Last Update: 2016-09-22 13:35:58 -0700

jwt Feature Additions/Improvements

  • JSON format responses now have the response content type set to application/json.

  • The jwt feature now does not break if HTTP Basic or Digest authentication is used.

  • If jwt_check_accept? is true, Rodauth will return a 406 error if a request Accept header is provided and it does not indicate that JSON is acceptable.

  • Many new configuration methods have been added:

    • invalid_jwt_format_error_message: The error message to use when a JWT with an invalid format is submitted in the Authorization header.

    • json_accept_regexp: The regexp to use to check the Accept header for JSON if jwt_check_accept? is true.

    • json_not_accepted_error_message: The error message to display if jwt_check_accept? is true and the Accept header is present but does not match json_request_content_type_regexp.

    • json_request_content_type_regexp: The regexp to use to recognize a request as a json request.

    • json_response_content_type: The content type to set for json responses, application/json by default.

    • jwt_authorization_ignore: A regexp matched against the Authorization header, which skips JWT processing if it matches. By default, HTTP Basic and Digest authentication are ignored.

    • jwt_authorization_remove: A regexp to remove from the Authorization header before processing the JWT. By default, a Bearer prefix is removed.

    • jwt_check_accept?: Whether to check the Accept header to see if the client supports JSON responses, false by default for backwards compatibility.

    • session_jwt: An encoded JWT for the current session.

    • use_jwt?: Whether to use the JWT in the Authorization header for authentication information. If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if only_json? is true, or if the request uses a json content type.

jwt Feature Backwards Compatibility Issues

  • The only_json? setting in the jwt feature is now only true by default if the :json=>:only option was used when loading the rodauth plugin into the roda app. Previously, it was always true, but it only was considered in requests to Rodauth endpoints. It now also is considered in most Rodauth calls, and if true will use an empty session instead of falling back to the rack session if an Authorization header is not present.

  • Previously, the jwt feature only handled requests where the request content-type is JSON. It now also handles non-JSON requests if the Authorization header is present or if only_json? is true.

  • If an invalid JWT format is used in the Authorization header, Rodauth now returns a 400 error, instead of raising an exception.

Other Improvements

  • A template_opts configuration method has been added, for overriding the view/render options. One possible use for this is to specify a non-default layout.