All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Moved CI build to GitHub Actions (#52).
- Updated test matrix to test against the following gem versions, any gem versions outside of this matrix are no longer fully supported (#58):
faraday
:~> 1.10.0
,~> 2.8.0
,~> 2.9.0
&~> 2.10.0
jwt
:~> 1.5.0
,~> 2.6.0
,~> 2.7.0
&~> 2.8.0
rack
:~> 2.1.0
- Removed support for Ruby 2.4 & 2.5 (#58)
- Add Ruby 3.3 (#56), 3.2 (#55) to our test matrix
- Compatibility with Rack 3+ (#58)
- Added support for Faraday version >= 1.2.0
- Removed support for Ruby 2.3
- Support for multiple key stores
- Resolved deprecation warnings on ruby 2.7
- Run CI tests against more ruby versions (added 2.6 and 2.7)
- Fixed an issue where the Faraday middleware empties request body in Faraday v1.0.0
- Remove restriction on JWT version < 2.2
- Added option
bearer_schema
to the Faraday middleware to allow the caller to specify whether to follow the Bearer schema when setting the JWT token in the Authorization request header (defaults to false)
- Ensure we use the JWT Token in the Authorization header using the Bearer schema. We will still support Authorization headers without the Bearer schema
- Requests signed using version 2.5.0 can only be successfully verified by version 2.5.0. This will be addressed in version 2.5.1. To ensure compatibility it is recommended to skip this version or update the version of your request verifying service prior to the request signing service
- Add support for JWT version 2.1
- Added ability to configure verification leeway via the rack middleware
- Use
JWT.decode
to extract thekid
a JWT token.
- Sort query string parameters before comparing them
- If request fails verification, raise error that indicates specifically what failed
- Pass ownership to [email protected]
- Add contributors to README
- Pin
jwt
gem dependency to version1.5.x
, as the recent 2.0.0 release is currently incompatible withjwt_signed_request
- Check
PATH_INFO
instead ofREQUEST_PATH
when performing path exclusion
- Added ability to add signing and verifying keys to the
KeyStore
- Changed API so users can instead provide a
key_id
when signing requests - With requestes signed with a
key_id
, there is no need to provide asecret_key
when verifying requests. - Backwards compability with version 1.x.x
- Fix minor claims releated errors from @twe4ked.
- Allow configurable expiry leeway to verification