All notable changes to this project will be documented in this file.
- BREAKING: `jwt.verify` now requires an `algorithm` parameter, and `jws.createVerify` requires an `algorithm` option. The `"alg"` field in signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by `jwt.verify`. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.
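
The rule described in this entry, as an added example that is not code from this project: a verifier that takes the algorithm from the caller and never reads the token's `"alg"` header. It uses Node's built-in `crypto` with HMAC only; `signCompact`, `verifyPinned`, the secret and the tokens are hypothetical names and constructed sample data.

```javascript
// Added example, not the jws library's code. All names are hypothetical.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Caller-side allow-list: JWS algorithm name -> Node HMAC digest name.
const HMAC_ALGS = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };

// Builds a compact JWS for the constructed sample tokens below.
// `algorithm` is what is really used to sign; `headerObj.alg` is only a label.
function signCompact(headerObj, payload, secret, algorithm) {
  const input = b64url(JSON.stringify(headerObj)) + '.' + b64url(payload);
  const sig = algorithm === 'none' ? '' :
    b64url(crypto.createHmac(HMAC_ALGS[algorithm], secret).update(input).digest());
  return input + '.' + sig;
}

// Verifies under the algorithm the caller pins; the header is never parsed.
function verifyPinned(token, algorithm, secret) {
  const digest = HMAC_ALGS[algorithm];
  if (!digest) throw new TypeError('missing or unsupported algorithm: ' + algorithm);
  const parts = String(token).split('.');
  if (parts.length !== 3) return false;
  const expected = crypto.createHmac(digest, secret)
    .update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  // timingSafeEqual throws on unequal lengths, so check length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data.
const SECRET = 'constructed-demo-secret';
const good = signCompact({ alg: 'HS256' }, 'hello', SECRET, 'HS256');
const unsigned = signCompact({ alg: 'none' }, 'hello', SECRET, 'none');
const mislabeled = signCompact({ alg: 'HS512' }, 'hello', SECRET, 'HS256');

function demo() {
  return {
    good: verifyPinned(good, 'HS256', SECRET),             // signed as pinned
    unsigned: verifyPinned(unsigned, 'HS256', SECRET),     // empty signature
    mislabeled: verifyPinned(mislabeled, 'HS256', SECRET), // header label ignored
  };
}

console.log(demo());
```

The `mislabeled` token is accepted because its signature is valid under the pinned algorithm; the header's claim plays no part in the decision either way.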
2.0.0 - 2015-01-30
- BREAKING: Default payload encoding changed from `binary` to `utf8`. `utf8` is a more sensible default than `binary` because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)
- Code reorganization, thanks @fearphage! (7880050)
- Option in all relevant methods for `encoding`. For those few users that might be depending on a `binary` encoding of the messages, this is for them. (6b6de48)