
Releases: aswinshenoy/chowkidar

v0.3.2

27 Dec 07:48

The JWT Authentication Extension had a critical vulnerability: user authentication state persisted across different requests because Strawberry reuses extension instances. This could lead to session fixation, where a user could automatically inherit the authentication state of a previously logged-in user without providing credentials.

Issue:

  • The extension class maintains authentication state (userID, tokens, etc.) as class attributes
  • Strawberry can reuse extension instances across different requests
  • This caused authentication state to leak between requests, essentially sharing sessions between different users

Fix:

  • Introduced a dedicated _init_request_state() method to reset all state variables
  • Removed state initialization from __init__ since the extension instance might be reused
  • Added explicit state reset at the beginning of each request in on_request_start()
  • Updated documentation to explain the state management approach

This ensures each request starts with a fresh authentication state, preventing any session leakage between requests while maintaining the original functionality of the extension.

Testing:

  • Verified that authentication state is properly isolated between requests
  • Confirmed that switching between different browsers/incognito modes requires proper authentication
  • Validated that existing token refresh and validation logic continues to work as expected

This fix is compatible with Strawberry GraphQL >0.243.0 and maintains backward compatibility with existing usage patterns.
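As an added illustration (not chowkidar's or Strawberry's own code), the following pure-Python simulation reproduces the reuse problem described above and shows why resetting state at the start of `on_request_start()` fixes it. The `Request` class, the `SESSIONS` table and the harness that feeds several requests through one reused extension instance are constructed for this demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """Constructed stand-in for an incoming request carrying an optional session cookie."""
    session_cookie: Optional[str] = None


# Constructed lookup: which user a valid session cookie belongs to.
SESSIONS = {"cookie-for-alice": "alice"}


class LeakyExtension:
    """Vulnerable pattern: state is set once in __init__ and never reset per request."""

    def __init__(self):
        self.user_id: Optional[str] = None

    def on_request_start(self, request: Request) -> Optional[str]:
        # user_id is only written when a cookie is present; on an anonymous
        # request the previous request's value survives on the reused instance.
        if request.session_cookie in SESSIONS:
            self.user_id = SESSIONS[request.session_cookie]
        return self.user_id


class IsolatedExtension:
    """Fixed pattern: every request begins from a clean slate."""

    def _init_request_state(self) -> None:
        self.user_id: Optional[str] = None

    def on_request_start(self, request: Request) -> Optional[str]:
        self._init_request_state()  # reset before any per-request work
        if request.session_cookie in SESSIONS:
            self.user_id = SESSIONS[request.session_cookie]
        return self.user_id


def run_requests(extension, requests):
    """Feed several requests through ONE reused extension instance, as Strawberry may."""
    return [extension.on_request_start(r) for r in requests]


# Constructed sequence: a logged-in user's request followed by an anonymous one.
REQUESTS = [Request("cookie-for-alice"), Request(None)]

if __name__ == "__main__":
    print(run_requests(LeakyExtension(), REQUESTS))     # ['alice', 'alice']  <- leaked
    print(run_requests(IsolatedExtension(), REQUESTS))  # ['alice', None]
```

The second result is what a per-request reset must guarantee: an anonymous request never observes the identity established by the request before it.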

v0.2.7

11 Jul 09:57
3de9215
Merge pull request #4 from traboda/insensitive

Make authenticate with email case-insensitive

0.2.0 - First Public Release

28 Sep 10:43

We are open-sourcing chowkidar <3

First Stable Release - 0.1.7 🎉

25 Sep 19:40

First stable release of the package

Initial Release

20 Sep 22:24
Pre-release

Basic implementation of the JWT-based authentication system for Django Strawberry APIs.