Changelog History
-
v1.1.1 Changes
July 28, 2016
- Fixed handling of expiration exceptions during selection of decryption method (patch contributed by yuriikonovaliuk)
-
v1.1.0 Changes
March 03, 2016
- Added support for decrypting JWE-compliant tokens (patch contributed by yuriikonovaliuk)
Note: Tokens generated by encrypt are not JWE spec compliant. Prior to this patch, decrypt was not able to decrypt JWE spec compliant tokens either.
-
v1.0.0 Changes
October 06, 2015
- Fixed bug in authentication tag computation (patch contributed by jaimeperez)
Important: This is a backwards-incompatible change: tokens produced by this version cannot be deciphered by versions < 1.0.0. The JWE hash string was changed to use an empty string rather than "." to fall in line with https://tools.ietf.org/html/rfc7518#section-5.2.2.1
-
v0.3.0 Changes
April 10, 2015
- Fixed critical JWT vulnerability (patch contributed by yuriikonovaliuk)
Important: Only unencrypted tokens are vulnerable. This fix led to a backward-incompatible change to the verify function signature.
-
v0.2.2 Changes
January 07, 2015
- RFC compliance fixes (patch contributed by jaimeperez)
Important: This change introduces a temporarily injected key (__v) in order to distinguish between legacy and newly issued tokens. This allows either kind of token to be used, so as not to break backwards compatibility and (possibly) degrade user experience. This will be removed for v1.0.
In order to verify whether or not clients are using a legacy token, the application code can verify whether or not the key "__v" is contained in the headers (this can be done after deserialize_compact). The existence of the key identifies a newly created token.
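One way to run the check described above across a batch of tokens, as an added example that is not code from the library or its changelog. It reads the header from the first segment of the compact serialization rather than calling deserialize_compact; the function names and sample tokens are constructed for illustration. The header is read before any verification, so the result is suitable for migration telemetry only.

```python
import base64
import binascii
import json
from collections import Counter

VERSION_KEY = "__v"  # temporary header key named in the v0.2.2 notes


def read_header(token):
    """Decode the first segment of a compact token WITHOUT verifying it."""
    segment = token.split(".", 1)[0]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except (binascii.Error, ValueError):  # bad base64, bad UTF-8, bad JSON
        return None
    return header if isinstance(header, dict) else None


def classify(token):
    """Return 'new', 'legacy' or 'malformed' for one compact token."""
    header = read_header(token)
    if header is None:
        return "malformed"
    # Presence of the key marks a newly issued token; its value is not used.
    return "new" if VERSION_KEY in header else "legacy"


def tally(tokens):
    """Count token kinds, e.g. to see how many legacy tokens are still in use."""
    return Counter(classify(t) for t in tokens)


def _seg(raw):
    # Helper for building the constructed samples below.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens; payload and signature segments are dummies.
SAMPLES = [
    _seg(json.dumps({"alg": "HS256", "__v": 2}).encode()) + ".cGF5bG9hZA.c2ln",
    _seg(json.dumps({"alg": "HS256"}).encode()) + ".cGF5bG9hZA.c2ln",
    _seg(b"not-json") + ".cGF5bG9hZA.c2ln",
]

if __name__ == "__main__":
    print(dict(tally(SAMPLES)))
```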
-
v0.2.1 Changes
November 24, 2014
- Unpinned pycrypto dependency (patch contributed by kuba)
- Added CLI exposing "decrypt" command
- Added custom exceptions, making client error handling easier
-
v0.1 Changes
April 16, 2014
- Initial release