Hello community,

here is the log from the commit of package rubygem-jwt for openSUSE:Factory checked in at 2020-10-05 19:31:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-jwt (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-jwt.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-jwt" Mon Oct 5 19:31:56 2020 rev:3 rq:838047 version:2.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-jwt/rubygem-jwt.changes 2019-08-06 15:09:53.683790145 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-jwt.new.4249/rubygem-jwt.changes 2020-10-05 19:32:00.288918149 +0200 @@ -1,0 +2,7 @@ +Fri Sep 25 14:14:33 UTC 2020 - Stephan Kulow <co...@suse.com> + +updated to version 2.2.2 + see installed CHANGELOG.md + + +------------------------------------------------------------------- Old: ---- jwt-2.2.1.gem New: ---- jwt-2.2.2.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-jwt.spec ++++++ --- /var/tmp/diff_new_pack.kX5O2w/_old 2020-10-05 19:32:01.472923143 +0200 +++ /var/tmp/diff_new_pack.kX5O2w/_new 2020-10-05 19:32:01.476923159 +0200 @@ -1,7 +1,7 @@ # # spec file for package rubygem-jwt # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ # Name: rubygem-jwt -Version: 2.2.1 +Version: 2.2.2 Release: 0 %define mod_name jwt %define mod_full_name %{mod_name}-%{version} @@ -32,7 +32,7 @@ BuildRequires: %{ruby >= 2.1} BuildRequires: %{rubygem gem2rpm} BuildRequires: ruby-macros >= 5 -Url: https://github.com/jwt/ruby-jwt +URL: https://github.com/jwt/ruby-jwt Source: https://rubygems.org/gems/%{mod_full_name}.gem Source1: gem2rpm.yml Summary: JSON Web Token implementation in Ruby ++++++ jwt-2.2.1.gem -> jwt-2.2.2.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.travis.yml new/.travis.yml --- old/.travis.yml 2019-05-24 10:58:12.000000000 +0200 +++ new/.travis.yml 2020-08-18 09:11:09.000000000 +0200 
@@ -7,14 +7,23 @@ - 2.4 - 2.5 - 2.6 -gemfiles: +gemfile: - gemfiles/standalone.gemfile - gemfiles/rails_5.0.gemfile - gemfiles/rails_5.1.gemfile - gemfiles/rails_5.2.gemfile + - gemfiles/rails_6.0.gemfile script: "bundle exec rspec && bundle exec codeclimate-test-reporter" before_install: - sudo add-apt-repository ppa:chris-lea/libsodium -y - sudo apt-get update -q - sudo apt-get install libsodium-dev -y - gem install bundler + +matrix: + fast_finish: true + exclude: + - gemfile: gemfiles/rails_6.0.gemfile + rvm: 2.3 + - gemfile: gemfiles/rails_6.0.gemfile + rvm: 2.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Appraisals new/Appraisals --- old/Appraisals 2019-05-24 10:58:12.000000000 +0200 +++ new/Appraisals 2020-08-18 09:11:09.000000000 +0200 @@ -12,3 +12,7 @@ appraise 'rails-5.2' do gem 'rails', '~> 5.2.0' end + +appraise 'rails-6.0' do + gem 'rails', '~> 6.0.0' +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2019-05-24 10:58:12.000000000 +0200 +++ new/CHANGELOG.md 2020-08-18 09:11:09.000000000 +0200 
@@ -1,6 +1,54 @@ -# Change Log +# Changelog + +## [v2.2.2](https://github.com/jwt/ruby-jwt/tree/v2.2.2) (2020-08-18) + +[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.1...v2.2.2) + +**Implemented enhancements:** + +- JWK does not decode. [\#332](https://github.com/jwt/ruby-jwt/issues/332) +- Inconsistent use of symbol and string keys in args \(exp and alrogithm\). [\#331](https://github.com/jwt/ruby-jwt/issues/331) +- Pin simplecov to \< 0.18 [\#356](https://github.com/jwt/ruby-jwt/pull/356) ([anakinj](https://github.com/anakinj)) +- verifies algorithm before evaluating keyfinder [\#346](https://github.com/jwt/ruby-jwt/pull/346) ([jb08](https://github.com/jb08)) +- Update Rails 6 appraisal to use actual release version [\#336](https://github.com/jwt/ruby-jwt/pull/336) ([smudge](https://github.com/smudge)) +- Update Travis [\#326](https://github.com/jwt/ruby-jwt/pull/326) ([berkos](https://github.com/berkos)) +- Improvement/encode hmac without key [\#312](https://github.com/jwt/ruby-jwt/pull/312) ([JotaSe](https://github.com/JotaSe)) + +**Fixed bugs:** + +- v2.2.1 warning: already initialized constant JWT Error [\#335](https://github.com/jwt/ruby-jwt/issues/335) +- 2.2.1 is no longer raising `JWT::DecodeError` on `nil` verification key [\#328](https://github.com/jwt/ruby-jwt/issues/328) +- Fix algorithm picking from decode options [\#359](https://github.com/jwt/ruby-jwt/pull/359) ([excpt](https://github.com/excpt)) +- Raise error when verification key is empty [\#358](https://github.com/jwt/ruby-jwt/pull/358) ([anakinj](https://github.com/anakinj)) + +**Closed issues:** + +- JWT RSA: is it possible to encrypt using the public key? 
[\#366](https://github.com/jwt/ruby-jwt/issues/366) +- Example unsigned token that bypasses verification [\#364](https://github.com/jwt/ruby-jwt/issues/364) +- Verify exp claim/field even if it's not present [\#363](https://github.com/jwt/ruby-jwt/issues/363) +- Decode any token [\#360](https://github.com/jwt/ruby-jwt/issues/360) +- \[question\] example of using a pub/priv keys for signing? [\#351](https://github.com/jwt/ruby-jwt/issues/351) +- JWT::ExpiredSignature raised for non-JSON payloads [\#350](https://github.com/jwt/ruby-jwt/issues/350) +- verify\_aud only verifies that at least one aud is expected [\#345](https://github.com/jwt/ruby-jwt/issues/345) +- Sinatra 4.90s TTFB [\#344](https://github.com/jwt/ruby-jwt/issues/344) +- How to Logout [\#342](https://github.com/jwt/ruby-jwt/issues/342) +- jwt token decoding even when wrong token is provided for some letters [\#337](https://github.com/jwt/ruby-jwt/issues/337) +- Need to use `symbolize\_keys` everywhere! [\#330](https://github.com/jwt/ruby-jwt/issues/330) +- eval\(\) used in Forwardable limits usage in iOS App Store [\#324](https://github.com/jwt/ruby-jwt/issues/324) +- HS512256 OpenSSL Exception: First num too large [\#322](https://github.com/jwt/ruby-jwt/issues/322) +- Can we change the separator character? [\#321](https://github.com/jwt/ruby-jwt/issues/321) +- Verifying iat without leeway may break with poorly synced clocks [\#319](https://github.com/jwt/ruby-jwt/issues/319) +- Adding support for 'hd' hosted domain string [\#314](https://github.com/jwt/ruby-jwt/issues/314) +- There is no "typ" header in version 2.0.0 [\#233](https://github.com/jwt/ruby-jwt/issues/233) + +**Merged pull requests:** + +- Fix 'already initialized constant JWT Error' [\#357](https://github.com/jwt/ruby-jwt/pull/357) ([excpt](https://github.com/excpt)) +- Support RSA.import for all Ruby versions. 
[\#333](https://github.com/jwt/ruby-jwt/pull/333) ([rabajaj0509](https://github.com/rabajaj0509)) +- Removed forwardable dependency [\#325](https://github.com/jwt/ruby-jwt/pull/325) ([anakinj](https://github.com/anakinj)) ## [v2.2.1](https://github.com/jwt/ruby-jwt/tree/v2.2.1) (2019-05-24) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.0...v2.2.1) **Fixed bugs:** @@ -8,7 +56,12 @@ - need to `require 'forwardable'` to use `Forwardable` [\#316](https://github.com/jwt/ruby-jwt/issues/316) - Add forwardable dependency for JWK RSA KeyFinder [\#317](https://github.com/jwt/ruby-jwt/pull/317) ([excpt](https://github.com/excpt)) +**Merged pull requests:** + +- Release 2.2.1 [\#318](https://github.com/jwt/ruby-jwt/pull/318) ([excpt](https://github.com/excpt)) + ## [v2.2.0](https://github.com/jwt/ruby-jwt/tree/v2.2.0) (2019-05-23) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.0.pre.beta.0...v2.2.0) **Closed issues:** @@ -22,6 +75,7 @@ - Release 2.2.0 [\#315](https://github.com/jwt/ruby-jwt/pull/315) ([excpt](https://github.com/excpt)) ## [v2.2.0.pre.beta.0](https://github.com/jwt/ruby-jwt/tree/v2.2.0.pre.beta.0) (2019-03-20) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.1.0...v2.2.0.pre.beta.0) **Implemented enhancements:** 
@@ -46,17 +100,18 @@ **Fixed bugs:** - Inconsistent handling of payload claim data types [\#282](https://github.com/jwt/ruby-jwt/issues/282) -- Use iat\\_leeway option [\#273](https://github.com/jwt/ruby-jwt/issues/273) - Issued at validation [\#247](https://github.com/jwt/ruby-jwt/issues/247) - Fix bug and simplify segment validation [\#292](https://github.com/jwt/ruby-jwt/pull/292) ([anakinj](https://github.com/anakinj)) -- Removed leeway from verify\\_iat [\#257](https://github.com/jwt/ruby-jwt/pull/257) ([ab320012](https://github.com/ab320012)) + +**Security fixes:** + +- Decoding JWT with ES256 and secp256k1 curve [\#277](https://github.com/jwt/ruby-jwt/issues/277) **Closed issues:** - RS256, public and private keys [\#291](https://github.com/jwt/ruby-jwt/issues/291) - Allow passing current time to `decode` [\#288](https://github.com/jwt/ruby-jwt/issues/288) - Verify exp claim without verifying jwt [\#281](https://github.com/jwt/ruby-jwt/issues/281) -- Decoding JWT with ES256 and secp256k1 curve [\#277](https://github.com/jwt/ruby-jwt/issues/277) - Audience as an array - how to specify? [\#276](https://github.com/jwt/ruby-jwt/issues/276) - signature validation using decode method for JWT [\#271](https://github.com/jwt/ruby-jwt/issues/271) - JWT is easily breakable [\#267](https://github.com/jwt/ruby-jwt/issues/267) @@ -91,6 +146,7 @@ - Fix link format [\#248](https://github.com/jwt/ruby-jwt/pull/248) ([y-yagi](https://github.com/y-yagi)) ## [v2.1.0](https://github.com/jwt/ruby-jwt/tree/v2.1.0) (2017-10-06) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0...v2.1.0) **Implemented enhancements:** 
@@ -101,13 +157,17 @@ - verify takes 2 params, second being payload closes: \#207 [\#238](https://github.com/jwt/ruby-jwt/pull/238) ([ab320012](https://github.com/ab320012)) - simplified logic for keyfinder [\#237](https://github.com/jwt/ruby-jwt/pull/237) ([ab320012](https://github.com/ab320012)) - Show backtrace if rbnacl-libsodium not loaded [\#231](https://github.com/jwt/ruby-jwt/pull/231) ([buzztaiki](https://github.com/buzztaiki)) +- Support for ED25519 [\#229](https://github.com/jwt/ruby-jwt/pull/229) ([ab320012](https://github.com/ab320012)) **Fixed bugs:** - JWT.encode failing on encode for string [\#235](https://github.com/jwt/ruby-jwt/issues/235) -- The README says it uses an algorithm by default [\#226](https://github.com/jwt/ruby-jwt/issues/226) - Fix string payload issue [\#236](https://github.com/jwt/ruby-jwt/pull/236) ([excpt](https://github.com/excpt)) +**Security fixes:** + +- Add HS256 algorithm to decode default options [\#228](https://github.com/jwt/ruby-jwt/pull/228) ([marcoadkins](https://github.com/marcoadkins)) + **Closed issues:** - Change from 1.5.6 to 2.0.0 and appears a "Completed 401 Unauthorized" [\#240](https://github.com/jwt/ruby-jwt/issues/240) 
@@ -119,17 +179,14 @@ - Update README.md [\#242](https://github.com/jwt/ruby-jwt/pull/242) ([excpt](https://github.com/excpt)) - Update ebert configuration [\#232](https://github.com/jwt/ruby-jwt/pull/232) ([excpt](https://github.com/excpt)) - added algos/strategy classes + structs for inputs [\#230](https://github.com/jwt/ruby-jwt/pull/230) ([ab320012](https://github.com/ab320012)) -- Add HS256 algorithm to decode default options [\#228](https://github.com/jwt/ruby-jwt/pull/228) ([madkin10](https://github.com/madkin10)) ## [v2.0.0](https://github.com/jwt/ruby-jwt/tree/v2.0.0) (2017-09-03) -[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0.beta1...v2.0.0) -**Implemented enhancements:** - -- Support for ED25519 [\#229](https://github.com/jwt/ruby-jwt/pull/229) ([ab320012](https://github.com/ab320012)) +[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0.beta1...v2.0.0) **Fixed bugs:** +- The README says it uses an algorithm by default [\#226](https://github.com/jwt/ruby-jwt/issues/226) - Support versions outside 2.1 [\#209](https://github.com/jwt/ruby-jwt/issues/209) - Verifying expiration without leeway throws exception [\#206](https://github.com/jwt/ruby-jwt/issues/206) - Ruby interpreter warning [\#200](https://github.com/jwt/ruby-jwt/issues/200) 
@@ -156,9 +213,9 @@ - Allow configuration of multiple acceptable issuers [\#210](https://github.com/jwt/ruby-jwt/pull/210) ([ojab](https://github.com/ojab)) - Enforce `exp` to be an `Integer` [\#205](https://github.com/jwt/ruby-jwt/pull/205) ([lucasmazza](https://github.com/lucasmazza)) - ruby 1.9.3 support message upd [\#204](https://github.com/jwt/ruby-jwt/pull/204) ([maokomioko](https://github.com/maokomioko)) -- Guard against partially loaded RbNaCl when failing to load libsodium [\#202](https://github.com/jwt/ruby-jwt/pull/202) ([Dorian](https://github.com/Dorian)) ## [v2.0.0.beta1](https://github.com/jwt/ruby-jwt/tree/v2.0.0.beta1) (2017-02-27) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.6...v2.0.0.beta1) **Implemented enhancements:** @@ -178,9 +235,9 @@ - ruby-jwt::raw\_to\_asn1: Fails for signatures less than byte\_size [\#155](https://github.com/jwt/ruby-jwt/issues/155) - The leeway parameter is applies to all time based verifications [\#129](https://github.com/jwt/ruby-jwt/issues/129) -- Add options for claim-specific leeway [\#187](https://github.com/jwt/ruby-jwt/pull/187) ([EmilioCristalli](https://github.com/EmilioCristalli)) - Make algorithm option required to verify signature [\#184](https://github.com/jwt/ruby-jwt/pull/184) ([EmilioCristalli](https://github.com/EmilioCristalli)) - Validate audience when payload is a scalar and options is an array [\#183](https://github.com/jwt/ruby-jwt/pull/183) ([steti](https://github.com/steti)) +- Fix: exp claim check [\#161](https://github.com/jwt/ruby-jwt/pull/161) ([excpt](https://github.com/excpt)) **Closed issues:** @@ -207,6 +264,7 @@ - Fixed a typo in a spec name [\#169](https://github.com/jwt/ruby-jwt/pull/169) ([mingan](https://github.com/mingan)) ## [v1.5.6](https://github.com/jwt/ruby-jwt/tree/v1.5.6) (2016-09-19) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.5...v1.5.6) **Fixed bugs:** 
@@ -219,6 +277,7 @@ - Fix rubocop code smells [\#167](https://github.com/jwt/ruby-jwt/pull/167) ([excpt](https://github.com/excpt)) ## [v1.5.5](https://github.com/jwt/ruby-jwt/tree/v1.5.5) (2016-09-16) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.4...v1.5.5) **Implemented enhancements:** @@ -232,13 +291,16 @@ - Audience Claim broken? [\#151](https://github.com/jwt/ruby-jwt/issues/151) - 1.5.3 breaks compatibility with 1.5.2 [\#133](https://github.com/jwt/ruby-jwt/issues/133) - Version 1.5.3 breaks 1.9.3 compatibility, but not documented as such [\#132](https://github.com/jwt/ruby-jwt/issues/132) -- Fix: exp claim check [\#161](https://github.com/jwt/ruby-jwt/pull/161) ([excpt](https://github.com/excpt)) + +**Security fixes:** + +- \[security\] Signature verified after expiration/sub/iss checks [\#153](https://github.com/jwt/ruby-jwt/issues/153) +- Signature validation before claim verification [\#160](https://github.com/jwt/ruby-jwt/pull/160) ([excpt](https://github.com/excpt)) **Closed issues:** - Rendering Json Results in JWT::DecodeError [\#162](https://github.com/jwt/ruby-jwt/issues/162) - PHP Libraries [\#154](https://github.com/jwt/ruby-jwt/issues/154) -- \[security\] Signature verified after expiration/sub/iss checks [\#153](https://github.com/jwt/ruby-jwt/issues/153) - Is ruby-jwt thread-safe? [\#150](https://github.com/jwt/ruby-jwt/issues/150) - JWT 1.5.3 [\#143](https://github.com/jwt/ruby-jwt/issues/143) - gem install v 1.5.3 returns error [\#141](https://github.com/jwt/ruby-jwt/issues/141) 
@@ -249,17 +311,15 @@ - Bump version [\#165](https://github.com/jwt/ruby-jwt/pull/165) ([excpt](https://github.com/excpt)) - Improve error message for exp claim in payload [\#164](https://github.com/jwt/ruby-jwt/pull/164) ([excpt](https://github.com/excpt)) - Fix \#151 and code refactoring [\#163](https://github.com/jwt/ruby-jwt/pull/163) ([excpt](https://github.com/excpt)) -- Signature validation before claim verification [\#160](https://github.com/jwt/ruby-jwt/pull/160) ([excpt](https://github.com/excpt)) - Create specs for README.md examples [\#159](https://github.com/jwt/ruby-jwt/pull/159) ([excpt](https://github.com/excpt)) - Tiny Readme Improvement [\#156](https://github.com/jwt/ruby-jwt/pull/156) ([b264](https://github.com/b264)) - Added test execution to Rakefile [\#147](https://github.com/jwt/ruby-jwt/pull/147) ([jabbrwcky](https://github.com/jabbrwcky)) -- Add more bling bling to the site [\#146](https://github.com/jwt/ruby-jwt/pull/146) ([excpt](https://github.com/excpt)) - Bump version [\#145](https://github.com/jwt/ruby-jwt/pull/145) ([excpt](https://github.com/excpt)) -- Add first content and basic layout [\#144](https://github.com/jwt/ruby-jwt/pull/144) ([excpt](https://github.com/excpt)) - Add a changelog file [\#142](https://github.com/jwt/ruby-jwt/pull/142) ([excpt](https://github.com/excpt)) - Return decoded\_segments [\#139](https://github.com/jwt/ruby-jwt/pull/139) ([akostrikov](https://github.com/akostrikov)) ## [v1.5.4](https://github.com/jwt/ruby-jwt/tree/v1.5.4) (2016-03-24) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.3...v1.5.4) **Closed issues:** @@ -274,6 +334,7 @@ - iat can be a float value [\#134](https://github.com/jwt/ruby-jwt/pull/134) ([llimllib](https://github.com/llimllib)) ## [v1.5.3](https://github.com/jwt/ruby-jwt/tree/v1.5.3) (2016-02-24) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.2...v1.5.3) **Implemented enhancements:** 
@@ -305,6 +366,7 @@ - Fix error misspelling [\#112](https://github.com/jwt/ruby-jwt/pull/112) ([kat3kasper](https://github.com/kat3kasper)) ## [jwt-1.5.2](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.2) (2015-10-27) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.1...jwt-1.5.2) **Implemented enhancements:** @@ -342,6 +404,7 @@ - nbf check allows exact time matches. [\#88](https://github.com/jwt/ruby-jwt/pull/88) ([aj-michael](https://github.com/aj-michael)) ## [jwt-1.5.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.1) (2015-06-22) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.0...jwt-1.5.1) **Implemented enhancements:** @@ -353,7 +416,6 @@ - ECDSA signature verification fails for valid tokens [\#84](https://github.com/jwt/ruby-jwt/issues/84) - Shouldn't verification of additional claims, like iss, aud etc. be enforced when in options? [\#81](https://github.com/jwt/ruby-jwt/issues/81) -- Fix either README or source code [\#78](https://github.com/jwt/ruby-jwt/issues/78) - decode fails with 'none' algorithm and verify [\#75](https://github.com/jwt/ruby-jwt/issues/75) **Closed issues:** @@ -369,6 +431,7 @@ - Force verification of "iss" and "aud" claims [\#82](https://github.com/jwt/ruby-jwt/pull/82) ([lwe](https://github.com/lwe)) ## [jwt-1.5.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.0) (2015-05-09) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.4.1...jwt-1.5.0) **Implemented enhancements:** @@ -386,6 +449,7 @@ - Fixed some examples to make them copy-pastable [\#72](https://github.com/jwt/ruby-jwt/pull/72) ([jer](https://github.com/jer)) ## [jwt-1.4.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.4.1) (2015-03-12) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.4.0...jwt-1.4.1) **Fixed bugs:** 
@@ -397,8 +461,10 @@ - Fix \#66 \#68 [\#69](https://github.com/jwt/ruby-jwt/pull/69) ([excpt](https://github.com/excpt)) - When throwing errors, mention expected/received values [\#65](https://github.com/jwt/ruby-jwt/pull/65) ([rolodato](https://github.com/rolodato)) +- Add 'iss' support for ruby-jwt [\#61](https://github.com/jwt/ruby-jwt/pull/61) ([ZhangHanDong](https://github.com/ZhangHanDong)) ## [jwt-1.4.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.4.0) (2015-03-10) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.3.0...jwt-1.4.0) **Closed issues:** @@ -410,10 +476,10 @@ - Release 1.4.0 [\#64](https://github.com/jwt/ruby-jwt/pull/64) ([excpt](https://github.com/excpt)) - Update README.md and remove dead code [\#63](https://github.com/jwt/ruby-jwt/pull/63) ([excpt](https://github.com/excpt)) - Add 'iat/ aud/ sub/ jti' support for ruby-jwt [\#62](https://github.com/jwt/ruby-jwt/pull/62) ([ZhangHanDong](https://github.com/ZhangHanDong)) -- Add 'iss' support for ruby-jwt [\#61](https://github.com/jwt/ruby-jwt/pull/61) ([ZhangHanDong](https://github.com/ZhangHanDong)) - Clarify .encode API in README [\#60](https://github.com/jwt/ruby-jwt/pull/60) ([jbodah](https://github.com/jbodah)) ## [jwt-1.3.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.3.0) (2015-02-24) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.2.1...jwt-1.3.0) **Closed issues:** @@ -429,9 +495,9 @@ - raise verification error for signiture verification [\#58](https://github.com/jwt/ruby-jwt/pull/58) ([punkle](https://github.com/punkle)) - Added support for not before claim verification [\#56](https://github.com/jwt/ruby-jwt/pull/56) ([punkle](https://github.com/punkle)) -- Preperations for version 2.x [\#49](https://github.com/jwt/ruby-jwt/pull/49) ([excpt](https://github.com/excpt)) ## [jwt-1.2.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.1) (2015-01-22) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.2.0...jwt-1.2.1) **Closed issues:** 
@@ -444,6 +510,7 @@ - Accept expiration claims as string [\#53](https://github.com/jwt/ruby-jwt/pull/53) ([yarmand](https://github.com/yarmand)) ## [jwt-1.2.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.0) (2014-11-24) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.13...jwt-1.2.0) **Closed issues:** @@ -456,6 +523,7 @@ - rspec 3 breaks passing tests [\#44](https://github.com/jwt/ruby-jwt/pull/44) ([zshannon](https://github.com/zshannon)) ## [jwt-0.1.13](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.13) (2014-05-08) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.0.0...jwt-0.1.13) **Closed issues:** @@ -465,6 +533,7 @@ - Update gem to get latest changes [\#36](https://github.com/jwt/ruby-jwt/issues/36) ## [jwt-1.0.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.0.0) (2014-05-07) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.11...jwt-1.0.0) **Closed issues:** @@ -481,6 +550,7 @@ - Travis - Add Ruby 2.0.0, 2.1.0, Rubinius [\#30](https://github.com/jwt/ruby-jwt/pull/30) ([petergoldstein](https://github.com/petergoldstein)) ## [jwt-0.1.11](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.11) (2014-01-17) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.10...jwt-0.1.11) **Closed issues:** @@ -493,6 +563,7 @@ - fixed urlsafe base64 encoding [\#29](https://github.com/jwt/ruby-jwt/pull/29) ([tobscher](https://github.com/tobscher)) ## [jwt-0.1.10](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.10) (2014-01-10) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.8...jwt-0.1.10) **Closed issues:** @@ -510,6 +581,7 @@ - Don't leave errors in OpenSSL.errors when there is a decoding error. [\#19](https://github.com/jwt/ruby-jwt/pull/19) ([lowellk](https://github.com/lowellk)) ## [jwt-0.1.8](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.8) (2013-03-14) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.7...jwt-0.1.8) **Merged pull requests:** 
@@ -518,6 +590,7 @@ - Verify if verify is truthy \(not just true\) [\#17](https://github.com/jwt/ruby-jwt/pull/17) ([threedaymonk](https://github.com/threedaymonk)) ## [jwt-0.1.7](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.7) (2013-03-07) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.6...jwt-0.1.7) **Merged pull requests:** @@ -525,6 +598,7 @@ - Catch MultiJson::LoadError and reraise as JWT::DecodeError [\#16](https://github.com/jwt/ruby-jwt/pull/16) ([rwygand](https://github.com/rwygand)) ## [jwt-0.1.6](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.6) (2013-03-05) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.5...jwt-0.1.6) **Merged pull requests:** @@ -533,6 +607,7 @@ - Use StandardError as parent for DecodeError [\#13](https://github.com/jwt/ruby-jwt/pull/13) ([Oscil8](https://github.com/Oscil8)) ## [jwt-0.1.5](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.5) (2012-07-20) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.4...jwt-0.1.5) **Closed issues:** @@ -545,9 +620,11 @@ - Oops. :-\) [\#11](https://github.com/jwt/ruby-jwt/pull/11) ([sporkmonger](https://github.com/sporkmonger)) - Fix issue with signature verification in JRuby [\#10](https://github.com/jwt/ruby-jwt/pull/10) ([sporkmonger](https://github.com/sporkmonger)) - Depend on MultiJson [\#9](https://github.com/jwt/ruby-jwt/pull/9) ([lautis](https://github.com/lautis)) +- Allow for custom headers on encode and decode [\#8](https://github.com/jwt/ruby-jwt/pull/8) ([dgrijalva](https://github.com/dgrijalva)) - Missing development dependency for echoe gem. [\#6](https://github.com/jwt/ruby-jwt/pull/6) ([sporkmonger](https://github.com/sporkmonger)) ## [jwt-0.1.4](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.4) (2011-11-11) + [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.3...jwt-0.1.4) **Merged pull requests:** 
@@ -555,16 +632,18 @@ - Fix for RSA verification [\#5](https://github.com/jwt/ruby-jwt/pull/5) ([jordan-brough](https://github.com/jordan-brough)) ## [jwt-0.1.3](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.3) (2011-06-30) + +[Full Changelog](https://github.com/jwt/ruby-jwt/compare/10d7492ea325c65fce41191c73cd90d4de494772...jwt-0.1.3) + **Closed issues:** - signatures calculated incorrectly \(hexdigest instead of digest\) [\#1](https://github.com/jwt/ruby-jwt/issues/1) **Merged pull requests:** -- Allow for custom headers on encode and decode [\#8](https://github.com/jwt/ruby-jwt/pull/8) ([dgrijalva](https://github.com/dgrijalva)) - Bumped a version and added a .gemspec using rake build\_gemspec [\#3](https://github.com/jwt/ruby-jwt/pull/3) ([zhitomirskiyi](https://github.com/zhitomirskiyi)) - Added RSA support [\#2](https://github.com/jwt/ruby-jwt/pull/2) ([zhitomirskiyi](https://github.com/zhitomirskiyi)) -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md --- old/README.md 2019-05-24 10:58:12.000000000 +0200 +++ new/README.md 2020-08-18 09:11:09.000000000 +0200 
@@ -85,6 +85,21 @@ # {"alg"=>"HS256"} # header # ] puts decoded_token + +# Without secret key +token = JWT.encode payload, nil, 'HS256' + +# eyJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.pVzcY2dX8JNM3LzIYeP2B1e1Wcpt1K3TWVvIYSF4x-o +puts token + +decoded_token = JWT.decode token, nil, true, { algorithm: 'HS256' } + +# Array +# [ +# {"data"=>"test"}, # payload +# {"alg"=>"HS256"} # header +# ] +puts decoded_token ``` Note: If [RbNaCl](https://github.com/cryptosphere/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl enforces a maximum key size of 32 bytes for these algorithms. @@ -460,7 +475,7 @@ rescue JWT::JWKError # Handle problems with the provided JWKs rescue JWT::DecodeError - # Handle other decode related issues e.g. no kid in header, no matching public key found etc. + # Handle other decode related issues e.g. no kid in header, no matching public key found etc. end ``` Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jwt/algos/hmac.rb new/lib/jwt/algos/hmac.rb --- old/lib/jwt/algos/hmac.rb 2019-05-24 10:58:12.000000000 +0200 +++ new/lib/jwt/algos/hmac.rb 2020-08-18 09:11:09.000000000 +0200 @@ -7,6 +7,7 @@ def sign(to_sign) algorithm, msg, key = to_sign.values + key ||= '' authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key) if authenticator && padded_key authenticator.auth(padded_key, msg.encode('binary')) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jwt/decode.rb new/lib/jwt/decode.rb --- old/lib/jwt/decode.rb 2019-05-24 10:58:12.000000000 +0200 +++ new/lib/jwt/decode.rb 2020-08-18 09:11:09.000000000 +0200 
@@ -33,12 +33,12 @@ private def verify_signature - @key = find_key(&@keyfinder) if @keyfinder - @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks] - raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty? raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header? + @key = find_key(&@keyfinder) if @keyfinder + @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks] + Signature.verify(header['alg'], @key, signing_input, @signature) end @@ -47,10 +47,17 @@ end def allowed_algorithms - if @options.key?(:algorithm) + # Order is very important - first check for string keys, next for symbols + if @options.key?('algorithm') + [@options['algorithm']] + elsif @options.key?(:algorithm) [@options[:algorithm]] - else + elsif @options.key?('algorithms') + @options['algorithms'] || [] + elsif @options.key?(:algorithms) @options[:algorithms] || [] + else + [] end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jwt/error.rb new/lib/jwt/error.rb --- old/lib/jwt/error.rb 2019-05-24 10:58:12.000000000 +0200 +++ new/lib/jwt/error.rb 2020-08-18 09:11:09.000000000 +0200 
@@ -1,20 +1,20 @@ # frozen_string_literal: true module JWT - EncodeError = Class.new(StandardError) - DecodeError = Class.new(StandardError) - RequiredDependencyError = Class.new(StandardError) + class EncodeError < StandardError; end + class DecodeError < StandardError; end + class RequiredDependencyError < StandardError; end - VerificationError = Class.new(DecodeError) - ExpiredSignature = Class.new(DecodeError) - IncorrectAlgorithm = Class.new(DecodeError) - ImmatureSignature = Class.new(DecodeError) - InvalidIssuerError = Class.new(DecodeError) - InvalidIatError = Class.new(DecodeError) - InvalidAudError = Class.new(DecodeError) - InvalidSubError = Class.new(DecodeError) - InvalidJtiError = Class.new(DecodeError) - InvalidPayload = Class.new(DecodeError) + class VerificationError < DecodeError; end + class ExpiredSignature < DecodeError; end + class IncorrectAlgorithm < DecodeError; end + class ImmatureSignature < DecodeError; end + class InvalidIssuerError < DecodeError; end + class InvalidIatError < DecodeError; end + class InvalidAudError < DecodeError; end + class InvalidSubError < DecodeError; end + class InvalidJtiError < DecodeError; end + class InvalidPayload < DecodeError; end - JWKError = Class.new(DecodeError) + class JWKError < DecodeError; end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jwt/jwk/rsa.rb new/lib/jwt/jwk/rsa.rb --- old/lib/jwt/jwk/rsa.rb 2019-05-24 10:58:12.000000000 +0200 +++ new/lib/jwt/jwk/rsa.rb 2020-08-18 09:11:09.000000000 +0200 @@ -1,16 +1,10 @@ # frozen_string_literal: true -require 'forwardable' - module JWT module JWK class RSA - extend Forwardable - attr_reader :keypair - def_delegators :keypair, :private?, :public_key - BINARY = 2 KTY = 'RSA'.freeze 
@@ -20,6 +14,14 @@ @keypair = keypair end + def private? + keypair.private? + end + + def public_key + keypair.public_key + end + def kid sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n), OpenSSL::ASN1::Integer.new(public_key.e)]) @@ -37,9 +39,14 @@ def self.import(jwk_data) imported_key = OpenSSL::PKey::RSA.new - imported_key.set_key(OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY), - OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY), - nil) + if imported_key.respond_to?(:set_key) + imported_key.set_key(OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY), + OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY), + nil) + else + imported_key.n = OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY) + imported_key.e = OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY) + end self.new(imported_key) end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jwt/signature.rb new/lib/jwt/signature.rb --- old/lib/jwt/signature.rb 2019-05-24 10:58:12.000000000 +0200 +++ new/lib/jwt/signature.rb 2020-08-18 09:11:09.000000000 +0200 @@ -38,6 +38,8 @@ end def verify(algorithm, key, signing_input, signature) + raise JWT::DecodeError, 'No verification key available' unless key + algo = ALGOS.find do |alg| alg.const_get(:SUPPORTED).include? algorithm end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/jwt/version.rb new/lib/jwt/version.rb --- old/lib/jwt/version.rb 2019-05-24 10:58:12.000000000 +0200 +++ new/lib/jwt/version.rb 2020-08-18 09:11:09.000000000 +0200 
@@ -14,11 +14,11 @@ # minor version MINOR = 2 # tiny version - TINY = 1 + TINY = 2 # alpha, beta, etc. tag PRE = nil # Build version string - STRING = [[MAJOR, MINOR, TINY].compact.join('.'), PRE].compact.join('-') + STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2019-05-24 10:58:12.000000000 +0200 +++ new/metadata 2020-08-18 09:11:09.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: jwt version: !ruby/object:Gem::Version - version: 2.2.1 + version: 2.2.2 platform: ruby authors: - Tim Rudat -autorequire: +autorequire: bindir: bin cert_chain: [] -date: 2019-05-24 00:00:00.000000000 Z +date: 2020-08-18 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: appraisal @@ -70,16 +70,16 @@ name: simplecov requirement: !ruby/object:Gem::Requirement requirements: - - - ">=" + - - "<" - !ruby/object:Gem::Version - version: '0' + version: '0.18' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ">=" + - - "<" - !ruby/object:Gem::Version - version: '0' + version: '0.18' - !ruby/object:Gem::Dependency name: simplecov-json requirement: !ruby/object:Gem::Requirement @@ -196,7 +196,7 @@ licenses: - MIT metadata: {} -post_install_message: +post_install_message: rdoc_options: [] require_paths: - lib @@ -211,8 +211,8 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubygems_version: 3.0.3 -signing_key: +rubygems_version: 3.1.2 +signing_key: specification_version: 4 summary: JSON Web Token implementation in Ruby test_files: [] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ruby-jwt.gemspec new/ruby-jwt.gemspec --- old/ruby-jwt.gemspec 2019-05-24 10:58:12.000000000 +0200 +++ new/ruby-jwt.gemspec 2020-08-18 09:11:09.000000000 +0200 
@@ -24,7 +24,7 @@ spec.add_development_dependency 'bundler' spec.add_development_dependency 'rake' spec.add_development_dependency 'rspec' - spec.add_development_dependency 'simplecov' + spec.add_development_dependency 'simplecov', '< 0.18' spec.add_development_dependency 'simplecov-json' spec.add_development_dependency 'codeclimate-test-reporter' spec.add_development_dependency 'codacy-coverage'
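Review bot: The new "Without secret key" example in the README.md hunk (@@ -85,6 +85,21 @@) cannot produce the output its comment shows, because it calls `JWT.decode token, nil, true, { algorithm: 'HS256' }` while the lib/jwt/signature.rb hunk in this same update makes `verify` raise `JWT::DecodeError, 'No verification key available'` when `key` is nil. Either drop the decode half of the example or show it with an explicit key. The example should also say that a token encoded with a nil key carries no authenticity guarantee, since readers copy README snippets as they are.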
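Review bot: In the lib/jwt/algos/hmac.rb hunk, `key ||= ''` in `sign` silently turns a nil key into an empty HMAC key, so a caller whose secret failed to load (an unset environment variable, for instance) gets a token that looks signed but that anyone can recompute. I would rather fail closed here by raising `JWT::EncodeError` when `key` is nil for an HMAC algorithm, or at least require an explicit opt-in option for keyless signing, and document the behaviour next to the line.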
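Review bot: In the first lib/jwt/decode.rb hunk (`verify_signature`), the reordering has no comment or visible spec that pins it down, so a later refactor could move the key lookup back above the two `raise(JWT::IncorrectAlgorithm, ...)` checks. Please add a short comment that the algorithm allow-list must be checked before `find_key(&@keyfinder)` and the JWKS lookup by `header['kid']` run on untrusted header data, plus a spec asserting that the keyfinder block is not called for a token with a disallowed `alg`. Separately, when both a keyfinder and `@options[:jwks]` are supplied, the second assignment overwrites `@key` without notice; that precedence deserves a line of documentation.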
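Review bot: In the second lib/jwt/decode.rb hunk (`allowed_algorithms`), a present-but-nil option such as `algorithm: nil` returns `[nil]`, which is not empty, so the `'An algorithm must be specified'` guard in `verify_signature` does not fire for it. The four-way `if/elsif` also means that when a caller passes both `'algorithm'` and `:algorithms`, only the first match is used and the rest is ignored silently. Normalising the option keys once and then building the list from both `algorithm` and `algorithms` with nil values removed would fix both points and remove the need for the "Order is very important" comment.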
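Review bot: In the lib/jwt/jwk/rsa.rb hunk that changes `self.import`, `jwk_data[:n]` and `jwk_data[:e]` are passed straight to `::Base64.urlsafe_decode64` in both branches with no presence check, so a JWK that lacks either member fails with a generic Ruby exception instead of `JWT::JWKError`. The two `OpenSSL::BN.new(...)` expressions are also duplicated across the `set_key` branch and the fallback. Decode `n` and `e` once into locals, raise `JWT::JWKError` if either is missing, and then choose between `set_key` and the `n=`/`e=` setters. Note that only symbol keys are read here, so a JWK hash parsed from JSON with string keys will hit the same failure.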
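Review bot: In the lib/jwt/signature.rb hunk, the guard `raise JWT::DecodeError, 'No verification key available' unless key` only rejects nil and false, while the changelog entry for this fix reads "Raise error when verification key is empty". An empty string is truthy in Ruby and still reaches the algorithm lookup, and the hmac.rb hunk in this update now produces tokens signed with exactly that empty key. Consider extending the check to something like `key.nil? || (key.respond_to?(:empty?) && key.empty?)` so that empty secrets are rejected on the verify side as well.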
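Review bot: In the lib/jwt/version.rb hunk, the new `STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')` changes the pre-release separator from '-' to '.', which is a format change for anything that parses `JWT::VERSION::STRING`. With `PRE = nil` it has no effect on this release, but the "Build version string" comment should state the resulting format (for example 2.2.0.beta) so the change is deliberate and visible.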