What's Changed
- chore(deps): bump KineticCafe/actions-dco from 2.1.1 to 3.0.0 by @dependabot[bot] in #1637
- update http-jwt to support multiple issuers, cognito support
Breaking changes (but no one is using the packages yet)
@middy/http-jwt
- Removed secretKey option. Provide the verification key via internalKey (populated upstream by e.g. @middy/kms, @middy/ssm, @middy/secrets-manager).
- Renamed cookieName → tokenCookieName.
@middy/http-paseto
- Renamed cookieName → tokenCookieName.
Features
@middy/http-jwt
- New issuers option for multi-issuer JWKS verification: { [iss]: { jwksUri, audience?, algorithm? } }, with built-in caching, cooldown, and prefetch (cacheExpiry, cooldownDuration, disablePrefetch).
- New token sources: tokenHeaderName, tokenQueryStringName (alongside tokenCookieName). Default is still Authorization: Bearer.
- algorithm now accepts a string or array of strings; pinned at factory time to prevent alg-substitution attacks.
- Expanded KMS keySpec compatibility table (now covers RS*/PS* for RSA, ES* for EC, EdDSA for Ed25519). Configured algorithm is validated against the keySpec and verification fails closed on mismatch.
- New setToContext option to expose the verified payload on request.context (default false, internal-only).
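The http-jwt options above, as an added illustration that is not the package's own code: a small router that reads the token from the header, cookie or query-string source, enforces the algorithm set pinned at factory time, and resolves the issuer's jwksUri and audience from the issuers map. The issuer URLs, the makeToken helper and the createTokenRouter name are constructed for this example; signature verification against the selected JWKS is left to the middleware.

```javascript
// Added example (not @middy/http-jwt source). Mirrors the option semantics:
// token source order, alg pinning at factory time, per-issuer JWKS routing.
const b64url = {
  decode: (s) => JSON.parse(Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8')),
  encode: (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_')
}

// Builds an unsigned token for constructed test input; the signature segment is a dummy.
const makeToken = (header, payload) => `${b64url.encode(header)}.${b64url.encode(payload)}.sig`

function createTokenRouter ({ issuers, algorithm, tokenHeaderName = 'authorization', tokenCookieName, tokenQueryStringName }) {
  // Pin the accepted algorithms once; a request can never widen this set.
  const pinned = Object.freeze([].concat(algorithm ?? []))
  if (pinned.length === 0) throw new Error('algorithm must be pinned at factory time')
  const issuerMap = Object.freeze({ ...(issuers ?? {}) })

  // Default source is Authorization: Bearer; header names are assumed lowercased (API Gateway style).
  const extract = (event) => {
    const h = event.headers?.[tokenHeaderName]
    if (h) return h.replace(/^Bearer\s+/i, '')
    if (tokenCookieName && event.headers?.cookie) {
      const m = event.headers.cookie.match(new RegExp(`(?:^|;\\s*)${tokenCookieName}=([^;]+)`))
      if (m) return m[1]
    }
    if (tokenQueryStringName) return event.queryStringParameters?.[tokenQueryStringName]
    return undefined
  }

  return (event) => {
    const token = extract(event)
    if (!token) return { ok: false, reason: 'missing token' }
    const parts = token.split('.')
    if (parts.length !== 3) return { ok: false, reason: 'malformed token' }
    let header, payload
    try { header = b64url.decode(parts[0]); payload = b64url.decode(parts[1]) } catch { return { ok: false, reason: 'malformed token' } }
    if (!header || !payload) return { ok: false, reason: 'malformed token' }
    // Fail closed: the token's alg must be in the pinned set (blocks alg substitution such as "none")...
    if (!pinned.includes(header.alg)) return { ok: false, reason: `alg ${header.alg} not pinned` }
    const issuer = issuerMap[payload.iss]
    if (!issuer) return { ok: false, reason: `unknown issuer ${payload.iss}` }
    // ...and in the issuer's own algorithm set when one is configured for it.
    const issuerAlgs = [].concat(issuer.algorithm ?? pinned)
    if (!issuerAlgs.includes(header.alg)) return { ok: false, reason: `alg ${header.alg} not allowed for issuer` }
    // The caller fetches issuer.jwksUri (cached, with cooldown) and verifies the signature and audience.
    return { ok: true, jwksUri: issuer.jwksUri, audience: issuer.audience, alg: header.alg, iss: payload.iss }
  }
}
```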
@middy/http-paseto
- New tokenHeaderName and tokenQueryStringName sources.
- New setToContext option (default false).
Full Changelog: 7.6.0...7.6.1