5.0.0 Beta 3

What's Changed

• Change to non-optional function String <-> Data by @zunda-pixel in #156
• Add initialisers to vendor identity tokens by @ptoffy in #150
• 🚨Update verify function parameter to use some JWTAlgorithm by @ptoffy in #152
• 🚨Generic key addition by @ptoffy in #160
• 🚨Make JWTError Sendable by @ptoffy in #162
• 🚨Update swift version and readme for beta 3 by @ptoffy #164

Breaking Changes

• The minimum supported Swift version is now 5.10
• All algorithm specific key addition functions of JWTKeyCollection have been updated to be algorithm agnostic, for example the JWTKeyCollection.addHS256(key: ...) has been renamed to JWTKeyCollection.addHMAC(key: ..., digestAlgorithm: .sha256) etc.
• The JWTPayload's verify function now takes some JWTAlgorithm instead of any JWTAlgorithm
• JWTError.malformedToken was removed in favour of JWTError.malformedToken(reason:)

Full Changelog: 5.0.0-beta.2...5.0.0-beta.3

4.13.4 - Fix RSA memory leak, take 2

What's Changed

Don't allocate new RSA keys when signing by @gwynne in #161

This patch was released by @gwynne

Full Changelog: 4.13.3...4.13.4

4.13.3 - Fix RSA memory leak

What's Changed

Deinitialise correct pointer by @ptoffy in #158

This aims to fix the memory leak reported in #157

This patch was released by @ptoffy

Full Changelog: 4.13.2...4.13.3

5.0.0 Beta 2

What's Changed

• Update CI by @ptoffy in #146
• Add kid param to sign function by @ptoffy in #144
• make JWK.Curve Equatable again by @JaapWijnen in #145
• add curve and parameters properties to ECDSAKey protocol by @JaapWijnen in #143

Full Changelog: 5.0.0-beta.1...5.0.0-beta.2

5.0.0 Beta 1

First beta release of major version 5.

• Remove BoringSSL by @ptoffy @gwynne
• Add Sendable conformance by @ptoffy
• Add PSS algorithm family by @MFranceschi6
• Allow for header, parsing and serialising customisation by @ptoffy
• Replace JWTSigners with JWTKeyCollection by @ptoffy

For all changes check out #107

4.13.2 - Update BoringSSL

What's Changed

Update BoringSSL by @0xTim in #134

Updates BoringSSL to revision 58a318edc892a595a5b043359a5d441869158699

This is the final non-security release of JWTKit v4

This patch was released by @ptoffy

Full Changelog: 4.13.1...4.13.2

4.13.1 - Increase permitted range for crypto-kit dependency

What's Changed

Increase permitted range for crypto-kit dependency by @AndyHeardApps in #98

Currently the crypto-kit package has a permitted version range of 2.0.0 ..< 3.0.0. With the release of crypto-kit 3.0.0, this range is preventing Vapor apps from making use of the latest versions. Increasing the range to 2.0.0 ..< 4.0.0 allows apps to use the latest release without forcing an update.

This patch was released by @0xTim

Full Changelog: 4.13.0...4.13.1

4.13.0 - Add customizable JSON encoders and decoders

Add new, fully source-compatible APIs to JWTSigners and JWTSigner which allow specifying custom JSON encoders and decoders. Also provides the JWTJSONEncoder and JWTJSONDecoder protocols, which allow using alternative JSON implementations.

Custom coders specified for a single JWTSigner affect token parsing and signing performed only by that signer. Custom coders specified on a JWTSigners object will become the default coders for all signers added to that object, unless a given signer already specifies its own custom coders.

The default encoding and decoding implementation provided for JWTUnixEpochClaim (of which ExpirationClaim (exp), IssuedAtClaim (iat), and NotBeforeClaim (nbf) are examples) has been adjusted to encode and decode its Date value directly, rather than performing the explicit conversion to and from a Double. This allows these claims to take advantage of the dateEncodingStrategy and dateDecodingStrategy specified on custom JSON coders. (It also gives a bit of the lie to the name JWTUnixEpochClaim, but it's public API, so I left it alone.)

The default coders in use remain the same: An encoder and decoder which use the .secondsSince1970 date encoding/decoding strategy. As such, neither the new support nor the change to Date-based claims affects how tokens are signed or verified unless custom coders with different strategies are specified (that being, after all, the original need which inspired these changes).

Finally, an .integerSecondsSince1970 date encoding and decoding strategy has been added to the public API for the benefit of interoperation with JWT implementations - such as that used by GitHub - which require the aforementioned date-based claims to specify values as an integer number of seconds. (As GitHub proves, while this is in violation of the definition of NumericDate given by RFC 7519 § 2, which explicitly permits floating-point values, it nonetheless appears in the wild.)

This is a semver-minor release, as it adds new public API (although it has been careful to fully retain source compatibility, at the cost of a goodly amount of silly-looking repetition in the implementation - please, do not ask me if I know what default parameter values are! 😂).

AppleIdentityToken: Adds `real_user_status` claim

This patch was authored by @qalandarov and released by @0xTim.

Adds the missing real_user_status claim which helps detecting if the user is likely a real person. Closes #88

Improve JWKS `find(identifier:type:)`

This patch was authored by @nnsnodnb and released by @0xTim.

Update JWKS find(identifier:type:) to use better Swift algorithms for matching