v5.0.0

Notable new features in v5.0.0:

• Support for ECDSA and EdDSA algorithms:
  • ES256
  • ES384
  • ES512
  • Ed25519
  • Ed448
• Allow padding characters (even though non-standard) so e.g. AWS ALB JWTs can be verified with this library (however work is still underway to make that easier still, see #176 )
• The default response timeout of the JWKS fetcher was increased from 1500 ms. to 3000 ms. because multiple users reported the previous 1500 ms. being too low--they were hitting timeouts too often. We believe the 3000 ms. is a better, more reasonable, default value.

Breaking changes

This release includes breaking changes, hence moving to major version 5.0.0:

• Dropped support for Node.js 14, now 16 is the minimum.
• The fetchJson interface was changed and renamed to fetch. Thus the JsonFetcher was renamed to Fetcher, and corresponding changes were made in the SimpleJwksCache see #167. So, this affects users who were using the SimpleJsonFetcher, potentially to increase the response timeout (maybe that's no longer needed now, as we raised the default value from 1500 ms. to 3000 ms.).
• It is now allowed to use an explicit null as issuer when creating the verifier, to cater for issuers that create JWTs without iss field (which is non-standard): see #183 . Previously, you couldn't create a verifier for issuer null and JWTs without iss field would always throw JwtInvalidIssuerError. This change likely is breaking to no-one, but technically this is a breaking change. So if your code was explicitly using JwtInvalidIssuerError (e.g. because you imported it), check if it still TS-compiles and works.
• We renamed the JwtRsaVerifier to JwtVerifier as it handles ECDSA and EdDSA now too but created a top level (immediately deprecated) alias to JwtVerifier so if you do import { JwtRsaVerifier } from "aws-jwt-verifier" that still works. This will break though: import { JwtRsaVerifier } from "aws-jwt-verifier/jwt-rsa" and should become import { JwtVerifier } from "aws-jwt-verifier/jwt-verifier" (if for some reason you were importing like that and not from top-level).

What's Changed

• Bump vite from 4.5.2 to 4.5.3 in /tests/vite-app by @dependabot in #157
• Bump ws from 7.5.7 to 7.5.10 in /tests/cognito by @dependabot in #161
• Bump braces from 3.0.2 to 3.0.3 by @dependabot in #160
• Bump braces from 3.0.2 to 3.0.3 in /tests/vite-app by @dependabot in #162
• Bump braces from 3.0.2 to 3.0.3 in /tests/cognito by @dependabot in #163
• Support for ES256/ES384/ES512 by @ottokruse in #164
• Bump webpack from 5.88.2 to 5.94.0 in /tests/vite-app by @dependabot in #172
• Refactor fetching to support fetching non-JSON JWKS by @ottokruse in #167
• Bump vite from 5.3.2 to 5.3.6 in /tests/vite-app by @dependabot in #174
• Bump rollup from 4.18.0 to 4.22.4 in /tests/vite-app by @dependabot in #175
• fix/ecdsa verification to use raw signature format per jwa spec by @ottokruse in #179
• Add (very) minimal support for AWS ALB by @ottokruse in #180
• fix: actually use custom error object by @ottokruse in #182
• Feat/eddsa support by @ottokruse in #181
• feat: Allow issuer null by @ottokruse in #183
• v5.0.0 by @ottokruse in #184

Full Changelog: v4.0.1...v5.0.0

v4.0.1

What's Changed

• Bump vite from 2.9.13 to 2.9.16 in /tests/vite-app by @dependabot in #124
• Bump fast-xml-parser and @aws-sdk/client-cognito-identity-provider in /tests/cognito by @dependabot in #125
• Bump tough-cookie from 4.0.0 to 4.1.3 in /tests/cognito by @dependabot in #129
• Bump fast-xml-parser and @aws-sdk/client-cognito-identity-provider in /tests/cognito by @dependabot in #130
• Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #131
• Bump word-wrap from 1.2.3 to 1.2.4 in /tests/cognito by @dependabot in #132
• update cypress (v9 to v12), vite (v2 to v4) by @hakanson in #134
• fix: pin build to npm v9 by @hakanson in #143
• Bump postcss from 8.4.27 to 8.4.31 in /tests/vite-app by @dependabot in #139
• Bump @cypress/request and cypress in /tests/vite-app by @dependabot in #144
• Bump @babel/traverse from 7.15.4 to 7.23.2 in /tests/cognito by @dependabot in #140
• Bump @babel/traverse from 7.22.10 to 7.23.2 in /tests/vite-app by @dependabot in #142
• Bump @babel/traverse from 7.20.12 to 7.23.2 by @dependabot in #141
• Add sub claim to JWT standard fields by @kaira in #148
• Bump vite from 4.4.9 to 4.4.12 in /tests/vite-app by @dependabot in #150
• Bump vite from 4.4.12 to 4.5.2 in /tests/vite-app by @dependabot in #153
• Fix MSB 1 leading to negative modulus in bun by @ottokruse in #155
• Bump to v4.0.1 for npm release by @ottokruse in #156

