ChangeLog

CHANGES
=======

19.0.0
------

* Add release notes for version 19.0.0
* Sem-Ver: api-break Change the default token lifetime to be 1 minute - it was previously 1 hour

18.0.1
------

* Add release notes for version 18.0.1
* Sem-Ver: bugfix Update package classifier information to include all supported python versions

18.0.0
------

* Add release notes for version 18.0.0
* Sem-Ver: bugfix Update CacheControl from version 0.12.14 to 0.13.1
* Sem-Ver: bugfix use aiohttp version 3.9.1 for testing
* Sem-Ver: bugfix use Django versions from 3.2.9 before 5.0.0 for testing
* Sem-Ver: bugfix use flask versions from 2.0.3 before 2.4.0 for testing
* Sem-Ver: api-break Drop support for python 3.6 & 3.7 as they have been end of life for a while
* Sem-Ver: feature add support for python 3.11
* Sem-Ver: bugfix Fix the flask tests for python 3.11

17.0.1
------

* Add release notes for version 17.0.1
* Sem-Ver: bugfix Update CacheControl from version 0.12.11 to 0.12.14
* Sem-Ver: bugfix Support ASAP\_VALID\_AUDIENCE being a list so that multiple auds can be accepted

17.0.0
------

* Add release notes for version 17.0.0
* Sem-Ver: bugfix Use ubuntu 20.04 in ci so that we can test against python 3.6
* Sem-Ver: api-break Have PyJWT specify the version ranges for the cryptography library

16.0.0
------

* Add release notes for version 16.0.0
* Sem-Ver: bugfix Update pycodestyle and flake8 in the ci build to version 2.9.1 & 5.0.4 respectively
* Sem-Ver: bugfix use aiohttp version 3.8.3 for testing
* Sem-Ver: bugfix use flask versions >= 2.0.3 < 2.3.0 for testing
* Sem-Ver: api-break upgrade cryptography from using a version >= 3.3.2 < 38.0.0 to using a version >= 3.3.2 < 39.0.0

15.0.1
------

* Add release notes for version 15.0.1
* Sem-Ver: bugfix Fix two possible memory leaks related to the use of lru\_cache on methods

15.0.0
------

* Add release notes for version 15.0.0
* Sem-Ver: bugfix Update the CodeQL configuration with regards to the new name of the default branch (main)
* Sem-Ver: bugfix Use aiohttp version 3.8.1 for testing
* Sem-Ver: bugfix use flask versions >= 2.0.3 < 2.2.0 for testing
* Sem-Ver: bugfix Use pytest versions < 8.0.0 for testing
* Sem-Ver: api-break upgrade cachecontrol from version 0.12.10 to 0.12.11
* Sem-Ver: api-break upgrade cryptography from using a version >= 3.3.2 < 37.0.0 to using a version >= 3.3.2 < 38.0.0

14.0.1
------

* Add release notes for version 14.0.1 and update the AUTHORS file
* Sem-Ver: bugfix The wsgi tests dir was missing a \_\_init\_\_.py file
* Sem-Ver: bugfix upgrade pyjwt to use a version >= 2.4.0 < 3.0.0
* Sem-Ver: bugfix Update the atlassian-httptest test dep to version 1.0.0

14.0.0
------

* Add release notes for version 14.0.0
* Sem-Ver: bugfix Stop testing with PyJWT < 2.0.0
* Sem-Ver: bugfix Move away from using asynctest in python versions where unittest async utils are available (3.8 and above)
* Sem-Ver: feature add support for python 3.10
* Sem-Ver: bugfix upgrade the version of Django used for testing to be >= 3.2.9 and < 3.3.0
* Sem-Ver: bugfix upgrade the version of Flask used for testing to be >= 2.0.3 and < 2.1.0. Note: As part of this we no longer pin specific versions of Jinja2, itsdangerous or MarkupSafe
* Sem-Ver: bugfix Switch from using nose to pytest for running tests
* Sem-Ver: bugfix Remove travis ci
* Sem-Ver: api-break upgrade cryptography from using a version >= 3.3.2 < 36.0.0 to using a version >= 3.3.2 < 37.0.0
* Sem-Ver: api-break upgrade cachecontrol from version 0.12.6 to 0.12.10
* Sem-Ver: bugfix Enable codeql analysis

13.0.0
------

* Add release notes for version 13.0.0
* Sem-Ver: api-break upgrade pyjwt from using a version >= 1.5.2 < 2.2.0 to using a version >= 2.2.0 < 2.3.0
* Sem-Ver: bugfix change description-file to be description\_file

