Changelog History

  • v3.2.0 Changes

    August 11, 2021

    Added

    • Add additional events so users can take domain-specific actions when a user adds or removes 2fa.
  • v3.1.1 Changes

    July 01, 2021

    Fixed

    • Fix a test that had gone red
  • v3.1.0 Changes

    July 01, 2021

    Added

    • Add an optional interface in totp2fa that, when implemented on the authboss User struct, can prevent re-use of totp 2fa codes. This normally should have been a requirement for this module's usage, but due to backward compatibility it's being added as optional and will become mandatory in the next major version.

    Changed

    • Change totp/sms email validation to delete the "email validation" session key after successfully adding 2fa to an account. This requires a second email verification in the same session if a user deletes and re-adds 2fa. This change is a behavior change but is not worthy of a larger version bump and should slightly increase security.
    • Change "Successfully Authenticated" flash message when logging in with totp/sms 2fa methods. This was a difference from logging in with the auth module. It now has no flash message.
  • v3.0.5 Changes

    May 18, 2021
    • Fix an open redirect security issue. This is technically a breaking change if you are redirecting to some other site or front-end that's not on your server.
  • v3.0.4 Changes

    April 27, 2021

    Changed

    • Change qrcode endpoint for totp to try to prevent caching
  • v3.0.3 Changes

    February 14, 2021

    Fixed

    • Fix that EventRecoverStart/EventRecoverEnd were not being called.

    Changed

    • Change Remember module to listen to After(EventRecoverEnd) in order to invoke its handler to delete the remember cookie & tokens. This previously was not being called so it could be viewed as new behavior though this only applies if you are using both remember and recover modules.

    Deprecate

    • EventPasswordReset is used nowhere and is no longer intended to be used.
  • v3.0.2 Changes

    September 17, 2020

    Security fix but also a behavior change that could hurt depending on your usage of redirects. Please see the changelog for details as well as this PR: #309

  • v3.0.1 Changes

    August 25, 2020

    Added

    • Add the ability to carry query string parameters in the redirection to and away from the login page.
  • v3.0.0 Changes

    July 03, 2020

    Move to Go modules. No other changes.

  • v2.4.1 Changes

    May 18, 2020

    Fixed

    Fix a security issue where a user could brute-force a password based on differing responses that are returned from the site when the incorrect password is entered versus the correct password.

    This comes with a slight change in behavior to minimize differences between the code paths of a correct vs incorrect password: The "attempt" time is always bumped in the DB no matter if it was the right or wrong password when being rejected for locking.