All Versions
Latest Version
Avg Release Cycle
70 days
Latest Release
354 days ago

Changelog History
Page 1

  • v3.2.1 Changes

    October 10, 2022

    ๐Ÿ”’ Security

    • ๐Ÿ”„ Change it such that events are fired around recovery. Some important events were not occurring despite being logged in that would manage state like remember cookies, locking state, etc.

    A significant side effect of this is that when 2fa is currently turned on on an account, it could be bypassed by using the Recover functionality with the RecoverLoginAfterRecovery feature which was not otherwise flagged as a dangerous option.

    While it is true that recover uses an email to invoke the flow and therefore some second factor has been utilizied, it should be considered insecure to bypass an authenticator or sms verification for any login and therefore this large change in behavior is being shipped as a security fix (meaning it becomes a minor change).

  • v3.2.0 Changes

    August 11, 2021

    โž• Added

    • โž• Add additional events so users can take domain-specific actions when a user adds or removes 2fa.
  • v3.1.1 Changes

    July 01, 2021

    ๐Ÿ›  Fixed

    • ๐Ÿ›  Fix a test that had gone red
  • v3.1.0 Changes

    July 01, 2021

    โž• Added

    • โž• Add an optional interface in totp2fa that when implemented on the authboss User struct can prevent re-use of totp 2fa codes. This normally should have been a requirement for this module's usage but due to backward compatibility it's being added as optional and will become mandatory in the next major version.

    ๐Ÿ”„ Changed

    • ๐Ÿ”„ Change totp/sms email validation to delete the "email validation" session key after successfully adding 2fa to an account. This requires a second email verification in the same session if a user deletes and re-adds 2fa. This change is a behavior change but is not worthy of a larger version bump and should slightly increase security.
    • ๐Ÿ”„ Change "Successfully Authenticated" flash message when logging in with totp/sms 2fa methods. This was a difference between logging in with the auth module. It now has no flash message.
  • v3.0.5 Changes

    May 18, 2021
    • ๐Ÿ›  Fix an open redirect security issue. This is technically a breaking change if you are redirecting to some other site or front-end that's not on your server.
  • v3.0.4 Changes

    April 27, 2021

    ๐Ÿ”„ Changed

    • ๐Ÿ”„ Change qrcode endpoint for totp to try to prevent caching
  • v3.0.3 Changes

    February 14, 2021

    ๐Ÿ›  Fixed

    • ๐Ÿ›  Fix that EventRecoverStart/EventRecoverEnd were not being called.

    ๐Ÿ”„ Changed

    • ๐Ÿ”„ Change Remember module to listen to After(EventRecoverEnd) in order to invoke its handler to delete the remember cookie & tokens. This previously was not being called so it could be viewed as new behavior though this only applies if you are using both remember and recover modules.

    ๐Ÿ—„ Deprecate

    • EventPasswordReset is used nowhere and is no longer intended to be used.
  • v3.0.2 Changes

    September 17, 2020

    ๐Ÿ”’ Security fix but also a behavior change that could hurt depending on your usage of redirects. Please see the changelog for details as well as this PR: #309

  • v3.0.1 Changes

    August 25, 2020

    โž• Added

    • โž• Add the ability to carry query string parameters in the redirection to and away from the login page.
  • v3.0.0 Changes

    July 03, 2020

    ๐Ÿšš Move to Go modules. No other changes.