12.0.0
------

* Add release notes for version 12.0.0
* Sem-Ver: feature Add support for python 3.9
* Sem-Ver: api-break upgrade cryptography from using a version >= 3.3.2 < 3.5.0 to use a version >= 3.3.2 and < 36.0.0

11.0.1
------

* Add release notes for version 11.0.1
* Sem-Ver: bugfix Add some missing package metadata information

11.0.0
------

* Sem-Ver: bugfix The aiohttp public key retriever incorrectly provided a proxies argument when it needed to provide a proxy argument
* Sem-Ver: feature Implement public key object caching
* Sem-Ver: api-break upgrade cryptography from using a version >= 3.3.1 < 3.4.0 to use a version >= 3.3.2 and < 3.5.0
* Sem-Ver: bugfix upgrade PyJWT from using a version >= 1.5.2 < 2.1.0 to use a version >= 1.5.2 and < 2.2.0
* Sem-Ver: bugfix Update the version of aiohttp used in testing from 3.6.2 to 3.7.4

10.1.0
------

* Add release notes for version 10.1.0
* Sem-Ver: feature Add support for using PyJWT 2.0.x

10.0.0
------

* Add release notes for version 10.0.0
* Sem-Ver: api-break Drop support for python 3.5 as part of upgrading cryptography from using a version >= 3.2.1 < 3.3.0 to use a version >= 3.3.1 and < 3.4.0

9.0.0
-----

* Add release notes for version 9.0.0
* Sem-Ver: feature Add support for python 3.8
* Sem-Ver: bugfix Add github actions for CI
* Sem-Ver: api-break Drop support for python 2.7

8.0.2
-----

* Add release notes for version 8.0.2
* Sem-Ver: bugfix upgrade cryptography from using a version >= 3.1.0 < 3.2.0 to use a version >= 3.2.1 and < 3.3.0

8.0.1
-----

* Add release notes for version 8.0.1
* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.8.0 < 2.9.0 to use a version >= 3.1.0 and < 3.2.0

8.0.0
-----

* Add release notes for version 8.0.0
* Sem-Ver: api-break Optimise the standard requests session based public key retrieval by obtaining proxy information from the environment once per a public key server and setting session.trust\_env to False. As a result of this change retrieving the same public key, with caching enabled, 10,000 times takes ~ 6 seconds instead of ~ 14 seconds
* Sem-Ver: bugfix For python 2.7 and 3.5 testing we need to pin itsdangerous to a version < 2.0.0

7.1.0
-----

* Add release notes for version 7.1.0
* Sem-Ver: bugfix When a connection error is encountered while attempting to fetch public keys in HTTPSMultiRepositoryPublicKeyRetriever continue to attempt key retrieval using other retrievers
* Sem-Ver: feature Add a handle\_retrieval\_exception method to the HTTPSMultiRepositoryPublicKeyRetriever class
* Sem-Ver: bugfix In CI move to using setup.py nosetests as setup.py test has been deprecated
* Sem-Ver: bugfix Run flake8 in ci
* Sem-Ver: bugfix Flake8 fix up - add an explicit check that the aud claim has been provided. This is not a breaking change because even if verify\_jwt was to use an audience value of None & a jwt did not have an aud claim, a KeyError would be raised
* Sem-Ver: bugfix Fix some issues that flake8 detected
* Sem-Ver: bugfix Fix up the name of the None algorithm auth signer
* Sem-Ver: bugfix For python 2.7 and 3.5 testing we need to pin MarkupSafe to a version < 2.0.0
* Sem-Ver: bugfix Add an explicit test for how none algorithm jwt are handled

7.0.0
-----

* Add release notes for version 7.0.0
* Sem-Ver: feature Log information on general exceptions in addition to specific exceptions
* Sem-Ver: bugfix Fix some issues that flake8 detected
* Sem-Ver: api-break Disable jti uniqueness checking by default
* Sem-Ver: bugfix Reduce the backend verifier cache max size from 130 to 20
* Sem-Ver: feature Add support to the various frameworks for being able to specify to not check jti uniqueness
* Sem-Ver: feature Cache Backend verifiers
* Sem-Ver: feature Add logging to the framework asap token checking code
* Sem-Ver: bugfix Catch SubjectDoesNotMatchIssuerException in the frameworks
* Sem-Ver: feature Add a SubjectDoesNotMatchIssuerException for when the subject does not match the issuer
* Sem-Ver: bugfix Catch JtiUniquenessException and respond with a 401 inside \_process\_asap\_token
* Sem-Ver: bugfix Deduplicate the various framework test create\_token methods
* Sem-Ver: bugfix Fix the spelling of the duplicate jti exception (rename JtiUniqunessException to JtiUniquenessException)
* Sem-Ver: feature Allow SettingsDict instances to be hashed
* Sem-Ver: feature Add and use a specific exception, JtiUniqunessException, for when a JTI is used more than once
* Sem-Ver: bugfix Switch the wsgi tests to use unittest assertions

