authboss v3.2.1 Release Notes
Release Date: 2022-10-10
- 🔄 Change it such that events are fired around recovery. Some important events that manage state such as remember cookies and locking state were not firing for the login that recovery performs, even though the user ended up logged in.
A significant side effect of this is that when 2fa is turned on for an account, it could be bypassed by using the Recover functionality with the RecoverLoginAfterRecovery feature, which was not otherwise flagged as a dangerous option.
While it is true that recover uses an email to invoke the flow and therefore some second factor has been utilized, it should be considered insecure to bypass an authenticator or SMS verification for any login, and therefore this large change in behavior is being shipped as a security fix (meaning it becomes a minor change).
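To make the fix concrete, here is an added example (not authboss's own code) that models an event pipeline: a 2fa hook registered on the auth event, a recovery login that skips that event (the pre-3.2.1 behavior) and one that fires it. The Event, Session, Pipeline, TOTPGate and RecoverLogin* names are assumptions for illustration.

```go
package main

// Event, Session, Pipeline, TOTPGate and RecoverLogin* are assumptions that
// model a hook pipeline like authboss's; this is not the library's own code.
type Event int

const (
	EventAuth Event = iota
	EventRecoverEnd
)

type Session struct{ FullAuth, HalfAuth bool } // HalfAuth: second factor still owed
type User struct{ Name string; TOTP bool }   // TOTP: authenticator enrolled (2fa on)
type Hook func(s *Session, u User)

// Pipeline holds the After-hooks that modules register per event.
type Pipeline map[Event][]Hook

func (p Pipeline) After(e Event, h Hook) { p[e] = append(p[e], h) }

func (p Pipeline) Fire(e Event, s *Session, u User) {
	for _, h := range p[e] {
		h(s, u)
	}
}

// TOTPGate is what a 2fa module hangs on EventAuth: an enrolled user is
// downgraded to half-auth until the code is verified.
func TOTPGate(s *Session, u User) {
	if u.TOTP {
		s.FullAuth, s.HalfAuth = false, true
	}
}

// RecoverLoginVulnerable models pre-3.2.1: recovery writes a full session
// itself and never fires EventAuth, so the 2fa gate never runs.
func RecoverLoginVulnerable(p Pipeline, u User) Session {
	s := Session{FullAuth: true}
	p.Fire(EventRecoverEnd, &s, u)
	return s
}

// RecoverLoginFixed models 3.2.1: the post-recovery login passes through the
// same EventAuth chain as a password login, so the gate can interpose.
func RecoverLoginFixed(p Pipeline, u User) Session {
	s := Session{FullAuth: true}
	p.Fire(EventAuth, &s, u)
	p.Fire(EventRecoverEnd, &s, u)
	return s
}
```

Running both paths for a user with an authenticator enrolled shows the difference: the vulnerable path returns a fully authenticated session, the fixed path returns a half-auth session that still requires the second factor.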
Previous changes from v3.2.0
- ➕ Add additional events so users can take domain-specific actions when a user adds or removes 2fa.