# Changelog

## v1.0.0

Initial release.

### Signers and Verifiers

- `Verifier` interface — `Verify(tokenString string) (*jwt.Token, error)`
- `Signer` interface — extends `Verifier`; adds `Sign(claims jwt.Claims) (string, error)`
- `NewHMACSigner(secret []byte) Signer` — HMAC-SHA256 (HS256)
- `NewRSASigner(privateKey *rsa.PrivateKey) Signer` — RSA-SHA256 (RS256); public key derived from private
- `NewRSASignerFromPEM(pemKey []byte) (Signer, error)` — parses PKCS#8 or PKCS#1 PEM
- `NewRSAPublicKeyVerifier(publicKey *rsa.PublicKey) Verifier` — verify-only; use when the service never issues tokens
- `NewRSAPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error)` — parses PKIX or PKCS#1 PEM
- `NewECSigner(privateKey *ecdsa.PrivateKey) Signer` — ECDSA; algorithm auto-detected from curve (P-256→ES256, P-384→ES384, P-521→ES512)
- `NewECSignerFromPEM(pemKey []byte) (Signer, error)` — parses PKCS#8 PEM
- `NewECPublicKeyVerifier(publicKey *ecdsa.PublicKey) Verifier` — EC verify-only
- `NewECPublicKeyVerifierFromPEM(pemKey []byte) (Verifier, error)` — parses PKIX PEM
- All `Verify` implementations use `jwt.WithJSONNumber()` — preserves large int64 bitmasks through JSON round-trip

### Token issuance

- `TokenConfig` struct — `AccessTTL time.Duration`, `RefreshTTL time.Duration`, `Issuer string`
- `TokenPair` struct — `AccessToken string`, `RefreshToken string`, `ExpiresIn int64`
- `IssueTokenPair(signer, uid, customClaims, cfg) (TokenPair, error)` — signs access + refresh pair; `customClaims` merged at top level of access token; refresh token carries only `sub/iss/iat/exp/jti/fam`

### Token refresh

- `Blacklist` interface — `IsRevoked(ctx, jti) (bool, error)` + `Revoke(ctx, jti, ttl) error`; satisfied by `cache-valkey` via duck typing
- `ErrTokenRevoked` — sentinel error; use `errors.Is(err, authjwt.ErrTokenRevoked)` to detect replay attacks
- `RefreshTokenPair(ctx, signer, refreshToken, bl, cfg, customClaims) (TokenPair, error)` — validates token, checks blacklist, revokes old JTI, issues new pair; `customClaims` re-embedded in new access token

### HTTP middleware

- `AuthMiddleware(logger, verifier, publicPaths) func(http.Handler) http.Handler` — verifies Bearer tokens; calls `authmw.SetTokenData` on success; routes 401 through `httputil.Error`; `publicPaths` support `path.Match` wildcards
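The refresh sequence listed under "Token refresh" (validate, check blacklist, revoke the old JTI, issue a successor) as an added example; this is not the package's own code. `hmacSigner` is a hypothetical stdlib-only stand-in for `NewHMACSigner` that signs a two-part `base64url(claims).base64url(HMAC-SHA256)` token and returns decoded claims rather than a `*jwt.Token`; `memBlacklist` is a constructed in-memory stand-in for the `cache-valkey` implementation of the `Blacklist` interface; `refreshRotate` returns only the new refresh token, not a `TokenPair`, and the claim struct keeps `sub/exp/jti/fam` while omitting `iss/iat`. The JTI is revoked for exactly the old token's remaining lifetime, which is the TTL argument the page's `Revoke(ctx, jti, ttl)` shape calls for, and a second presentation of the same token surfaces as `ErrTokenRevoked`.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// ErrTokenRevoked mirrors the sentinel error named in the changelog.
var ErrTokenRevoked = errors.New("token revoked")

// refreshClaims is the changelog's refresh claim set minus iss/iat, which add nothing to the flow shown here.
type refreshClaims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
	Fam string `json:"fam"`
}

// hmacSigner is a hypothetical stand-in for NewHMACSigner: stdlib-only tokens of the form
// "base64url(claims).base64url(HMAC-SHA256)", returning decoded claims instead of a *jwt.Token.
type hmacSigner struct{ secret []byte }

var b64 = base64.RawURLEncoding

func (s hmacSigner) Sign(c refreshClaims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	payload := b64.EncodeToString(body)
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(payload))
	return payload + "." + b64.EncodeToString(m.Sum(nil)), nil
}

// Verify checks the MAC in constant time before trusting any claim, then checks expiry.
func (s hmacSigner) Verify(tok string, now time.Time) (refreshClaims, error) {
	var c refreshClaims
	payload, sigStr, ok := strings.Cut(tok, ".")
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(payload))
	sig, err := b64.DecodeString(sigStr)
	if !ok || err != nil || !hmac.Equal(sig, m.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	if raw, err := b64.DecodeString(payload); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// Blacklist is the changelog's interface shape; memBlacklist is a constructed, single-goroutine stand-in for cache-valkey.
type Blacklist interface {
	IsRevoked(ctx context.Context, jti string) (bool, error)
	Revoke(ctx context.Context, jti string, ttl time.Duration) error
}

type memBlacklist map[string]time.Time

func (b memBlacklist) IsRevoked(_ context.Context, jti string) (bool, error) {
	exp, ok := b[jti]
	return ok && time.Now().Before(exp), nil // an entry lapses together with the token it guards
}

func (b memBlacklist) Revoke(_ context.Context, jti string, ttl time.Duration) error {
	b[jti] = time.Now().Add(ttl)
	return nil
}

// refreshRotate is the check-then-revoke-then-issue sequence: a JTI already on the blacklist means
// the token was presented twice (replay, ErrTokenRevoked); otherwise the JTI is revoked for the
// token's remaining lifetime and a successor with a fresh JTI in the same family is signed.
func refreshRotate(ctx context.Context, s hmacSigner, token string, bl Blacklist, now time.Time, ttl time.Duration) (string, error) {
	c, err := s.Verify(token, now)
	if err != nil {
		return "", err
	}
	if revoked, err := bl.IsRevoked(ctx, c.Jti); err != nil {
		return "", err
	} else if revoked {
		return "", ErrTokenRevoked
	}
	if err := bl.Revoke(ctx, c.Jti, time.Unix(c.Exp, 0).Sub(now)); err != nil {
		return "", err
	}
	var id [16]byte
	rand.Read(id[:]) // crypto/rand.Read never returns an error (Go 1.24+); fresh JTI for the successor
	return s.Sign(refreshClaims{Sub: c.Sub, Exp: now.Add(ttl).Unix(), Jti: b64.EncodeToString(id[:]), Fam: c.Fam})
}
```

Call `refreshRotate` twice with the same token: the first call succeeds and returns a successor, the second fails with `ErrTokenRevoked`, which is the `errors.Is` check the changelog recommends for replay detection. The blacklist entry only needs to outlive the token it guards, so its TTL is derived from the token's `exp` rather than from a fixed constant.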
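The middleware listed under "HTTP middleware" as an added example, written against the standard library only; it is not the package's code. `Verifier` is simplified (hypothetical) to return the subject string instead of a `*jwt.Token`, `stubVerifier` is a constructed verifier that accepts exactly one token, and `subjectKey`/`SubjectFrom` stand in for `authmw.SetTokenData`; the 401 path calls `http.Error` directly where the package routes through `httputil.Error`. The `logger` argument is omitted. The part worth checking is `publicPaths`: `path.Match` treats `*` as a single-segment wildcard, so `/public/*` exempts `/public/docs` but still requires a token for `/public/a/b`, and a malformed pattern fails closed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net/http"
	"path"
	"strings"
)

// Verifier is the verify-only shape from the changelog, simplified here (hypothetical) to
// return the subject claim instead of a *jwt.Token.
type Verifier interface {
	Verify(tokenString string) (subject string, err error)
}

// stubVerifier is a constructed verifier for this demo: exactly one token string is valid.
type stubVerifier struct{ valid, subject string }

func (v stubVerifier) Verify(tok string) (string, error) {
	if tok != v.valid {
		return "", errors.New("invalid token")
	}
	return v.subject, nil
}

// isPublic applies path.Match to each configured pattern. Caveat: '*' matches within one
// path segment only, so "/public/*" covers "/public/x" but not "/public/a/b"; a malformed
// pattern is reported as an error and treated as no match, so a typo fails closed.
func isPublic(publicPaths []string, reqPath string) bool {
	for _, pat := range publicPaths {
		if ok, err := path.Match(pat, reqPath); err == nil && ok {
			return true
		}
	}
	return false
}

// bearerToken extracts the credential from "Authorization: Bearer <token>". The scheme is
// compared case-insensitively, as RFC 6750 requires, and an empty credential is rejected.
func bearerToken(r *http.Request) (string, bool) {
	const scheme = "bearer "
	h := r.Header.Get("Authorization")
	if len(h) <= len(scheme) || !strings.EqualFold(h[:len(scheme)], scheme) {
		return "", false
	}
	tok := strings.TrimSpace(h[len(scheme):])
	return tok, tok != ""
}

// subjectKey is the request-context key for the verified subject; it stands in for
// authmw.SetTokenData, whose stored payload the changelog does not describe.
type subjectKey struct{}

// SubjectFrom returns the subject the middleware verified for this request, if any.
func SubjectFrom(ctx context.Context) (string, bool) {
	s, ok := ctx.Value(subjectKey{}).(string)
	return s, ok
}

// AuthMiddleware passes public paths through untouched and otherwise requires a valid Bearer
// token, answering 401 with a WWW-Authenticate challenge on any failure.
func AuthMiddleware(verifier Verifier, publicPaths []string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if isPublic(publicPaths, r.URL.Path) {
				next.ServeHTTP(w, r)
				return
			}
			tok, ok := bearerToken(r)
			if !ok {
				w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
				http.Error(w, "missing bearer token", http.StatusUnauthorized)
				return
			}
			sub, err := verifier.Verify(tok)
			if err != nil {
				w.Header().Set("WWW-Authenticate", `Bearer realm="api", error="invalid_token"`)
				http.Error(w, "invalid token", http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), subjectKey{}, sub)))
		})
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux.HandleFunc("/api/me", func(w http.ResponseWriter, r *http.Request) {
		sub, _ := SubjectFrom(r.Context())
		fmt.Fprintln(w, "subject:", sub)
	})
	// "constructed-demo-token" is a placeholder credential for local testing only.
	h := AuthMiddleware(stubVerifier{valid: "constructed-demo-token", subject: "user-42"}, []string{"/health", "/public/*"})(mux)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Run it and request `/health` without a header, then `/api/me` with and without `Authorization: Bearer constructed-demo-token`, to see the public exemption, the challenge on the unauthenticated request, and the subject reaching the handler. If nested public paths are needed, list them explicitly or add a `/public/*/*` pattern rather than expecting `*` to span segments.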