6.0.0
-----

* Add release notes for version 6.0.0
* Sem-Ver: bugfix For python 2.7 and 3.5 testing we need to pin Jinja2 to a version < 3.0.0
* Sem-Ver: bugfix Update CacheControl from version 0.12.5 to 0.12.6
* Sem-Ver: feature Add support for python 3.7
* Sem-Ver: api-break Drop support for python3.4

5.0.3
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.7.0 < 2.8.0 to use a version >= 2.8.0 and < 2.9.0
* Add an example on how to generate jwt using a data uri private key

5.0.2
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.5.0 < 2.6.0 to use a version >= 2.7.0 and < 2.8.0

5.0.1
-----

* Sem-Ver: bugfix Fix the backend reference in OldStyleASAPMiddleware

5.0.0
-----

* Sem-Ver: api-break Re-use verifiers in the various middlewares and add an optional verifier argument to the _process_asap_token method
* Sem-Ver: api-break Share request sessions across key retriever instances so as to use a common cache

4.1.2
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.4.0 < 2.5.0 to use a version >= 2.5.0 and < 2.6.0
* Sem-Ver: bugfix upgrade the version of Django used for testing to using version 1.11
* Sem-Ver: bugfix upgrade pbr to use a version before 6.0.0
* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.3.0 < 2.4.0 to use a version >= 2.4.0 and < 2.5.0
* Sem-Ver: bugfix upgrade the version of flask used for testing from versions below 0.12 to versions below 1.1.0
* Sem-Ver: bugfix upgrade CacheControl from version 0.12.4 to 0.12.5

4.1.1
-----

*  Sem-Ver: bugfix Django middleware super call

4.1.0
-----

* Sem-Ver: feature Reduce the time taken to generate a jwt by caching loaded private key instances

4.0.2
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.2.1 < 2.3.0 to use a version >= 2.3.0 and < 2.4.0

4.0.1
-----

* Sem-Ver: bugfix When asap is not required and no asap token has been provided return early in _process_asap_token
* Update the changelog with more specific information on has changed with regards to the Django and Flask support

4.0.0
-----

* Sem-Ver: feature Add WSGI middleware
* Sem-Ver: api-break Rework Django and Flask support. As part of this change the Django and Flask support has moved from the `contrib` package to the new `frameworks` package.
* Add a readme to the contrib module

3.6.0
-----

* Sem-Ver: feature Support disabling checking if jwt jti are unique
* Sem-Ver: bugfix The HTTPSMultiRepositoryPublicKeyRetriever should try the next key repository upon encountering a server error (status code >= 500)

3.5.0
-----

* Sem-Ver: feature Support reusing tokens

3.4.0
-----

* Sem-Ver: feature Support specifying if the subject should match the issue in the Django ASAPForwardedMiddleware
* Sem-Ver: feature Support specifying if the subject should match the issue in the Django requires_asap decorator
* Sem-Ver: feature Add support for specifying the subject for JWTAuthSigner to use when generating claims

3.3.1
-----

* Sem-Ver: bugfix Use the raw string notation when specifying the key identifier regex
* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.1.3 < 2.2.0 to use a version >= 2.2.1 and < 2.3.0
* Sem-Ver: bugfix upgrade CacheControl from version 0.12.3 to 0.12.4

3.3.0
-----

* Sem-Ver: feature Add better Django ASAP middleware

3.2.2
-----

* Sem-Ver: bugfix Fix tuple assignment in wrapped exception mechanism.

3.2.1
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 2.0.3 < 2.1.0 to use a version >= 2.1.3 and < 2.2.0
* Sem-Ver: bugfix upgrade CacheControl from version 0.12.1 to 0.12.3

3.2.0
-----

* Sem-Ver: feature Cleanup responses from requires_asap
* Sem-Ver: bugfix Check authorization scheme in requires_asap and also send a WWW-Authenticate header where appropriate
* Sem-Ver: bugfix Clean up the django and flask requires_asap decorators by sharing their code
* Sem-Ver: bugfix HTTPSMultiRepositoryPublicKeyRetriever should raise PublicKeyRetrieverException and not KeyError when a key is not found
* Sem-Ver: bugfix Improvements to the readme file
* Sem-Ver: bugfix Make _seen_jti a ringbuffer and increase its capacity to 1000

