More-jwtauth

Latest version: v0.11

Safety actively analyzes 681935 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 2

0.12

-----------------

- Nothing changed yet.

0.11

-----------------

- Remove support for Python 3.3 and add support for Python 3.6.
- Upgrade PyJWT to version 1.5.3 and cryptography to version 2.1.4.

0.10

-----------------

- **Breaking:** Add request parameter to refresh_nonce_handler (see issue `8`_).

.. _8: https://github.com/morepath/more.jwtauth/issues/8

0.9

----------------

- **New:** Add an API to refresh the JWT token (see issue `6`_).

This implement adding 4 new settings:

* ``allow_refresh``: Enables the token refresh API when True.
* ``refresh_delta``: The time delta in which the token can be refreshed
considering the leeway.
* ``refresh_nonce_handler``: Dotted path to callback function, which receives
the userid as argument and returns a nonce which will be validated before
refreshing.
* ``verify_expiration_on_refresh``: If False, expiration_delta for the JWT
token will not be checked during refresh.
Otherwise you can refresh the token only if it's not yet expired.

It also adds 2 claims to the token when refreshing is enabled:

* ``refresh_until``: Timestamp until which the token can be refreshed.
* ``nonce``: The nonce which was returned by ``refresh_nonce_handler``.

For details see README.rst.

- **Removed:** The ``verify_expiration`` setting has been removed as it was
mainly for custom handling of token refreshing, which is now obsolente.

- Pass algorithm explicit to ``jwt.decode()`` to avoid some vulnerabilities.
For details see the blog post by Tim McLean about some
"`Critical vulnerabilities in JSON Web Token libraries`_".

- Allow expiration_delta and leeway as number of seconds in addition to
datetime.timedelta.

- Some code cleanup and refactoring.

.. _6: https://github.com/morepath/more.jwtauth/issues/6
.. _Critical vulnerabilities in JSON Web Token libraries:
https://www.chosenplaintext.ca/2015/03/31/jwt-algorithm-confusion.html

0.8

----------------

- We now use virtualenv and pip instead of buildout to set up the
development environment. A development section has been
added to the README accordingly.
- Review and optimize the tox configuration.
- Upgrade to PyJWT 1.4.2 and Cryptography 1.5.2.

0.7

----------------

- Upgrade to Morepath 0.15.
- Upgrade to PyJWT 1.4.1 and Cryptography 1.4.
- Add testenv for Python 3.5 and make it the default test environment.
- Change author to "Morepath developers".
- Clean up classifiers.

Page 1 of 2

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.