Fixed:

• Fixed a potential security issue that made JWT verification vulnerable to timing attacks. JWT verification will now always check all bytes, even if it has already detected a miss.

Fixed:

• Updated to latest crypto digest methods.

API Docs: https://api.vapor.codes/jwt/3.0.0-rc.2.1/JWT/

Milestone: 3.0.0-rc.2.1

New:

• Vapor is now running on Swift NIO!

Milestone

New:

• Added RS256, RS384, and RS512 signature support

import Crypto
import JWT

// create public and private key (only public required for verification)
let privateKey: Data = ...
let publicKey: Data = ...
let privateSigner = JWTSigner.rs256(key: .private2048(privateKey))
let publicSigner = JWTSigner.rs256(key: .public2048(publicKey))

// serialize jwt (requires private key)
let payload: TestPayload = ...
var jwt = JWT(payload: payload)
_ = try jwt.sign(using: publicSigner) // throws, can't sign w/ public signer
let data = try jwt.sign(using: privateSigner)

// parse jwt (public and private key work)
let parsed = try JWT<TestPayload>(from: data, verifiedUsing: publicSigner)
let parsed2 = try JWT<TestPayload>(from: data, verifiedUsing: privateSigner) // also works
print(parsed.payload)
print(parsed2.payload)

Milestone