3.1.0
-----

* Sem-Ver: feature Add Django middleware to auth forwarded clients
* Sem-Ver: bugfix upgrade cryptography from using a version >= 1.8.1 < 1.9.0 to use a version >= 2.0.3 and < 2.1.0

3.0.1
-----

* Sem-Ver: bugfix upgrade PyJWT from version 1.4.2 to use a version >= 1.5.2 but less than 2.0.0

3.0.0
-----

* Sem-Ver: feature Add a new HTTPSMultiRepositoryPublicKeyRetriever class which allows using multiple public key repositories.
* Sem-Ver: feature Add and use library specific exceptions instead of using ValueError
* Sem-Ver: api-break Add support for customising the value of the leeway used in the django and flask contrib code through the ASAP_VALID_LEEWAY setting & switch to a default leeway of 0 seconds

2.11.2
------

* Sem-Ver: bugfix Fix the requires_asap decorator for python 3 by forcing the HTTP_AUTHORIZATION header into bytes before parsing it

2.11.1
------

* Sem-Ver: bugfix Fix the default value for the auth header used in the Django requires_asap decorator to work in Python 3
* Sem-Ver: bugfix Warn when an import error occurs when importing aiohttp so that the tests do not fail in python >= 3.5 when aiohttp is not installed

2.11.0
------

* Sem-Ver: feature Provide aiohttp support

2.10.2
------

* Sem-Ver: bugfix Fix the decorator for Django (#38)

2.10.1
------

* Sem-Ver: bugfix upgrade cryptography from using a version >= 1.5.0 < 1.6.0 to use a version >= 1.8.1 and < 1.9.0
* Sem-Ver: bugfix upgrade CacheControl from version 0.11.6 to 0.12.1

2.10.0
------

* Sem-Ver: feature support passing in additional claims to contrib.requests.JWTAuth

2.9.0
-----

* Sem-Ver: feature add Django support - BBCDEV-4046.

2.8.1
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 1.3.0 < 1.4.0 to use a version >= 1.5.0 and < 1.6.0

2.8.0
-----

* Sem-Ver: feature Added ASAP_KEY_RETRIEVER_CLASS to simplify Flask testing
* Sem-Ver: bugfix HTTPSPublicKeyRetriever should raise a ValueError if the base_url is None.
* Sem-Ver: bugfix Fix an issue where Flask config values were not referenced properly

2.7.0
-----

* Sem-Ver: feature add to contrib flask_app that provides a @requires_asap decorator
* Sem-Ver: bugfix upgrade PyJWT from version 1.4.0 to 1.4.2

2.6.0
-----

* Sem-Ver: feature support passing through kwargs for the signer created in create_jwt_auth
* Generate a universal wheel

2.5.2
-----

* Sem-Ver: bugfix make the DataUriPrivateKeyRetriever able to be used with a signer to generate jwt
* Sem-Ver: bugfix support content-type headers that contain parameters in addition to the media-type.

2.5.1
-----

* Sem-Ver: bugfix upgrade cryptography from using a version >= 1.2.2 < 1.3.0 to use a version >= 1.3.0 and < 1.4.0

2.5.0
-----

* Add support for obtaining a key identifier and private key from a data uri.
* Standardise the PrivateKeyRepository classes and add docstring to the FilePrivateKeyRepository class
* Sem-Ver: bugfix upgrade CacheControl from version 0.11.5 to 0.11.6
* Sem-Ver: bugfix upgrade cryptography from version 1.2.2 to use a version >= 1.2.2 and < 1.3.0

2.4.0
-----

* Support providing additional_claims when generating a jwt.
* Update the location of the asap specification
* Rearranged the README and added badge for pypi

2.3.0
-----

* Added atlassian_jwt_auth.contrib.requests.JWTAuth
* Move test requirements out of setup.py and into test-requirements.txt
* Update pbr from version 1.0.1 to 1.8.1
* Support python 3.5.

2.2.0
-----

* Sem-Ver: bugfix upgrade cryptography from version 1.1.1 to 1.2.1
* Add the ability to accept JWT where the subject does not match the issuer

2.1.1
-----

* Sem-Ver: bugfix upgrade cryptography from version 1.1 to 1.1.1
* Sem-Ver: bugfix use a version of requests >= 2.8.1 but less than 3.0.0.

