What's Changed

• Upgrade PyJWT by @ahopkins in https://github.com/ahopkins/sanic-jwt/pull/227

Full Changelog: https://github.com/ahopkins/sanic-jwt/compare/v1.7.0...v1.8.0

Added

• #213 Add samesite cookie option
• #214 Compat with Sanic 21.3+
• #189, #217 Documentation updates

Added

• Upgrade PyJWT to v2 and add support

Added

• Instant configuration into scoped decorator for inline config changes outside of protected.

Added

• Support for False and None scopes.

Changed

• Use request.args instead of request.query_args to resolve Depracation Warning.

Added

• #40. Page redirection for static page protection
• Support to be able to individually protect class-based view methods without the decorators property

Changed

• #148. Exception message on refresh token intialization

Fixed

• #147. protected decorator properly applied to built in views when initialized on a blueprint

Fixed

• #144 Security bug resolved on empty tokens

Added

• Custom claims
• Extra payload validation
• Configuration option: SANIC_JWT_DO_PROTECTION

Changed

• Invalid tokens now 401 instead of 403

Fixed

• Bug with _do_protect in @scoped decorator

Changed

• Exception handling to consistently have a exception and reasons key
• reasons in exception handling to be consistently formatted
• 400 responses for debug turned off, and 401 when turned on

Fixed

• #110. Preflight methods now properly handled
• #114. Proper use of utils.call to allow for sync and async retrieve_user functions
• #116. Proper error reporting on malformed tokens
• #118. Proper error reporting on expired token for /auth/me and /auth/refresh by applying @protected decorators

Added

• Ability to send authorization tokens via query string parameters

Changed

• Method of passing rquest object args and kwargs to scope handler

Added

• New handler method: override_scope_validator
• New handler method: destructure_scopes
• New decorator method: inject_user
• Decorator methods copied to Initialize class for convenience
• New convenience method for extracting user_id from request
• Feature for decoupling authentication mode for microservices
• Ability to have custom generated refresh tokens
• Subclasses are tested for consistency on Initialize

Changed

• Authentication.is_authenticated to Authentication._check_authentication
• Authentication.verify to Authentication._verify
• Authentication.get_access_token to Authentication.generate_access_token
• Authentication.get_refresh_token to Authentication.generate_refresh_token
• Authentication.retrieve_scopes to Authentication.extract_scopes
• Method for getting and setting configurations made dynamic

Fixed

• Verification that a custom payload extender supplies all of the enabled claims
• abort bug when using Sanic’s convenience method for exceptions

Fixed

• Typo in docs for refresh token page
• Custom endpoints passing parameters to BaseEndpoint

Added

• OPTIONS handler method for BaseEndpoint

Fixed

• Some tests for claims that were not using UTC timestamps
• Consistency of docs with class_views

Added

• Initialize class
• New methods for adding configuration settings
• Customizable components
• Customizable responses
• Ability to fallback to header based authentication if cookie based fails
• Initialize on a blueprint and isolate configuration

Fixed

• @protected implementation on class based views
• Usage of signing algorithms with public and private keys

Deprecated

• SANIC_JWT_PAYLOAD_HANDLER
• SANIC_JWT_HANDLER_PAYLOAD_EXTEND
• SANIC_JWT_HANDLER_PAYLOAD_SCOPES