- 🛠 Fixed handling of expiration exceptions during selection of decryption method (patch contributed by yuriikonovaliuk)
- 👍 Allowed to decrypt JWE compliant tokens (patch contributed by yuriikonovaliuk)
Note: Tokens generated by encrypt are not JWE spec compliant. Prior to this patch, decrypt was also unable to decrypt JWE spec compliant tokens.
- 🛠 Fixed bug in authentication tag computation (patch contributed by jaimeperez)
Important: This is a backwards incompatible change: tokens produced in this version will not be decipherable by versions < 1.0.0. The string over which the JWE authentication tag is computed was changed to join its inputs with an empty string rather than ".", to fall in line with https://tools.ietf.org/html/rfc7518#section-22.214.171.124
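As an added example (not the library's own code), the following computes the A128CBC-HS256 authentication tag the way RFC 7518 section 5.2.2.2 specifies it, and takes an optional separator argument only to model the pre-1.0.0 behaviour described above. The key, IV and ciphertext are constructed placeholders (the ciphertext is not real AES output), and the "." legacy form is reconstructed from the changelog's description rather than from the old source.

```python
import base64
import hashlib
import hmac
import json
import struct

# Added example, not code from the library this changelog describes.
# RFC 7518 section 5.2.2.2 defines the AES_CBC_HMAC_SHA2 tag as the first T_LEN
# bytes of MAC(MAC_KEY, A || IV || E || AL), where
#   A  = Additional Authenticated Data (for compact JWE: the base64url protected header),
#   E  = the AES-CBC ciphertext,
#   AL = bit length of A as a 64-bit big-endian integer,
# and the four parts are concatenated directly with no separator. For
# A128CBC-HS256 (section 5.2.3) MAC_KEY is the first 16 bytes of the 32-byte
# key and T_LEN is 16.

MAC_KEY_LEN = 16
TAG_LEN = 16


def aes_cbc_hmac_sha256_tag(key, aad, iv, ciphertext, sep=b""):
    """A128CBC-HS256 authentication tag.

    `sep` is not part of the RFC. It exists only to model the pre-1.0.0
    behaviour this changelog describes (inputs joined with b"." instead of
    concatenated); leave it at the default b"" for spec-compliant tags.
    """
    if len(key) != 2 * MAC_KEY_LEN:
        raise ValueError("A128CBC-HS256 needs a 32-byte key (16 MAC + 16 ENC)")
    mac_key = key[:MAC_KEY_LEN]                 # MAC_KEY: leading MAC_KEY_LEN bytes
    al = struct.pack(">Q", len(aad) * 8)        # AL: bit length of A, 64-bit big-endian
    mac_input = sep.join((aad, iv, ciphertext, al))
    return hmac.new(mac_key, mac_input, hashlib.sha256).digest()[:TAG_LEN]


def verify_tag(key, aad, iv, ciphertext, tag, sep=b""):
    """Constant-time check of a received tag; returns True/False instead of raising."""
    expected = aes_cbc_hmac_sha256_tag(key, aad, iv, ciphertext, sep)
    return hmac.compare_digest(expected, tag)


# Constructed sample inputs (placeholders, not a real key or real AES output).
HEADER = {"alg": "dir", "enc": "A128CBC-HS256"}
# For compact serialization, A is the base64url (unpadded) protected header.
AAD = base64.urlsafe_b64encode(json.dumps(HEADER, separators=(",", ":")).encode()).rstrip(b"=")
KEY = bytes(range(32))
IV = bytes.fromhex("1af38c2dc2b96ffdd86694092341bc04")
CIPHERTEXT = bytes(range(32, 64))


def migration_demo():
    """Same key and inputs, two separators: the tags differ, which is why
    tokens from this version cannot be verified by versions < 1.0.0."""
    compliant = aes_cbc_hmac_sha256_tag(KEY, AAD, IV, CIPHERTEXT)
    legacy = aes_cbc_hmac_sha256_tag(KEY, AAD, IV, CIPHERTEXT, sep=b".")
    return {
        "compliant_tag": compliant.hex(),
        "legacy_tag": legacy.hex(),
        "legacy_verifies_as_compliant": verify_tag(KEY, AAD, IV, CIPHERTEXT, legacy),
    }


if __name__ == "__main__":
    for name, value in migration_demo().items():
        print("%s: %s" % (name, value))
```

The separator matters because the MAC input is length-framed only by AL: inserting "." between A, IV, E and AL shifts every byte after A and produces an unrelated HMAC, so a verifier using one convention rejects tags produced under the other. That is exactly the incompatibility the note above warns about, and a deployment that must accept both during rollout has to try the compliant tag first and fall back to the legacy form, never the reverse, and should drop the fallback once old tokens have expired.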
- 🛠 Fixed critical JWT vulnerability (patch contributed by yuriikonovaliuk)
Important: Only unencrypted tokens are vulnerable. This fix led to a backward incompatible change to
- 🛠 RFC compliance fixes (patch contributed by jaimeperez)
Important: This change introduces a temporarily injected key (__v) in order to distinguish between legacy and newly issued tokens. This allows either kind of token to be used, so as not to break backwards compatibility and (possibly) degrade user experience. This will be removed for v1.0.
To verify whether clients are using a legacy token, application code can check whether the key "__v" is present in the headers (this can be done after deserialize_compact). The presence of the key identifies a newly created token.
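The check described above, as an added example that is not the library's own code: it parses the compact serialization by hand (split on "." and base64url-decode the first segment) instead of calling deserialize_compact so that it runs without the package installed. The sample tokens are constructed; their non-header segments are placeholder bytes, not real signatures or ciphertext, and the value stored under "__v" is an assumption, since the changelog only says the key is present.

```python
import base64
import json

# Added example, not the library's own code. Newly issued tokens carry a "__v"
# key in the protected header; legacy tokens do not. The header is read before
# any signature or tag is verified, so treat it as attacker-controlled: use the
# result only to pick which verification path to run, never to skip verification.


def _b64url_decode(segment):
    """base64url without padding (RFC 7515 section 2); restore padding first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(token):
    """Return the decoded protected header of a compact JWS (3 parts) or JWE (5 parts)."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS/JWE: expected 3 or 5 segments, got %d" % len(parts))
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSON/Unicode decode errors
        raise ValueError("malformed protected header") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def is_legacy_token(token):
    """True when the token predates the __v marker (no "__v" key in its header)."""
    return "__v" not in protected_header(token)


def _compact(header, *segments):
    """Build a compact token from a header dict and opaque body segments (constructed test data)."""
    encoded = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))]
    encoded += [_b64url_encode(s) for s in segments]
    return ".".join(encoded)


# Constructed sample tokens. Only the header matters for this check; the other
# segments are placeholders, and the "__v": 1 value is assumed, not documented.
LEGACY_JWS = _compact({"alg": "HS256", "typ": "JWT"}, b"payload", b"sig")
NEW_JWS = _compact({"alg": "HS256", "typ": "JWT", "__v": 1}, b"payload", b"sig")
NEW_JWE = _compact({"alg": "dir", "enc": "A128CBC-HS256", "__v": 1}, b"", b"iv", b"ct", b"tag")


def classify(tokens):
    """Map each token to 'legacy' or 'new'; useful for a rollout metric."""
    return {t: ("legacy" if is_legacy_token(t) else "new") for t in tokens}


if __name__ == "__main__":
    for token, kind in classify([LEGACY_JWS, NEW_JWS, NEW_JWE]).items():
        print(kind, token[:40] + "...")
```

With the library itself, the same check is a membership test on the header returned by deserialize_compact. Counting how many incoming tokens still classify as legacy tells you when the fallback path (and the __v marker, which the note says will be removed for v1.0) can safely go.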
- 📌 Unpinned pycrypto dependency (patch contributed by kuba)
- ➕ Added CLI exposing "decrypt" command
- ➕ Added custom exceptions, making client error handling easier
- 🎉 Initial release