v3.1.0
⚠ 1 breaking · ✨ 3 features · 🐛 1 fix · 🔧 3 symbols
Summary
Version 3.1.0 introduces significant security and feature enhancements, including JWK support and stricter key validation for ECDSA, alongside a breaking change requiring claim verification before accessing the token payload.
⚠️ Breaking Changes
- Accessing JWT::EncodedToken#payload now requires claims to have been verified first. Previously, this could be accessed without verification, potentially leading to insecure usage.
Migration Steps
- If you were accessing JWT::EncodedToken#payload before verifying claims, ensure you call #verify before accessing #payload.
✨ New Features
- Added support for the x5t header parameter for X.509 certificate thumbprint verification.
- Support signing and verifying tokens using a JSON Web Key (JWK).
- Allow OpenSSL::PKey::EC::Point to be used as the verification key in ECDSA operations.
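What an x5t check involves, as an added example that is not code from the jwt library: per RFC 7515 section 4.1.7, x5t is the base64url-encoded SHA-1 digest of the certificate's DER encoding. The helper names (`x5t_for`, `x5t_matches?`, `sample_cert`, `sample_token`) are hypothetical, and the certificates and tokens are constructed sample data; only the Ruby standard library is used.

```ruby
require 'openssl'
require 'json'

# base64url without padding (RFC 7515), standard library only.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str + '=' * ((4 - str.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0') # raises ArgumentError on invalid input
end

# x5t = base64url(SHA-1(DER encoding of the certificate)).
def x5t_for(cert)
  b64url(OpenSSL::Digest.digest('SHA1', cert.to_der))
end

# True only when the token header carries an x5t equal to the pinned
# certificate's thumbprint. Malformed tokens, non-object headers and
# missing or non-string x5t values are rejected.
def x5t_matches?(jwt, pinned_cert)
  header = JSON.parse(b64url_decode(jwt.to_s.split('.').first.to_s))
  header.is_a?(Hash) && header['x5t'].is_a?(String) &&
    header['x5t'] == x5t_for(pinned_cert)
rescue JSON::ParserError, ArgumentError
  false
end

# Constructed sample data: a throwaway self-signed certificate.
def sample_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Constructed sample data: a token with the given header and a dummy signature.
def sample_token(header)
  "#{b64url(JSON.generate(header))}.#{b64url('{}')}.constructed-signature"
end
```

A matching x5t only identifies which certificate the issuer claims to have used; the token's signature still has to be verified with that certificate's public key before any claim is trusted.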
🐛 Bug Fixes
- ECDSA signing or verification now raises an error if the provided key is not an instance of OpenSSL::PKey::EC, improving key validation.