forgejo/vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md
Fabian Zaremba 2e7ccecfe6 Git LFS support v2 (#122)
* Import github.com/git-lfs/lfs-test-server as lfs module base

Imported commit is 3968aac269a77b73924649b9412ae03f7ccd3198

Removed:

Dockerfile CONTRIBUTING.md mgmt* script/ vendor/ kvlogger.go
.dockerignore .gitignore README.md

* Remove config, add JWT support from github.com/mgit-at/lfs-test-server

Imported commit f0cdcc5a01599c5a955dc1bbf683bb4acecdba83

* Add LFS settings

* Add LFS meta object model

* Add LFS routes and initialization

* Import github.com/dgrijalva/jwt-go into vendor/

* Adapt LFS module: handlers, routing, meta store

* Move LFS routes to /user/repo/info/lfs/*

* Add request header checks to LFS BatchHandler / PostHandler

* Implement LFS basic authentication

* Rework JWT secret generation / load

* Implement LFS SSH token authentication with JWT

Specification: https://github.com/github/git-lfs/tree/master/docs/api

* Integrate LFS settings into install process

* Remove LFS objects when repository is deleted

Only removes objects from content store when deleted repo is the only
referencing repository

* Make LFS module stateless

Fixes bug where LFS would not work after installation without
restarting Gitea

* Change 500 'Internal Server Error' to 400 'Bad Request'

* Change sql query to xorm call

* Remove unneeded type from LFS module

* Change internal imports to code.gitea.io/gitea/

* Add Gitea authors copyright

* Change basic auth realm to "gitea-lfs"

* Add unique indexes to LFS model

* Use xorm count function in LFS check on repository delete

* Return io.ReadCloser from content store and close after usage

* Add LFS info to runWeb()

* Export LFS content store base path

* LFS file download from UI

* Work around git-lfs client issue with unauthenticated requests

Returning a dummy Authorization header for unauthenticated requests
lets git-lfs client skip asking for auth credentials
See: https://github.com/github/git-lfs/issues/1088

* Fix unauthenticated UI downloads from public repositories

* Authentication check order, Finish LFS file view logic

* Ignore LFS hooks if installed for current OS user

Fixes Gitea UI actions for repositories tracking LFS files.
Checks for minimum needed git version by parsing the semantic version
string.

* Hide LFS metafile diff from commit view, marking as binary

* Show LFS notice if file in commit view is tracked

* Add notbefore/nbf JWT claim

* Correct lint suggestions - comments for structs and functions

- Add comments to LFS model
- Function comment for GetRandomBytesAsBase64
- LFS server function comments and lint variable suggestion

* Move secret generation code out of conditional

Ensures no LFS code may run with an empty secret

* Do not hand out JWT tokens if LFS server support is disabled
2016-12-26 09:16:37 +08:00

5.8 KiB

jwt-go Version History

3.0.0

  • Compatibility Breaking Changes: See MIGRATION_GUIDE.md for tips on updating your code
    • Dropped support for []byte keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
    • ParseFromRequest has been moved to request subpackage and usage has changed
    • The Claims property on Token is now type Claims instead of map[string]interface{}. The default value is type MapClaims, which is an alias to map[string]interface{}. This makes it possible to use a custom type when decoding claims.
  • Other Additions and Changes
    • Added Claims interface type to allow users to decode the claims into a custom type
    • Added ParseWithClaims, which takes a third argument of type Claims. Use this function instead of Parse if you have a custom type you'd like to decode into.
    • Dramatically improved the functionality and flexibility of ParseFromRequest, which is now in the request subpackage
    • Added ParseFromRequestWithClaims which is the FromRequest equivalent of ParseWithClaims
    • Added new interface type Extractor, which is used for extracting JWT strings from http requests. Used with ParseFromRequest and ParseFromRequestWithClaims.
    • Added several new, more specific, validation errors to error type bitmask
    • Moved examples from README to executable example files
    • Signing method registry is now thread safe
    • Added new property to ValidationError, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)

2.7.0

This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.

  • Added new option -show to the jwt command that will just output the decoded token without verifying
  • Error text for expired tokens includes how long it's been expired
  • Fixed incorrect error returned from ParseRSAPublicKeyFromPEM
  • Documentation updates

2.6.0

  • Exposed inner error within ValidationError
  • Fixed validation errors when using UseJSONNumber flag
  • Added several unit tests

2.5.0

  • Added support for signing method none. You shouldn't use this. The API tries to make this clear.
  • Updated/fixed some documentation
  • Added more helpful error message when trying to parse tokens that begin with BEARER

2.4.0

  • Added new type, Parser, to allow for configuration of various parsing parameters
    • You can now specify a list of valid signing methods. Anything outside this set will be rejected.
    • You can now opt to use the json.Number type instead of float64 when parsing token JSON
  • Added support for Travis CI
  • Fixed some bugs with ECDSA parsing

2.3.0

  • Added support for ECDSA signing methods
  • Added support for RSA PSS signing methods (requires go v1.4)

2.2.0

  • Gracefully handle a nil Keyfunc being passed to Parse. Result will now be the parsed token and an error, instead of a panic.

2.1.0

Backwards compatible API change that was missed in 2.0.0.

  • The SignedString method on Token now takes interface{} instead of []byte

2.0.0

There were two major reasons for breaking backwards compatibility with this update. The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations. There will likely be no required code changes to support this change.

The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods. Not all keys used for all signing methods have a single standard on-disk representation. Requiring []byte as the type for all keys proved too limiting. Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys. Backwards compatibilty has been maintained for passing []byte to the RSA signing methods, but they will also accept *rsa.PublicKey and *rsa.PrivateKey.

It is likely the only integration change required here will be to change func(t *jwt.Token) ([]byte, error) to func(t *jwt.Token) (interface{}, error) when calling Parse.

  • Compatibility Breaking Changes
    • SigningMethodHS256 is now *SigningMethodHMAC instead of type struct
    • SigningMethodRS256 is now *SigningMethodRSA instead of type struct
    • KeyFunc now returns interface{} instead of []byte
    • SigningMethod.Sign now takes interface{} instead of []byte for the key
    • SigningMethod.Verify now takes interface{} instead of []byte for the key
  • Renamed type SigningMethodHS256 to SigningMethodHMAC. Specific sizes are now just instances of this type.
    • Added public package global SigningMethodHS256
    • Added public package global SigningMethodHS384
    • Added public package global SigningMethodHS512
  • Renamed type SigningMethodRS256 to SigningMethodRSA. Specific sizes are now just instances of this type.
    • Added public package global SigningMethodRS256
    • Added public package global SigningMethodRS384
    • Added public package global SigningMethodRS512
  • Moved sample private key for HMAC tests from an inline value to a file on disk. Value is unchanged.
  • Refactored the RSA implementation to be easier to read
  • Exposed helper methods ParseRSAPrivateKeyFromPEM and ParseRSAPublicKeyFromPEM

1.0.2

  • Fixed bug in parsing public keys from certificates
  • Added more tests around the parsing of keys for RS256
  • Code refactoring in RS256 implementation. No functional changes

1.0.1

  • Fixed panic if RS256 signing method was passed an invalid key

1.0.0

  • First versioned release
  • API stabilized
  • Supports creating, signing, parsing, and validating JWT tokens
  • Supports RS256 and HS256 signing methods