More.jwtauth

Latest version: v0.14

Page 2 of 3

0.9
----------------

- **New:** Add an API to refresh the JWT token (see issue `6`_).

  This adds 4 new settings:

  * ``allow_refresh``: Enables the token refresh API when True.
  * ``refresh_delta``: The time delta in which the token can be refreshed,
    considering the leeway.
  * ``refresh_nonce_handler``: Dotted path to a callback function, which receives
    the userid as argument and returns a nonce which will be validated before
    refreshing.
  * ``verify_expiration_on_refresh``: If False, expiration_delta for the JWT
    token will not be checked during refresh.
    Otherwise you can refresh the token only if it's not yet expired.

  It also adds 2 claims to the token when refreshing is enabled:

  * ``refresh_until``: Timestamp until which the token can be refreshed.
  * ``nonce``: The nonce which was returned by ``refresh_nonce_handler``.

  For details see README.rst.

- **Removed:** The ``verify_expiration`` setting has been removed as it was
  mainly for custom handling of token refreshing, which is now obsolete.

- Pass the algorithm explicitly to ``jwt.decode()`` to avoid some vulnerabilities.
  For details see the blog post by Tim McLean about some
  "`Critical vulnerabilities in JSON Web Token libraries`_".

- Allow expiration_delta and leeway as number of seconds in addition to
  datetime.timedelta.

- Some code cleanup and refactoring.

.. _6: https://github.com/morepath/more.jwtauth/issues/6
.. _Critical vulnerabilities in JSON Web Token libraries:
   https://www.chosenplaintext.ca/2015/03/31/jwt-algorithm-confusion.html
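
The algorithm pinning described in the 0.9 entry, shown as an added example that is not more.jwtauth's or PyJWT's own code: a standard-library HS256 sketch in which one verifier lets the token header choose the algorithm and the other takes it from the caller. All function names, the key and both tokens are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (hypothetical minimal issuer)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def decode_header_trusting(token: str, key: bytes) -> dict:
    """Pre-fix pattern: the token's own header selects the verification."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head))["alg"]
    if alg == "none":  # header claims "unsigned" and the verifier believes it
        return json.loads(b64url_decode(body))
    if alg == "HS256":
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(good, b64url_decode(sig)):
            return json.loads(b64url_decode(body))
    raise ValueError("invalid token")

def decode_pinned(token: str, key: bytes, algorithm: str = "HS256") -> dict:
    """Fixed pattern: the caller states the algorithm; the header must match."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != algorithm:
        raise ValueError("algorithm not allowed")
    if algorithm != "HS256":
        raise ValueError("only HS256 is implemented in this sketch")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

KEY = b"constructed-demo-secret"
GOOD = sign_hs256({"sub": "alice"}, KEY)
# Constructed test vector: header says alg=none and the signature is empty.
UNSIGNED = b64url(b'{"alg":"none"}') + "." + b64url(b'{"sub":"admin"}') + "."
```

The same two tokens make a useful regression test for any verifier: the pinned one must accept ``GOOD`` and raise on ``UNSIGNED``.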

0.8
----------------

Not secure

- We now use virtualenv and pip instead of buildout to set up the
  development environment. A development section has been
  added to the README accordingly.
- Review and optimize the tox configuration.
- Upgrade to PyJWT 1.4.2 and Cryptography 1.5.2.

0.7
----------------

Not secure

- Upgrade to Morepath 0.15.
- Upgrade to PyJWT 1.4.1 and Cryptography 1.4.
- Add testenv for Python 3.5 and make it the default test environment.
- Change author to "Morepath developers".
- Clean up classifiers.

0.6
----------------

Not secure

- Make Cryptography optional.

  **Breaking Change:** For using other algorithms than HMAC you now need
  to install the ``crypto`` dependencies explicitly. Read the note in the
  Requirements section and the new Installation section of README.rst.

- Add an Installation section to the README.
- Refactor the cryptography test suite.

0.5
----------------

Not secure

- Adding some tests.
- Increase coverage to 100%.
- Add travis-ci and tox integration.
- Some clean-up.
- Upgrade to Morepath 0.14.
- Some improvements to the setup and release workflow.

0.4
----------------

Not secure

- Upgrade to Morepath 0.13.2 and update the tests.
- Upgrade PyJWT to 1.3.0 and cryptography to 1.3.1.
- Make it a PyPI package and release it. Fixes Issue 1.
