All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
Changes for the upcoming release can be found in the changelog.d directory in
this repository.
Do NOT add changelog entries here! This changelog is managed by towncrier and is compiled at release time.
.. towncrier release notes start
- Fixed usage of deprecated functions for Python 3.10, djangorestframework 3.13, and Django 4.0 (#107)
- Fix broken migration for 'blacklisted' token ids. The migration released in v1.18.0 would fail if you had any existing blacklisted tokens. (#94)
- Adds PyJWT 2.x support. Note that this is only supported on Python 3.6+ as PyJWT 2.x only supports that. PyJWT 1.x is also still supported and continues to work on the same set of Python versions as before. (#91)
- Apply 'blacklist' to any token from the same line of refreshed tokens as any invalidated token, where token ids are available. Avoid storing whole auth tokens when the `JWT_TOKEN_ID` setting is set to `'require'`. Please see notes in docs on migrating from `JWT_TOKEN_ID` `'allow'` (the default) to `'require'` (recommended). (#84)
- Improve error handling for tokens with an unrecognized key identifier (`kid`). (#78)
- Fixed JWT creation status codes from 200 to 201 (#80)
- Add obtain_token management command (#62)
- If the authentication header can't be parsed, fall back to cookies or allow other handlers. (#71)
- Improve error handling for invalid tokens. (#77)
- Default to including a token ID claim (`jti`) in all tokens. For tokens resulting from refresh, also include the token ID of the original token in the chain of refreshes as `orig_jti`. (#69)
- Add explanation for blacklisting feature to the documentation. (#61)
- When the Authorization header is sent with a prefix other than the default, an error is raised. It should instead return None and continue on to the other authentication middleware. (#65)
- Added a section about protecting views properly using the appropriate decorator for function-based views and the appropriate variable for class-based views. (#67)
- Allow use without blacklist app being installed. (#51)
- Fix Python 2 regression in model translations not being unicode aware, and use lazy gettext in the models so they can be imported before the translation system has been initialised. (#54)
- Use `get_or_create` on blacklist token creation instead of a database uniqueness constraint on the token parameter to make blacklist functionality work on MySQL. (#58)
- Use DRF's JSON encoder for JWT tokens, to allow for encoding e.g. users that have UUID primary keys. (#50)
- Run `mkdocs` with Python 3.6 until it adds support for newer versions of Python. (#49)
- Support multiple algorithms and keys

  Existing code made key rollovers or algorithm changes hard and basically required a breaking change: once any of `JWT_ALGORITHM`, `JWT_SECRET_KEY`, or `JWT_PRIVATE_KEY`/`JWT_PUBLIC_KEY` were changed, existing tokens were rendered invalid. We now support `JWT_ALGORITHM`, `JWT_SECRET_KEY`, and `JWT_PUBLIC_KEY` optionally being a list, where all members are accepted as valid. When `JWT_SECRET_KEY` is a list, the first member is used for signing and all others are accepted for verification.

- Support multiple keys with key ids

  We also support identifying keys by key id (`kid` header): when a JWT carries a key id, we can tell immediately whether it is known and need to make at most one verification attempt. To configure keys with ids, `JWT_SECRET_KEY`, `JWT_PRIVATE_KEY` and `JWT_PUBLIC_KEY` can now also be a dict in the form `{ "kid1": key1, "kid2": key2, ... }`. When a JWT does not carry a key id (`kid` header), the default is to fall back to trying all keys if keys are named (defined as a dict). Setting `JWT_INSIST_ON_KID: True` avoids this fallback and requires any JWT to be validated to carry a key id if key IDs are used. NOTE: for Python < 3.7, use a `collections.OrderedDict` object instead of a dict.

- Require cryptographic dependencies of PyJWT

  We changed the PyJWT requirement to include support for RSA by default. This was done to improve the user experience, but will lead to cryptography support being installed where not already present. See: https://pyjwt.readthedocs.io/en/latest/installation.html#cryptographic-dependencies-optional (#33)
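As an added illustration (not code from drf-jwt or PyJWT), the following stdlib-only Python models the key-selection rules described above: named keys looked up by `kid`, the fall-back to trying every key when a token carries no `kid`, the `JWT_INSIST_ON_KID` behaviour, and the list form where any member verifies. The function names (`select_keys`, `encode_hs256`, `decode_hs256`, `is_valid`) and the minimal HS256 encoder are assumptions made so the example runs offline.

```python
# Added example (not drf-jwt code): models the kid / multi-key verification rules.
import base64
import hashlib
import hmac
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(payload, key, kid=None):
    """Mint a compact HS256 JWT; the kid is placed in the header when given."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def select_keys(token, keys, insist_on_kid=False):
    """Candidate verification keys: a dict is looked up by kid (unknown kid -> none); a token
    without a kid falls back to every named key unless insist_on_kid; a list accepts any member."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return []
    kid = header.get("kid")
    if isinstance(keys, dict):
        if kid is not None:
            return [keys[kid]] if kid in keys else []
        return [] if insist_on_kid else list(keys.values())
    return list(keys) if isinstance(keys, (list, tuple)) else [keys]

def decode_hs256(token, keys, insist_on_kid=False):
    """Return the payload if a candidate key verifies the signature, else raise."""
    signing_input, _, sig = token.rpartition(".")
    for key in select_keys(token, keys, insist_on_kid):
        expected = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig)):
            return json.loads(_b64url_decode(token.split(".")[1]))
    raise ValueError("no configured key verified this token")

def is_valid(token, keys, insist_on_kid=False):
    try:
        decode_hs256(token, keys, insist_on_kid)
        return True
    except ValueError:
        return False
```

With a dict of keys a token naming an unknown `kid`, or one whose `kid` names the wrong key, is rejected without trying the other keys; only a token with no `kid` at all triggers the try-all fallback, and `insist_on_kid=True` closes that path.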
-
- Fix deprecation warnings in Django 3 caused by imports of `ugettext` and `force_text`. (#45)
- Remove the tests that reload the settings module. For some reason, `pytest`'s `monkeypatch` was failing to mock settings when executed after these tests. Since these tests tested runtime behavior that would have been caught by users on startup anyway, it's easier to remove them than fix them. (#48)
- Add the manual deploy stage until the Travis build is fixed (#48)
- Added new encrypted PyPI API token for travis deployment. (#39)
- Fixed issues when the `JWT_GET_USER_SECRET_KEY` method is overridden:
  - If the payload contains a non-existent user, a validation error will be raised (same as when the method is not overridden).
  - The `jwt_get_secret_key` will now use the `JWT_PAYLOAD_GET_USERNAME_HANDLER` configuration. (#41)
- Added check in authentication if blacklist app is installed before checking if any Blacklisted tokens exist (#35)
- Security: Disallow refresh token for blacklisted tokens. (#37)
- Blacklisting allows the user to blacklist his own token. (#27)
- Drop support for Python 3.3 and 3.4 (#27)
- Changed occurrences of `smart_text` to `smart_str` since it was deprecated in Django 3.x (#28)
- Impersonation allows the service to perform actions on the client's behalf. A typical use case would be troubleshooting: we can act as the user who submitted an issue without requiring their login credentials. (#26)
- Added `JWT_AUTH_COOKIE_*` settings paralleling Django's `SESSION_COOKIE_*`, which are used for `JWT_AUTH_COOKIE` and `JWT_IMPERSONATION_COOKIE`. This changes the default `Secure` attribute from `False` to `True`. Users wishing to use JWT cookies over plain HTTP (i.e. without TLS/SSL) need to set `JWT_AUTH_COOKIE_SECURE` to `False`. This change is intentional, to follow common best practice. With Django versions >= 2.1.0, the `Samesite` attribute is set to `Lax` by default. (#29)
- Document compatibility with Python 3.7. (#23)
- Add support for Django 3.0, Python 3.8 and `djangorestframework` 3.11 (#24)
- Run the test suite against the `demo` project. The same project can be used for local development as well.
- Add the `serve` environment to `tox` that starts the `demo` project's development server. To use it, run: `$ tox -e serve` (#24)
- Remove serialization on response data in `BaseJSONWebTokenAPIView` because it breaks custom response payload handlers which add extra data to the response payload. This change aligns this fork more closely with the original and makes it easier to use this fork as a drop-in replacement for the original. Also change the `ResponsePayload` from a `namedtuple` to a dictionary because `namedtuple` is not JSON serializable (#22)
- Added support for djangorestframework 3.10 (#18)
- Allow control of setting the `user_id` in the payload with `JWT_PAYLOAD_INCLUDE_USER_ID`. (#20)
- Use pk to get the profile's id in `rest_framework_jwt.utils.jwt_create_payload`. (#15)
- Pass `request` to `django.contrib.auth.authenticate`. (#14)
- Added `on_delete` to `tests.models.UserProfile.user`, required by Django 2.2, and added Django 2.x, Python 3.7 and djangorestframework 3.9 to the support matrix. (#9)
No significant changes.
- Fixed inconsistent View names. (#7)
- The default configuration of `JWT_AUTH_HEADER_PREFIX` was changed from `JWT` to `Bearer`. Add `"JWT_AUTH_HEADER_PREFIX": "JWT",` to your `JWT_AUTH` if you want to keep the previous behavior.
- Updated docs. Drop support for Django < 1.8 and DRF < 3.7.x. (#6)
- Switch to Travis CI build stages (#3)
- Project restructuring according to SDS code style and conventions. (#2)