda4a797c3fa2f4ee05)
• Typo (ffe68dbe0219bab535c1018448eb4c0b22f1f902)
• Update CHANGELOG.md (927cce0dad1bc9aad75aeef53e276cf4cfc0d776)
• Update CHANGELOG.md (6879e0fdde222995c70a3a69a4af94993d9c667e)
• Update CHANGELOG.md (c5596c10e8705727fa13e0394184a606083078bc)
• Update CHANGELOG.md (07541f0315f26d179e1cde92732b6124d6869b6f)
• Update CHANGELOG.md (e6465d48ddd1dc2c3297229b28c78fd5490a2ba9)

[5.0.0] - 2015-04-11

Changed

• [sign] Only set defautl iat if the user does not specify that argument.

e900282a8d 35036b188b 954bd7a312 24a370080e a77df6d49d

Security

• [verify] Update to jws@^3.0.0 and renaming header.alg mismatch exception to invalid algorithm and adding more mismatch tests.

As jws@3.0.0 changed the verify method signature to be jws.verify(signature, algorithm, secretOrKey), the token header must be decoded first in order to make sure that the alg field matches one of the allowed options.algorithms. After that, the now validated header.alg is passed to jws.verify

As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the jws one:

{ [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' }

That old error (removed from jws) has been replaced by a JsonWebTokenError with message invalid token.

Important: versions >= 4.2.2 this library are safe to use but we decided to deprecate everything < 5.0.0 to prevent security warnings from library node-jws when doing npm install.

634b8ed0ff 9f24ffd579 19e6cc6a1f 1e46234201 954bd7a312 24a370080e a77df6d49d

[4.2.2] - 2015-03-26

Fixed

• [asymmetric-keys] Fix verify for RSAPublicKey formated keys (jfromaniello - awlayton) 402794663b 8df6aabbc7

[4.2.1] - 2015-03-17

Fixed

• [asymmetric-keys] Fixed issue when public key starts with BEING PUBLIC KEY (https://github.com/auth0/node-jsonwebtoken/issues/70) (jfromaniello) 7017e74db9

[4.2.0] - 2015-03-16

Security

• [asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key. When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS* family).

The issue was caused because the same signature was used to verify both type of tokens (verify method parameter: secretOrPublicKey).

This change adds a new parameter to the verify called algorithms. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string BEGIN CERTIFICATE the default is [ 'RS256','RS384','RS512','ES256','ES384','ES512' ] otherwise is [ 'HS256','HS384','HS512' ]. (jfromaniello) c2bf7b2cd7 1bb584bc38

[4.1.0] - 2015-03-10

Changed

• Assume the payload is JSON even when there is no typ property. 5290db1

[4.0.0] - 2015-03-06

Changed

• The default encoding is now utf8 instead of binary. 92d33bd
• Add encoding as a new option to sign. 1fc385e
• Add ignoreExpiration to verify. 8d4da27
• Add expiresInSeconds to sign. dd156cc

Fixed

• Fix wrong error message when the audience doesn't match. 44e3c8d
• Fix wrong error message when the issuer doesn't match. 44e3c8d
• Fix wrong iat and exp values when signing with noTimestamp. 331b7bc