Changelog
All notable changes to this project will be documented in this file, in reverse chronological order by release.
2.4.0 - 2018-04-03
Added
- Callback now also receives the raw token in its arguments (#93).

```php
$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub",
    "callback" => function ($request, $response, $arguments) {
        print_r($arguments["token"]);
    }
]));
```
Changed
2.3.3 - 2017-07-12
Added
2.3.2 - 2017-02-27
This is a security release.
`RequestPathRule` now removes multiple slashes from the URI before determining whether the path should be authenticated or not. For an HTTP client, `/foo` and `//foo` are different URIs and both are technically valid according to RFC 3986. On the server side, however, it depends on the implementation, and often `/foo`, `//foo` and even `/////foo` are treated as the same route.
Different PSR-7 implementations behaved in different ways. Diactoros removes multiple leading slashes. By default Slim does not alter any slashes, but when installed in a subfolder Slim removes all of them.

This means that if you were authenticating a subfolder, for example `/api`, and Slim was installed in the document root, it was possible to bypass authentication by requesting `//api`. The problem did not exist if Slim was installed in a subfolder. Diactoros was not affected.
```php
$app->add(new \Slim\Middleware\JwtAuthentication([
    "path" => "/api",
    "secret" => "supersecretkeyyoushouldnotcommittogithub"
]));
```
If you were using the default setting of authenticating all routes, you were not affected.
```php
$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub"
]));
```
Fixed
- Bug #50 where in some cases it was possible to bypass authentication by adding multiple slashes to request URI.
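The slash-collapsing check that this release adds, shown as an added illustration in PHP 8 that is not the middleware's own code. The `PathRule` class, its method names and the sample request paths are constructed for the example; it compares the pre-fix raw comparison with the normalized one so the `//api` bypass and its fix are both visible on the same inputs.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal path rule mirroring the 2.3.2 fix: a route is only
// considered protected or open after runs of slashes have been collapsed.
final class PathRule
{
    /** @var string[] Normalized path prefixes that require authentication. */
    private array $protected;

    /** @param string[] $protected Path prefixes such as "/api". */
    public function __construct(array $protected)
    {
        // Normalize the configured prefixes too, so "//api" in config behaves like "/api".
        $this->protected = array_map([self::class, 'normalize'], $protected);
    }

    /** Collapse any run of slashes ("/////api/users" -> "/api/users"). */
    public static function normalize(string $path): string
    {
        $normalized = preg_replace('#/+#', '/', $path);
        return $normalized === '' ? '/' : $normalized;
    }

    /** Pre-fix behaviour: the raw request path is compared against the prefixes. */
    public function requiresAuthRaw(string $path): bool
    {
        return $this->matches($path);
    }

    /** Post-fix behaviour: the path is normalized before comparison. */
    public function requiresAuth(string $path): bool
    {
        return $this->matches(self::normalize($path));
    }

    private function matches(string $path): bool
    {
        foreach ($this->protected as $prefix) {
            // Exact match, or a sub-path under the prefix ("/api/users" under "/api").
            // The trailing slash prevents "/apix" from matching "/api".
            if ($path === $prefix || str_starts_with($path, rtrim($prefix, '/') . '/')) {
                return true;
            }
        }
        return false;
    }
}

$rule = new PathRule(['/api']);

// Constructed sample request paths, including the multi-slash variants from the advisory.
$samples = ['/api', '/api/users', '//api', '/////api/users', '/apix', '/public'];

foreach ($samples as $path) {
    printf(
        "%-18s raw: %-5s normalized: %s\n",
        $path,
        $rule->requiresAuthRaw($path) ? 'auth' : 'open',
        $rule->requiresAuth($path) ? 'auth' : 'open'
    );
}
```

With the raw comparison, `//api` and `/////api/users` are reported as open even though the server routes them to the protected handler; after normalization every spelling of the route is classified the same way. A useful regression check in your own tests is to assert that `requiresAuth()` returns the same value for a protected path and for each multi-slash variant of it.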