Releases: WordPress/two-factor
Version 0.9.1
What's Changed
- Remove trailing commas in parameters to avoid syntax error with some PHP versions (ex. 7.2.x) by @KZeni in #604
- Ensure PHP 5.6+ support during CI to avoid breaking changes by @kasparsd in #605
Full Changelog: 0.9.0...0.9.1
Version 0.9.0
This is a large release with lots of changes and improvements to how the two-factor data is processed.
Notable Changes
- Users are now asked to re-authenticate with their two-factor before making changes to their two-factor settings #529. This builds on #528, which associates each login session with the two-factor login meta data for improved handling of that session.
Full Changelog
- Fix typo by @pkevan in #551
- Add a filter to filter the classname used for a provider by @dd32 in #546
- Bump tested up to version by @av3nger in #552
- Store the two-factor details in the user session at login time by @dd32 in #528
- Bump guzzlehttp/psr7 from 2.4.3 to 2.5.0 by @dependabot in #555
- Use simpler/less-technical wording and UI. by @dd32 in #521
- Fixing bug where Super Admins cannot set up Time Based One-Time Password as first Two Factor option on WP VIP by @spenserhale in #560
- Enqueue jQuery and wp.apiRequest for use within callbacks. by @dd32 in #561
- Revalidate two factor settings prior to allowing any two-factor changes to an account. by @dd32 in #529
- ReAuth: resolve fatal, code cleanup by @dd32 in #567
- Sync two-factor session meta to newly created sessions by @dd32 in #574
- Require a nonce be present for revalidate POST requests. by @dd32 in #575
- Bump tough-cookie from 4.1.2 to 4.1.3 by @dependabot in #579
- Destroy existing sessions when activating 2FA. by @dd32 in #578
- Bump version identifier by @iandunn in #588
- Add method to disable an individual provider by @iandunn in #587
- issue/594 - Prefer "require_once" in a few spots. by @JJJ in #595
- Update readme.txt by @bph in #597
- Bump postcss from 8.4.17 to 8.4.31 by @dependabot in #589
- Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #582
- Release 0.9.0 by @kasparsd in #603
New Contributors
- @pkevan made their first contribution in #551
- @av3nger made their first contribution in #552
- @spenserhale made their first contribution in #560
- @JJJ made their first contribution in #595
- @bph made their first contribution in #597
Full Changelog: 0.8.2...0.9.0
Version 0.8.2
Version 0.8.1
Includes the following changes: 0.8.0...8f73d27.
- Remove unnecessary comma to fix fatal error on PHP 7.2 #547
Version 0.8.0
Includes the following changes 0.7.3...2fa64f6.
- Reduce the login nonce expiration from 60 minutes to 10 minutes by default, and include user ID in the login nonce to make them unique #473.
- Replace QR generation for TOTP secrets with local JavaScript tooling instead of Google Charts API #487 and #495.
- Fix Backup code download with quotes in translations #494.
- Block sending authentication cookies upon 2FA login #502.
- Backup Codes: Always generate 10 codes via REST #514.
- TOTP: Enforce single-use of TOTP one-time passwords #517.
- Add rate limiting to two factor attempts #510.
- Core: Reset compromised passwords after 2FA failures #482.
- Document the TOTP Filters, add Issuer filter #530.
- Support login-by-email in maybe_show_reset_password_notice() #532.
- Be more tolerant of user input for auth codes #518.
- Standardise on int|WP_User input to the "for user" functions #535.
Version 0.7.3
Includes the following changes: 0.7.2...79c3641.
- Make wp_login_failed action call compatible with the WP core argument count and types. Reported in #471 by @dziudek and fixed in #478 by @dd32.
- Use hash_equals() for nonce comparison to improve security. Reported in #458 and fixed in #458 by @calvinalkan.
- Improve compatibility with PHP 8.1 by replacing all instances of FILTER_SANITIZE_STRING usage. Reported and fixed in #428 by @sjinks.
- Add automated checks for PHP 8 compatibility in #465 and #466 by @kasparsd.
- Improve accessibility of two-factor settings in the user profile by introducing a label that links the method names with the associated checkboxes. Reported and fixed in #387 by @r-a-y.
- Improve TOTP autocomplete behaviour by setting the autocomplete attribute to one-time-code. Reported and fixed in #420 by @squaredpx.
Version 0.7.2 (Security Improvement)
- Security improvement: Store the second factor authentication step nonce hashed to prevent leaking it via database read access #453. Props to @calvinalkan for reporting the issue.
- Fix: Add wp_specialchars_decode() to escape the HTML entity on the Email Subject line (#412), props @nbwpuk.
- Fix: Use hash_equals() when comparing the email token (#425), props @Mati02K.
- Tooling: Introduce @wordpress/env for development tooling and move to GitHub actions for CI (#436).
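The login-nonce handling described across the 0.7.2 (store only the hash), 0.7.3 (compare with hash_equals()) and 0.8.0 (10-minute expiry, user ID bound into the nonce) notes, as an added illustration that is not the plugin's own code; a plain array stands in for WordPress user meta, and all function and constant names are hypothetical.

```php
<?php
// Added illustration, not code from the two-factor plugin. A plain array stands in for
// WordPress user meta; function and constant names here are hypothetical.
const LOGIN_NONCE_EXPIRATION = 10 * 60; // 10 minutes, the default introduced in 0.8.0

// Bind the nonce to the user ID so a value issued for one user never verifies for another.
function hash_login_nonce(int $user_id, string $nonce): string {
    return hash('sha256', $user_id . '|' . $nonce);
}

// Issue a nonce: only its hash and expiry are persisted, so reading the store
// (for example via database access) does not yield a nonce that can finish a login.
function create_login_nonce(array &$store, int $user_id, int $now): string {
    $nonce = bin2hex(random_bytes(32));
    $store[$user_id] = [
        'hash'    => hash_login_nonce($user_id, $nonce),
        'expires' => $now + LOGIN_NONCE_EXPIRATION,
    ];
    return $nonce; // handed to the client once, never stored in clear
}

// Verify with a constant-time comparison, reject expired values, and consume on success.
function verify_login_nonce(array &$store, int $user_id, string $nonce, int $now): bool {
    if (!isset($store[$user_id])) {
        return false;
    }
    $record = $store[$user_id];
    if ($now > $record['expires']) {
        unset($store[$user_id]); // expired: discard so it cannot be retried later
        return false;
    }
    if (!hash_equals($record['hash'], hash_login_nonce($user_id, $nonce))) {
        return false; // mismatch: keep the record; attempt limits are handled elsewhere
    }
    unset($store[$user_id]); // single use
    return true;
}

// Constructed walk-through.
$store = [];
$now   = time();
$nonce = create_login_nonce($store, 42, $now);
var_dump(verify_login_nonce($store, 7, $nonce, $now));            // another user's ID
var_dump(verify_login_nonce($store, 42, $nonce . 'ff', $now));    // tampered value
var_dump(verify_login_nonce($store, 42, $nonce, $now));           // correct, first use
var_dump(verify_login_nonce($store, 42, $nonce, $now));           // reuse of a consumed nonce
$nonce = create_login_nonce($store, 42, $now);
var_dump(verify_login_nonce($store, 42, $nonce, $now + 11 * 60)); // presented after 11 minutes
```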
Version 0.7.1
Version 0.7.0
- Fix: improve time-based one-time (TOTP) autofill when using password managers like 1Password, see #373. Props @omelhus.
- Fix: allow spaces in email code input and strip them away before processing, see #379. Props @shay1383.
- Fix: remove references to Google Authenticator app since there are a lot more TOTP authenticators these days, see #367. Props @r-a-y.
- Fix: register FIDO U2F related scripts during the suggested action hooks to avoid PHP notices, see #356 and #368. Props @cojennin.
- Rename and deprecate action and filter names two-factor-user-options- and two-factor-totp-time-step-allowance that don't follow the WP coding standards. Use two_factor_user_options_ and two_factor_totp_time_step_allowance now. See #363. Props @paulschreiber.
- Update codebase to match the WordPress coding standards, see #340. Props @paulschreiber.
- Add tooling to run PHPUnit tests locally during development, see #355. Props @kasparsd.
Version 0.7.0-rc.1
- Update codebase to match the WordPress coding standards, see #340. Props @paulschreiber.
- Add tooling to run PHPUnit tests locally during development, see #355. Props @kasparsd.