ReallySimpleJWT Versions Save

This release upgrades the ReallySimpleJWT library to work with PHP 8 and above. It also makes some significant design tweaks to the underlying codebase which should empower further improvements and functionality. The core interfaces for the library remain unchanged which should minimise the impact of the release.

The main design changes are the removal of the Secret class and interface, secret validation is now handled in the relevant encoding class. Token structure validation is now enforced in the Jwt value object class and not the Validator class. The Validate class now depends on the Parsed class, not the Parse class. This simplifies the Parse class and means token claim data access is only in one place.

Additional Work:

• Upgraded dependent packages to work with PHP 8.
• Added the new mixed and union types available in PHP 8.
• Removed the secret property from the Jwt class.
• Token secrets now validated by new EncodeHS256Strong class.
• Added PHP CS Fixer to CI pipeline.
• Removed unused import statements.
• Ensured declare strict types were applied everywhere.
• Updated comments and readme documentation.
• Fixed issues with CI pipeline SonarCloud integration.
• Fixed issues with CI pipeline Infection PHP integration.
• Updated and Modified exception messages and codes.

To Do:

• Improve the SonarCloud sed command implementation in the CI pipeline.
• Look into the issue with the user_id and sub claims.
• Fix issues with Infection PHP Implementation.

Notes:

• Welcome to the world Reuben I love you and your big brother Jacob! ❤️

This is the Release Candidate for version 5.0.0, only minor fixes will be made from this point until the release. The main change for this release is ensuring the documentation is correct both in the code comments and in the README.

Additional Work:

• Integrated with Sonar Cloud Branch Analysis.
• Fixed and updated the error codes.
• Minor improvement to secret validation.

To Do:

• Improve the sed command implementation in the CI pipeline.

This is the first release for version 5.0 of ReallySimpleJWT and introduces a number of significant architectural changes. It is a Beta release rather than an Alpha as it should work without any significant issues.

Version 5.0 further simplifies the code design and architecture, this should result in a more flexible library. And it should enable the introduction of Public-Private Keys for signature and token security.

The release will also upgrade the library to support PHP 8.1 and drop support for PHP 7.4. This needs to be done to enable the use of all the new features in PHP 8.0.

Additional Work:

• Upgraded most dependencies.
• Couldn’t upgrade PHP Infection due to a bug in a recent version.
• Added new PHP 8 mixed and union types where necessary.
• Added PHP CS Fixer Checks to CI.
• Fixed missing strict types and unused import statements.
• Improved property names.
• JWT Class now validates itself and ensures the token structure is correct on construction.
• Encode classes now consume the secret on construction for signature generation, rather than the Build class.
• Added EncodeHS256Strong class which enforces strong secrets.
• Deleted Secrets Validator class as this is no longer needed due to the introduction of EncodeHS256Strong class.
• Reconfigured Parse and Parsed classes. Parse class only parses the token, it no longer provides access to token data. This is now taken care of solely by the Parsed class.
• Validate class now consumes Parsed class, not Parse class.

To Do:

• Update documentation.
• Update code comments.
• Update exception codes.

This release fixes a bug with the way the package validates Not Before claims in tokens. The Not Before claim defines when a token is usable from, it should have validated when the nbf claim matched the current time, but it didn't. This has been resolved.

See issue #69 for further details.

Additional Work:

• Updated PHP Bench Version and Config.
• Removed PHP 8 Checks from CI Pipeline.
• Updated comments in Validator class so functionality is clearer.

This security patch adds a check to the Tokens::validate() method to ensure the algorithm provided is not set to none as this may result in token misuse.

Additional Work:

• Updated README documentation.

This security patch adds a check to the Parse::validate() method to ensure the algorithm provided is not set to none as this may result in token misuse.

Additional Work:

• Fixed failing CI tasks.
• Updated README documentation.

This release makes some documentation improvements to the README based on issue #63 to make validation method usage clearer in the Token class.

Additional Work:

• Fixed PHP version support badge in README.
• Fixed CI Pipeline integration with Stryker Dashboard for Mutation Score Index.

Version 4.0.0 of ReallySimpleJWT is a significant release as it makes numerous interface changes to improve the composability of the package. It also upgrades PHP support from version 7.2 and above to version 7.4 and above.

The core Token class interface mainly remains unaffected by this release, but a lot of what sits behind it has changed. The Token class is now just a static interface wrapper around the new Tokens class. This enables developers to instantiate and inject the core ReallySimpleJWT functionality if they chose too.

In addition, the validation functionality which existed in the Parse class has been abstracted away and now just exists in the Validate and Helper\Validator classes. Also a number of interfaces for encoding, decoding and validation have been created, this increases composability and allows developers to amend functionality to meet their needs.

Additional Work:

• Updated GitHub Actions CI to work with PHP 7.4 and PHP 8.0.
• Updated comment and README documentation.
• Upgraded PHPUnit Config for PHP 7.4 and above.
• Separated tests into two test suites, Unit and Integration.
• Created class specific Exception classes.
• Abstracted decode functionality away from Encode class into separate Decode class.
• Moved Encode class to Encoders namespace and made it HS256 specific.
• Added PHP 7.4 property type information to classes.
• Bumped PHPStan strictness to level 8.
• Deleted Errors Trait as no longer needed.
• Created Base64 trait to encapsulate functionality.

To Do:

• Add BuildValidate Benchmark Test.
• Add Covers Annotations to tests.
• Abstract documentation away from README, look into documentation tools.
• Fix PHP 8.0 CI pipeline to work correctly with supported packages.

This is the Release Candidate for version 4.0.0 of the Really Simple JWT package. No further interface or functional changes will be made before the 4.0.0 release, only bug fixes and documentation updates.

The release focuses on documentation improvements to the README and the code comments. As a result of this a number of functionality and interface improvements have been made to make the code cleaner and clearer.

Additional Work:

• Separated out signature and structure validation from validate method into two methods.
• Tidied up algorithm validation so it is more secure.
• Added name consistency between Token and Tokens class methods.
• Created Token Integration Tests.
• Created Tokens Exception class.
• Deleted Signature dead code.
• Renamed EncodeHs256 class to EncodeHS256.
• Moved DecodeHs256 class to Decode class.

To Do:

• Add BuildValidate Benchmark Test
• Complete comments documentation.
• Complete README documentation.
• Add Covers Annotations to tests.
• Correct use statements in exception classes.

This Beta release gets version 4.0.0 into a working state and completes the design changes. Primarily it fixes the unit tests, integration tests and benchmark tests so they now all work with the new interfaces.

Additional Work:

• Fixed Namespacing.
• Improved types and doc types.
• Got CI Pipeline working with PHP 7.4 and 8.0
• Bumped PHPStan strictness from 7 to 8.
• Created separate Unit and Integration test suites.

ToDo:

• Add BuildValidate Benchmark Test
• Add Token and Tokens integration tests.
• Tidy up and complete comments documentation.
• Update README documentation.
• Add Covers Annotations to tests.
• Improve validate algorithm functionality.