2.1.0
-----

* Sem-Ver: feature - Pass leeway param through to jwt.decode

2.0.0
-----

* Make use of new require_iat and require_exp options that PyJWT now accepts
* Sem-Ver: bugfix update the PyJWT dep from 1.3.0 to 1.4.0
* Sem-Ver: bugfix update the cryptography dep from 0.9.1 to 1.0.2
* Update the AUTHORS and the ChangeLog files
* Make the private key repository scanning actually work
* Clean up imports to follow google python style guides
* Support scanning for key file each time generate_jwt is called
* Sem-Ver: bugfix - update the build location information to reflect the build status of the master branch
* Sem-Ver: bugfix - update the build location information
* Sem-Ver: bugfix - update the installation instructions
* release 1.0.8

1.0.8
-----

* add the generated pbr changelog file changes in
* Add authors file

1.0.7
-----

* Add CI build information to the readme file
* Merged in update_cryptography_from_0.9_to_0.9.1 (pull request #4)
* Merged in use_supported_jwt_api_to_get_header (pull request #3)
* Use the new pyjwt api to get an verified header instead of calling their internal API
* update cryptography from 0.9 to 0.9.1
* Use pbr for setup configuration
* Add a mostly-generated Changelog file

1.0.6
-----

* Release version 1.0.6
* Merged in update_dependencies_28_05_2015 (pull request #2)
* Update PyJWT from version 1.1.0 to 1.3.0
* Upgrade CacheControl from version 0.11.2 to 0.11.5
* Upgrade cryptography from 0.8.2 to 0.9

1.0.5
-----

* release 1.0.5
* Merged in add_caching_for_key_retriever (pull request #1)
* update requests from 2.6.0 to 2.7.0
* Add caching to public key retrieval requests via cachecontrol

1.0.4
-----

* specify the version in setup.py from __init__.py - which now contains a __version__ field

1.0.3
-----

* bump the version to 1.0.3
* rename the private _key field of the JWTAuthSigner class to _private_key_pem
* s/signed_claims/a_jwt/ in the test code
* http headers are case insensitive - so the content-type check should be done in a case insensitive fashion
* pass through requests_kwargs through to public_key_retriever.retrieve(...)
* extract the key_id obtaining code from the jwt header out into a function
* s/verify_claims/verify_jwt/
* s/get_signed_claims/generate_jwt/
* s/_get_claims/_generate_claims/
* rename the JWTAuthSigner 'key' parameter to 'private_key_pem'
* update the readme with example use of the package
* set the pep8 version to 1.6.2 in the travis-ci file
* Add a travis-ci yaml file

0.0.2
-----

* release 0.0.2
* s/assertNotEquals/assertNotEqual/
* add support for python 2.7.X
* README.md edited online with Bitbucket

0.0.1
-----

* Make HTTPSPublicKeyRetriever take in and pass through keyword arguments for the requests.get(.
* remove the unused get_new_rsa_private_key_in_pem_format import from test_verifier
* pep8 fix ups
* update the test_signer code to use the new mixins
* Update the test_verifier code
* s/get_new_private_key/get_new_private_key_in_pem_format/ in the mixin classes
* Add JWTAuthVerifierRSATest and JWTAuthVerifierECDSATest classes which used the new mixins. Also rename TestJWTAuthVerifier to BaseJWTAuthVerifierTest
* Add some jwt algorithm mixins
* Make the KeyIdentifier.key_id field a property
* pep8 fix up
* Add a test to check that an jwt with a jti that has already been used is rejected
* update the jti rejection message
* wording change
* minor change to test_verify_claims_with_jwt_lasting_gt_max_time
* Add a test to check that jwt with lifetimes longer than the allowed maximum by the specification are rejected
* add a test to cover when claims['iss'] != claims['sub']
* if a key identifier does not contain a / then check if the key_id is equal to the claims issuer in verify_claims
* add a test to cover that if key_identifier does not start with issuer then an error is raised in verify_claims
* remove the superfluous 'the' in the issuer does not own the supplied public key message
* re-factor the TestJWTAuthVerifier class
* use the utils.get_example_jwt_auth_signer method in test_signer
* Add get_example_jwt_auth_signer to tests/utils
* Add a test for the JWTAuthVerifier
* Add a get_public_key_pem_for_private_key_pem to tests/utils
* create the JWTAuthSigner instance in get_example_jwt_auth_signer with key as a non-keyword style argument
* s/jws/a_jwt/ in verify_claims
* restructure the tests
* Use nose for running tests
* Add a test for JWTAuthSigner.get_signed_claims
* Set test_suite in setup.py
* Add a test to check that the jti changes between _get_claims calls
* use the timestamp of now in the jti instead of the string representation of the datetime object
* Add some tests
* Extract and fix getting the time in signer.py
* Fix up some minor errors in signer.py
* remove the unused os import from setup.py
* '..' is not permitted in a key identifier
* validate_key_identifier should never of taken in 'self' it only needs a key identifier
* add a setup.py file
* Add completely untested code
* init