⚠️ Upgrade Notes
JWT: Minimum Key Length Now Enforced
If you are using the JWT authenticator with an HMAC algorithm (HS256, HS384, HS512), note that the underlying firebase/php-jwt library was upgraded to v7, which now enforces minimum key lengths at runtime. If your secret is too short, every JWT encode and decode call will throw: LogicException: Cannot encode/decode JWT: Provided key is too short.
How to fix it? Generate a new key:
php -r 'echo base64_encode(random_bytes(32));' # HS256
php -r 'echo base64_encode(random_bytes(48));' # HS384
php -r 'echo base64_encode(random_bytes(64));' # HS512Then update your configuration:
// app/Config/AuthJWT.php
'secret' => '<output of the command above>',Warning
Existing tokens signed with the old (short) secret will become invalid after updating.
Users will need to re-authenticate to obtain new tokens.
What's Changed
Fixed Bugs
- fix:
withPermissions()for users without permissions by @michalsn in #1290 - fix: check for empty actionClass so that actions can be disabled via .env params by @najdanovicivan in #1286
Enhancements
- PHP 8.5 compatibility
- feat: ignore robots when accessing magic link by @michalsn in #1294
- feat: add bot detection for ActionController by @michalsn in #1295
- feat: withIdentities/withGroups/withPermissions now work with first() by @michalsn in #1315
Translations
- lang: [sk] update Slovak translations for invalid email and token by @jozefrebjak in #1279
- lang: [it] Added the remaining translations for the Italian language by @Franky5831 in #1282
New Contributors
- @Franky5831 made their first contribution in #1282
- @najdanovicivan made their first contribution in #1286
Full Changelog: v1.2.0...v1.3.0
Contributors
michalsn, najdanovicivan, and 2 other contributors