v5.0.0

@ottokruse ottokruse released this 08 Jan 08:41
b291c6c

Notable new features in v5.0.0:

  • Support for ECDSA and EdDSA algorithms:
    • ES256
    • ES384
    • ES512
    • Ed25519
    • Ed448
  • Padding characters are now allowed (even though they are non-standard), so that e.g. AWS ALB JWTs can be verified with this library. Work is still underway to make that easier; see #176.
  • The default response timeout of the JWKS fetcher was increased from 1500 ms to 3000 ms, because multiple users reported that the previous 1500 ms was too low: they were hitting timeouts too often. We believe 3000 ms is a better, more reasonable default value.
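
To illustrate the padding bullet above, here is an added example (not code from aws-jwt-verify or its authors): a JWT segment decoder that rejects "=" padding by default and tolerates it on request. The names decodeSegment, decodeJwtParts and strictRejects and the sample token are assumptions made up for this sketch, and no signature is verified.

```javascript
// Added example: illustrative only, not aws-jwt-verify source code.
const STRICT = /^[A-Za-z0-9_-]+$/; // RFC 7515 base64url: no "=" allowed
const PADDED = /^[A-Za-z0-9_-]+={0,2}$/; // same alphabet, trailing "=" tolerated

// decodeSegment is a hypothetical helper name.
function decodeSegment(segment, allowPadding) {
  if (!(allowPadding ? PADDED : STRICT).test(segment)) {
    throw new Error("segment is not valid base64url");
  }
  const unpadded = segment.replace(/=+$/, "");
  const hadPadding = unpadded.length !== segment.length;
  // Padding, when present, must round the length up to a multiple of 4,
  // and no base64 string has an unpadded length with length % 4 === 1.
  if ((hadPadding && segment.length % 4 !== 0) || unpadded.length % 4 === 1) {
    throw new Error("segment has inconsistent length or padding");
  }
  return JSON.parse(Buffer.from(unpadded, "base64url").toString("utf8"));
}

function decodeJwtParts(jwt, { allowPadding = false } = {}) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("JWT must have exactly 3 segments");
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: decodeSegment(headerB64, allowPadding),
    payload: decodeSegment(payloadB64, allowPadding),
    // The signature covers the segments exactly as received, so the
    // signing input keeps any padding; never re-encode before verifying.
    signingInput: `${headerB64}.${payloadB64}`,
    signatureB64,
  };
}

// Constructed sample: padded segments, placeholder signature (not verified).
const toPadded = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_");
const sampleJwt = [
  toPadded({ alg: "ES256", kid: "k1" }),
  toPadded({ sub: "user-1" }),
  "c2ln",
].join(".");

// True when the default (strict) mode refuses the token.
function strictRejects(jwt) {
  try { decodeJwtParts(jwt); return false; } catch { return true; }
}
```

Tolerating padding only changes how the segments are decoded; the bytes fed to signature verification must stay the received strings, padding included.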

Breaking changes

This release includes breaking changes, hence moving to major version 5.0.0:

  • Dropped support for Node.js 14, now 16 is the minimum.
  • The fetchJson interface was changed and renamed to fetch. Thus the JsonFetcher was renamed to Fetcher, and corresponding changes were made in the SimpleJwksCache; see #167. This affects users who were using the SimpleJsonFetcher, potentially to increase the response timeout (maybe that's no longer needed now, as we raised the default value from 1500 ms to 3000 ms).
  • It is now allowed to use an explicit null as issuer when creating the verifier, to cater for issuers that create JWTs without an iss field (which is non-standard); see #183. Previously, you couldn't create a verifier for issuer null, and JWTs without an iss field would always throw JwtInvalidIssuerError. This change is likely breaking for no one, but technically it is a breaking change. So if your code was explicitly using JwtInvalidIssuerError (e.g. because you imported it), check that it still TS-compiles and works.
  • We renamed the JwtRsaVerifier to JwtVerifier, as it now handles ECDSA and EdDSA too, but created a top-level (immediately deprecated) alias to JwtVerifier, so if you do import { JwtRsaVerifier } from "aws-jwt-verifier", that still works. This will break, though: import { JwtRsaVerifier } from "aws-jwt-verifier/jwt-rsa". It should become import { JwtVerifier } from "aws-jwt-verifier/jwt-verifier" (if for some reason you were importing like that and not from the top level).

What's Changed

Full Changelog: v4.0.1...v5.0.0