authboss v2.4.1 Release Notes

Release Date: 2020-05-18
  • 🛠 Fixed

    🛠 Fix a security issue where a user could brute-force a password based on the differing responses the site returned when an incorrect password was entered versus the correct one.

    This comes with a slight change in behavior to minimize the differences between the code paths for a correct and an incorrect password: the "attempt" time is now always bumped in the DB, regardless of whether the password was right or wrong, when a login is rejected because the account is locked.
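    The following is an added illustration of the class of bug described above, not authboss's own code: a constructed in-memory lock policy where the pre-fix variant bumps the attempt time only on a wrong password, so a locked account's lock expiry differs depending on whether the guess was correct, and the fixed variant bumps it on every rejection so the two states are indistinguishable. Account fields, window sizes and the plain-string password comparison are all assumptions for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Constructed in-memory account record (not authboss's User type).
type account struct {
	password     string    // stands in for a password hash; compared in constant time
	attemptCount int       // failed attempts in the current window
	lastAttempt  time.Time // the "attempt" time the lock policy keys on
	locked       bool
}

const (
	maxAttempts = 3               // assumed policy: lock after three failures
	lockWindow  = 5 * time.Minute // assumed policy: lock lasts five minutes after the last attempt
)

// One response for every rejection, so the response itself is not an oracle.
var errInvalid = errors.New("invalid credentials")

type loginFunc func(a *account, pw string, now time.Time) error

func passwordMatches(a *account, pw string) bool {
	return subtle.ConstantTimeCompare([]byte(a.password), []byte(pw)) == 1
}

// isLocked reports whether the lock is still in force at time now.
func isLocked(a *account, now time.Time) bool {
	return a.locked && now.Before(a.lastAttempt.Add(lockWindow))
}

// loginVulnerable models the pre-fix behavior: a locked account is rejected,
// but the attempt time is bumped only when the password was wrong, so the
// lock expires at a different time depending on whether the guess was correct.
func loginVulnerable(a *account, pw string, now time.Time) error {
	ok := passwordMatches(a, pw)
	if isLocked(a, now) {
		if !ok {
			a.lastAttempt = now
		}
		return errInvalid
	}
	return finishLogin(a, ok, now)
}

// loginFixed models the v2.4.1 behavior: when rejecting for locking, the
// attempt time is bumped regardless of whether the password was right.
func loginFixed(a *account, pw string, now time.Time) error {
	ok := passwordMatches(a, pw)
	if isLocked(a, now) {
		a.lastAttempt = now
		return errInvalid
	}
	return finishLogin(a, ok, now)
}

// finishLogin applies the lock policy to an account whose lock is not in force.
func finishLogin(a *account, ok bool, now time.Time) error {
	if ok {
		a.attemptCount = 0
		a.locked = false
		return nil
	}
	if a.locked { // an expired lock: start a fresh window
		a.locked = false
		a.attemptCount = 0
	}
	a.attemptCount++
	a.lastAttempt = now
	if a.attemptCount >= maxAttempts {
		a.locked = true
	}
	return errInvalid
}

// lockedAccount builds an account locked by three wrong guesses at t0 (constructed data).
func lockedAccount(t0 time.Time) *account {
	a := &account{password: "correct horse"}
	for i := 0; i < maxAttempts; i++ {
		_ = loginFixed(a, "wrong", t0)
	}
	return a
}

// leaksPasswordCorrectness reports whether submitting the right password and a
// wrong one to two identically locked accounts leaves them in distinguishable
// states (or yields different responses) under the given login variant.
func leaksPasswordCorrectness(login loginFunc) bool {
	t0 := time.Date(2020, 5, 18, 12, 0, 0, 0, time.UTC)
	later := t0.Add(time.Minute)
	right, wrong := lockedAccount(t0), lockedAccount(t0)
	errRight := login(right, "correct horse", later)
	errWrong := login(wrong, "nope", later)
	if errRight != errWrong {
		return true
	}
	return !right.lastAttempt.Equal(wrong.lastAttempt)
}

func main() {
	fmt.Println("vulnerable variant leaks:", leaksPasswordCorrectness(loginVulnerable))
	fmt.Println("fixed variant leaks:     ", leaksPasswordCorrectness(loginFixed))
}
```

    The point to check in any lock implementation is that every observable side effect of a rejected login (response body, status, timing, and stored state such as the attempt time) is the same whether the submitted password was right or wrong; the fixed variant achieves this by performing the same write on both paths.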


Previous changes from v2.4.0

  • ➕ Added

    • ➕ Add config option MailNoGoroutine, which prevents the modules from using a goroutine to launch the mailer. This matters because the context passed on from the HTTP request is cancelled in a race condition, which affects mailer implementations that honor context cancellation.
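    The following is an added simulation of the race the option addresses, not authboss's own code: a stand-in for net/http that cancels the per-request context as soon as the handler returns, a mailer that honors cancellation, and two handler shapes, one that sends from a goroutine inheriting the request context (the behavior MailNoGoroutine turns off) and one that sends synchronously before returning (the behavior it turns on). The mailer type, the latency constant and the recipient address are all constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// smtpLatency is a constructed stand-in for the time a real mailer spends
// talking to the mail server; it is long enough that a cancel issued right
// after the handler returns always wins the select below.
const smtpLatency = 50 * time.Millisecond

// mailer is a constructed mailer implementation that honors context
// cancellation, as the note says some implementations do.
type mailer struct {
	mu   sync.Mutex
	sent []string
}

// Send gives up with ctx.Err() if the context is cancelled before the
// (simulated) delivery completes.
func (m *mailer) Send(ctx context.Context, to string) error {
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-time.After(smtpLatency):
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	m.sent = append(m.sent, to)
	return nil
}

// serve stands in for net/http: the request context lives only as long as the
// handler call, and is cancelled the moment the handler returns.
func serve(handler func(ctx context.Context)) {
	ctx, cancel := context.WithCancel(context.Background())
	handler(ctx)
	cancel()
}

// handlerGoroutine models the default path: the mail is launched from a
// goroutine that inherits the request context, so it races the cancel.
func handlerGoroutine(m *mailer, results chan<- error) func(context.Context) {
	return func(ctx context.Context) {
		go func() { results <- m.Send(ctx, "user@example.com") }()
	}
}

// handlerSync models MailNoGoroutine: the mail is sent before the handler
// returns, while the request context is still live.
func handlerSync(m *mailer, results chan<- error) func(context.Context) {
	return func(ctx context.Context) {
		results <- m.Send(ctx, "user@example.com")
	}
}

// sendResult runs one simulated request and returns the mailer's outcome.
func sendResult(noGoroutine bool) error {
	m := &mailer{}
	results := make(chan error, 1)
	if noGoroutine {
		serve(handlerSync(m, results))
	} else {
		serve(handlerGoroutine(m, results))
	}
	return <-results
}

func main() {
	err := sendResult(false)
	fmt.Println("goroutine mailer cancelled:", errors.Is(err, context.Canceled))
	fmt.Println("synchronous mailer error:  ", sendResult(true))
}
```

    In the goroutine case the handler returns immediately, the request context is cancelled, and the mailer sees ctx.Done() before its delivery completes; in the synchronous case the handler blocks until Send returns, so the context is still live for the whole delivery. A mailer that ignores the context would not notice the difference, which is why the note scopes the problem to implementations that honor cancellation.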