New Contributors

• @kaira made their first contribution in #148

Full Changelog: v4.0.0...v4.0.1

v4.0.0

What's Changed

• Bump webpack from 5.70.0 to 5.76.1 in /tests/vite-app by @dependabot in #116
• Document decomposeJwt by @ottokruse in #117
• v4.0.0 by @ottokruse in #118

NOTE: #117 constitutes a breaking change, hence we created new major version v4.0.0, but you will only be impacted by this change, if you were doing this:

import { decomposeJwt } from "aws-jwt-verify/jwt"

That method has been renamed (to make it more clear) and must now be imported like so:

import { decomposeUnverifiedJwt } from "aws-jwt-verify/jwt";

Happy coding!

Full Changelog: v3.4.0...v4.0.0

v3.4.0

What's Changed

• Remove references to window by @Emilcrafter in #110
• Version sub package by @ottokruse in #112
• v3.4.0 by @hakanson in #113

New Contributors

• @Emilcrafter made their first contribution in #110

Full Changelog: v3.3.0...v3.4.0

v3.3.0

What's Changed

• Update dev dependencies by @ottokruse in #94
• Bump loader-utils from 2.0.2 to 2.0.3 in /tests/vite-app by @dependabot in #96
• Bump loader-utils from 2.0.3 to 2.0.4 in /tests/vite-app by @dependabot in #97
• Bump json5 from 2.2.0 to 2.2.3 by @dependabot in #101
• Bump json5 from 2.2.0 to 2.2.3 in /tests/cognito by @dependabot in #103
• Bump json5 from 2.2.1 to 2.2.3 in /tests/vite-app by @dependabot in #102
• Support TS module resolution NodeNext by @ottokruse in #104
• Fix some small code smells by @ottokruse in #105
• v3.3.0 by @ottokruse in #106

Full Changelog: v3.2.0...v3.3.0

v3.2.0

What's Changed

• Updated CDK version by @ottokruse in #76
• Document customization of HTTP options such as response timeout by @ottokruse in #77
• Bump terser from 5.12.1 to 5.14.2 in /tests/vite-app by @dependabot in #79
• Minor typo fix in README.md (#78) by @dakshamdev in #81
• Bump vite from 2.8.6 to 2.9.13 in /tests/vite-app by @dependabot in #85
• Update CloudFront Lambda@Edge in Usage Examples. by @tomiyan in #86
• Update README.md - fix dead link by @jirihofman in #91
• Use alg from JWT header if not specified on JWK by @hakanson in #80
• 3.2.0 by @ottokruse in #92

New Contributors

• @dakshamdev made their first contribution in #81
• @tomiyan made their first contribution in #86
• @jirihofman made their first contribution in #91

Full Changelog: v3.1.0...v3.2.0

v3.1.0

What's Changed

• Sync README.md with implementation: group --> groups by @ottokruse in #65
• Only verify for the JWK at hand, that it is a JWK intended for RSA signatures by @ottokruse in #70
• Documented how to use the generic RSA verifier with Cognito by @ottokruse in #74
• Release v3.1.0 by @ottokruse in #75

Full Changelog: v3.0.0...v3.1.0

v3.0.0

What's Changed

• Dependency update by @ottokruse in #58
• add web compatibility by @hakanson in #60
• Bump minimist from 1.2.5 to 1.2.6 in /tests/cognito by @dependabot in #63
• Bump minimist from 1.2.5 to 1.2.6 by @dependabot in #62
• v3.0.0 by @hakanson in #64

New Contributors

• @hakanson made their first contribution in #60
• @dependabot made their first contribution in #63

Full Changelog: v2.1.3...v3.0.0

v2.1.3

What's Changed

• TypeScript fix (add missing d.ts file to the NPM published package) by @ottokruse in #54

Full Changelog: v2.1.2...v2.1.3

v2.1.2

Reduced bundle size

• Clean up typescript configuration to avoid including types twice (both for ESM and common JS) and instead do it only once. This also resulted in a reduced bundle size for the library distribution.

Upgrades CDK package versions used in integration tests

• CDK packages in test/Cognito for integration tests are upgraded to bump up a dependency used by CDK - VM2 version to 3.9.4 . This is to address dependabot alert for VM2 version 3.9.3

What's Changed

• Clean-up typescript config by @ottokruse in #51
• Upgrade VM2 version by @leelalagudu in #52
• 2.1.2 by @leelalagudu in #53

Full Changelog: v2.1.1...v2.1.2