All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
Changes for the upcoming release can be found in the changelog.d directory in this repository.
Do NOT add changelog entries here! This changelog is managed by towncrier and is compiled at release time.
.. towncrier release notes start
- If the authentication header can't be parsed, fall back to cookies or allow other handlers. (#71)
- Improve error handling for invalid tokens. (#77)
- Default to including a token ID claim (``jti``) in all tokens. For tokens resulting from refresh, also include the token ID of the original token in the chain of refreshes as ``orig_jti``. (#69)
- Add explanation for the blacklisting feature to the documentation. (#61)
- When the Authorization header is sent with a prefix other than the default, an error is raised. It should instead return ``None`` and continue toward the other authentication middleware. (#65)
- Added a section about protecting views properly, using the appropriate decorator for function-based views and the class variable for class-based views. (#67)
- Allow use without the blacklist app being installed. (#51)
- Fix Python 2 regression in model translations not being unicode aware, and use lazy gettext in the models so they can be imported before the translation system has been initialised. (#54)
- Use ``get_or_create`` on blacklist token creation instead of a database uniqueness constraint on the token parameter, to make the blacklist functionality work on MySQL. (#58)
- Use DRF's JSON encoder for JWT tokens, to allow for encoding e.g. users that have UUID primary keys. (#50)
- Run ``mkdocs`` with Python 3.6 until it adds support for newer versions of Python. (#49)
- Support multiple algorithms and keys. Existing code made key rollovers or algorithm changes hard and basically required a breaking change: once any of ``JWT_ALGORITHM``, ``JWT_SECRET_KEY``, or ``JWT_PRIVATE_KEY``/``JWT_PUBLIC_KEY`` were changed, existing tokens were rendered invalid. We now support ``JWT_ALGORITHM``, ``JWT_SECRET_KEY``, and ``JWT_PUBLIC_KEY`` optionally being a list, where all members are accepted as valid. When ``JWT_SECRET_KEY`` is a list, the first member is used for signing and all others are accepted for verification.
- Support multiple keys with key ids. We also support identifying keys by key id (``kid`` header): when a JWT carries a key id, we can immediately tell whether it is known and only need to make at most one verification attempt. To configure keys with ids, ``JWT_SECRET_KEY``, ``JWT_PRIVATE_KEY`` and ``JWT_PUBLIC_KEY`` can now also be a dict of the form ``{"kid1": key1, "kid2": key2, ...}``. When a JWT does not carry a key id (``kid`` header), the default is to fall back to trying all keys if keys are named (defined as a dict). Setting ``JWT_INSIST_ON_KID: True`` avoids this fallback and requires any JWT to be validated to carry a key id if key IDs are used. NOTE: for Python < 3.7, use a ``collections.OrderedDict`` object instead of a dict.
- Require cryptographic dependencies of PyJWT. We changed the PyJWT requirement to include support for RSA by default. This was done to improve the user experience, but will lead to cryptography support being installed where not already present. See: https://pyjwt.readthedocs.io/en/latest/installation.html#cryptographic-dependencies-optional (#33)
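As an added illustration of the key-id rules described in the entries above (example code, not this project's own), here is a standard-library-only HS256 signer and verifier over a named-key dict: a ``kid`` header selects exactly one key, an unknown ``kid`` is rejected without guessing, and a missing ``kid`` falls back to trying every key unless the verifier insists on one. The ``sign``/``verify`` helpers, the sample keys and the ``insist_on_kid`` flag (standing in for ``JWT_INSIST_ON_KID``) are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample keys in the {"kid1": key1, ...} dict form; the first entry signs.
KEYS = {"2023": b"old-secret-kept-for-rollover", "2024": b"current-secret"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, kid: Optional[str], keys: dict = KEYS) -> str:
    """Issue an HS256 token; kid=None omits the header, like a legacy token."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    key = keys[kid] if kid is not None else next(iter(keys.values()))
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify(token: str, keys: dict = KEYS, insist_on_kid: bool = False) -> Optional[dict]:
    """Return the payload when the signature checks out under the kid rules, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_unb64(head_b64))
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        return None
    kid = header.get("kid")
    if kid is not None:
        candidates = [keys[kid]] if kid in keys else []  # unknown kid: one lookup, no guessing
    elif insist_on_kid:
        return None  # JWT_INSIST_ON_KID-style behaviour: a key id is mandatory
    else:
        candidates = list(keys.values())  # default fallback: try every named key
    expected = _unb64(sig_b64)
    signing_input = (head_b64 + "." + body_b64).encode()
    for key in candidates:
        if hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), expected):
            return json.loads(_unb64(body_b64))
    return None
```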
- Fix deprecation warnings in Django 3 caused by imports of ``ugettext`` and ``force_text``. (#45)
- Remove the tests that reload the settings module. For some reason, ``pytest``'s ``monkeypatch`` was failing to mock settings when executed after these tests. Since these tests tested runtime behavior that would have been caught by users on startup anyway, it's easier to remove them than to fix them. (#48)
- Add the manual deploy stage until the Travis build is fixed. (#48)
- Added new encrypted PyPI API token for Travis deployment. (#39)
- Fixed issues when the ``JWT_GET_USER_SECRET_KEY`` method is overridden:

  - If the payload contains a non-existent user, a validation error will be raised (same as when the method is not overridden).
  - The ``jwt_get_secret_key`` will now use the ``JWT_PAYLOAD_GET_USERNAME_HANDLER`` configuration. (#41)

- Added a check in authentication that the blacklist app is installed before checking whether any blacklisted tokens exist. (#35)
- Security: Disallow refresh token for blacklisted tokens. (#37)
- Blacklisting allows the user to blacklist their own token. (#27)
- Drop support for Python 3.3 and 3.4. (#27)
- Changed occurrences of ``smart_text`` to ``smart_str`` since it was deprecated in Django 3.x. (#28)
- Impersonation allows the service to perform actions on the client's behalf. A typical use case would be troubleshooting: we can act like the user who submitted an issue without requiring their login credentials. (#26)
- Added ``JWT_AUTH_COOKIE_*`` settings paralleling Django's ``SESSION_COOKIE_*``, which are used for ``JWT_AUTH_COOKIE`` and ``JWT_IMPERSONATION_COOKIE``. This changes the default ``Secure`` attribute from ``False`` to ``True``. Users wishing to use JWT cookies over http (as in no TLS/SSL) need to set ``JWT_AUTH_COOKIE_SECURE`` to ``False``. This change is intentional, to follow common best practice. With Django versions >= 2.1.0, the ``Samesite`` attribute is set to ``Lax`` by default. (#29)
- Document compatibility with Python 3.7. (#23)
- Add support for Django 3.0, Python 3.8 and ``djangorestframework`` 3.11. (#24)
- Run the test suite against the ``demo`` project. The same project can be used for local development as well.
- Add the ``serve`` environment to ``tox`` that starts the ``demo`` project's development server. To use it, run ``$ tox -e serve``. (#24)
- Remove serialization on response data in ``BaseJSONWebTokenAPIView`` because it breaks custom response payload handlers which add extra data to the response payload. This change aligns this fork more closely with the original and makes it easier to use this fork as a drop-in replacement for the original. Also change the ``ResponsePayload`` from a ``namedtuple`` to a dictionary, because ``namedtuple`` is not JSON serializable. (#22)
- Added support for djangorestframework 3.10. (#18)
- Allow control of setting the ``user_id`` in the payload with ``JWT_PAYLOAD_INCLUDE_USER_ID``. (#20)
- Use pk to get the profile's id in ``rest_framework_jwt.utils.jwt_create_payload``. (#15)
- Pass ``request`` to ``django.contrib.auth.authenticate``. (#14)
- Added ``on_delete`` to ``tests.models.UserProfile.user``, required by Django 2.2, and added Django 2.x, Python 3.7 and djangorestframework 3.9 to the support matrix. (#9)

No significant changes.

- Fixed inconsistent View names. (#7)
- Updated docs. Drop support for Django < 1.8 and DRF < 3.7.x. (#6)
- Switch to Travis CI build stages. (#3)
- Project restructuring according to SDS code style and conventions. (#2)