jwtiny 1.2.2

Minimal, type-safe JWT validation library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

# Changelog

All notable changes to jwtiny will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [1.2.1] - 2025-11-03

### Added

- **HMAC algorithms** (always enabled): HS256, HS384, HS512
- **RSA algorithms** (via `rsa` feature): RS256, RS384, RS512
- **ECDSA algorithms** (via `ecdsa` feature): ES256, ES384
- **Remote JWKS fetching** (via `remote` feature): automatic key resolution from OpenID Connect providers
- **Type-safe validation pipeline** with compile-time enforced ordering:
  - `ParsedToken``TrustedToken``VerifiedToken``ValidatedToken``Token`
- **Algorithm confusion prevention** via explicit `AlgorithmPolicy` requirement
- **SSRF prevention** through mandatory issuer validation before key fetching
- **Constant-time HMAC comparison** using `constant_time_eq` crate
- **Claims validation**:
  - Temporal checks: `exp`, `nbf`, `iat`
  - Audience validation
  - Custom validation callbacks
  - Clock skew tolerance
  - Maximum token age (max_age)
- **Builder pattern API** via `TokenValidator` for declarative validation configuration
- **Algorithm-specific convenience constructors** for common use cases
- **Cryptographic backend support**:
  - `ring` (default) for RSA/ECDSA
  - `aws-lc-rs` (opt-in) for FIPS-compliant deployments

### Security

- **"none" algorithm rejection** per [RFC 8725](https://datatracker.ietf.org/doc/html/rfc8725)
- **Issuer validation** prevents SSRF attacks when using JWKS fetching
- **Algorithm policy enforcement** prevents accepting unexpected algorithms
- **Constant-time signature comparison** mitigates timing-based key recovery attacks
- **Mandatory issuer check** before fetching keys from remote endpoints

### Documentation

- Comprehensive README with security best practices
- Type-safe validation flow diagrams
- Code examples for all algorithm families
- JWKS integration examples
- Security considerations and attack prevention guidance
- Cargo.toml metadata for crates.io and docs.rs integration