Releases: Bubka/2FAuth

v5.3.0

27 Sep 13:27

Added

  • The /up endpoint for health checks (#271).
  • A user preference to close the on-screen OTP after a predefined delay
  • A user preference to automatically register a 2FA account immediately after a QR code scan. When enabled, there is no need to click the Save button anymore to save the account to the database.
  • An admin setting to make SSO the only authentication method available (does not apply to admins). (#368).
  • The ability to assign a 2FA account to a specific group directly from the advanced form (#372).
  • A new Auth tab in the admin panel to gather settings related to authentication
  • Proxy support for the OpenID connector (using PROXY_FOR_OUTGOING_REQUESTS), thanks to @rstefko (PR #367)

New env vars

A lot of new environment variables are available thanks to the Laravel 11 upgrade. They give more control over various features of the application:

  • ARGON_THREADS: Number of threads that Argon2 will use to compute a hash.
  • ARGON_TIME: Maximum amount of time it may take to compute an Argon2 hash.
  • ARGON_MEMORY: Maximum memory (in kibibytes) that may be used to compute an Argon2 hash.
  • DB_CHARSET: The character set of the database.
  • DB_COLLATION: The collation of the database.
  • HASH_DRIVER: The hash algorithm used to hash user passwords.
  • LOG_STACK: The stack of log channels used when the log channel is set to stack.
  • LOG_DAILY_DAYS: Number of log files to generate/rotate when using the daily log channel.
  • LOG_SLACK_USERNAME: The name of the user sending the log messages when using the slack log channel.
  • LOG_SLACK_EMOJI: The Emoji code of the emoji used to illustrate log messages when using the slack log channel.
  • LOG_SYSLOG_FACILITY: The syslog facility that provides a rough clue of where in a system the message originated.
  • SESSION_TABLE: Name of the table to be used to store sessions when using the database session driver.
  • SESSION_ENCRYPT: Whether or not session data is encrypted before it is stored.

Please refer to the Configuration doc to find out when and how to use them.

Changed

  • The Service data field is now encrypted in the database (#365).
  • Upgrade to Laravel 11

Fixed

API [1.5.0]

  • New group_id property for POST and PUT operations of the /api/v1/twofaccounts path

v5.2.0

29 May 14:27

2FAuth v5.2 offers a new notification feature. Each user can now decide whether they want to receive an email after a successful login from a new device, or after a failed login.

For now, both notifications are disabled by default. Why this choice when this feature increases security? Because if the email configuration of your 2FAuth instance is not set up correctly, such login attempts will take a while (until all email sending attempts have failed).

If you never set up email sending on your instance, do it. It is the only way to recover your account, whether you use a password or a passkey to authenticate. To help you in this task, all required environment variables are described here. Since v5.1, administrators also have access to a test email button to validate the email configuration from the UI.

Notifications will be enabled by default in a future version.

Last but not least:

⚠️ This version drops PHP 8.1 support ⚠️

Added

  • When installed, 2FAuth now offers shortcuts to common actions.
  • User authentication logs (See user management pages in the admin area).
  • Two user preferences to control the notifications sent when authentication events occur.
  • A user preference to set the timezone applied to dates and times displayed in the app.

New env vars

  • APP_TIMEZONE: The timezone applied to dates and times recorded to database (doc).
  • AUTHENTICATION_LOG_RETENTION: The authentication log retention time, in days (doc).
  • PROXY_HEADER_FOR_IP: Name of the HTTP header sent by a reverse proxy to pass the original visitor IP address. (doc).

Changed

  • MAIL_DRIVER env var renamed to MAIL_MAILER.
    This is not a breaking change as the former name is still supported. This is just to stick to Laravel defaults.
  • NGINX server now also listens on IPv6 in the Docker image (#336).

Fixed

  • issue #192 DB_DATABASE path not respected by entrypoint script
  • issue #244 gauth qr code can't be imported
  • issue #255 Only one Webauthn Device functioning
  • issue #295 Add support for PHP 8.3
  • issue #331 Last admin can demote to user, leaving the instance administratorless

API [1.4.0]

  • /api/v1/users/{id}/authentications GET path added (doc).

v5.1.1

21 Mar 17:50

Fixed

  • issue #326 Admin panel not working when using security device
  • issue #327 "Keep SSO registration enabled" is not saved

v5.1.0

16 Mar 10:59

Hey Administrators, this release is for you, a brand new Admin Panel has arrived.

With this dedicated space, you will be able to manage admin settings previously located in the User Options view (like encryption, version check, registration). Some new settings are available to better control registration (email restrictions and self-ruling SSO) and two new features are coming: Email Configuration Testing and Cache Clearing.

But the real newness is the user management. All registered accounts are now searchable, the administrator role can be granted to any user, user access (password, personal token, security key/passphrase) can be revoked and you may also delete existing users or even create new ones.

Note that the 2FAuth API has been updated with the new paths related to user management.

Added

  • A user preference to clear search results after copying a code (#300).
  • A user preference to return to default group after copying a code (#300).
  • The ability to submit a migration text directly in the Import view besides TXT files & QR codes loading (#288).
  • An administrator setting to restrict registration to a limited range of email addresses (#250).
  • An administrator setting to keep user registration via SSO enabled (#317).
  • A test email feature to ensure email sending works as expected (#307).
  • A Clear cache feature to... clear the cache, but from the browser (#316).
  • Hindi translation, thanks to @saxenas

Changed

  • User preferences & Environment variables have been moved from the About view to the new Administration panel (#303).
  • Spaces are now removed from the Secret when filling out the Advanced form (#311).

Fixed

  • issue #303 "Already authenticated" error message
  • issue #305 403 Forbidden {message: "unauthorized"}
  • issue #315 "Check now" button is untranslatable
  • issue #320 app/Policies/OwnershipTrait contains a bug, i think

API [1.3.0]

  • /api/v1/users paths added to manage registered users
  • oauth_provider property to the response body of /api/v1/user GET path

v5.0.4

23 Feb 15:00

Added

Fixed

  • issue #284 Blank screen with version 5.0.3
  • issue #296 WARN Command cancelled (env=production breaks docker entrypoint)
  • issue #298 WebAuthn account recovery and password recovery doesn't work. Email template broken
  • issue #299 OID redirect behind reverse proxy

v5.0.3

19 Jan 14:54

⚠️ For everyone experiencing a blank screen after updating to v5.*, please set the ASSET_URL env variable to the same value as APP_URL.

Added

  • The ASSET_URL now appears in the .env.example variables next to APP_URL

Fixed

v5.0.2

29 Dec 17:04

Fixed

  • issue #265 Version 5.0.1 doesn't display colored countdown segments

v5.0.1

29 Dec 00:03

Fixed

v5.0.0

22 Dec 12:21

2FAuth v5, the not-so-major release

Why? Because most of the changes are internal and come from the Vue 3 migration. I chose the long way, the one where all components had to be rewritten to adopt the new Vue Composition API and where the whole architecture has been rethought. Thus, despite all that work, almost nothing has changed on the surface.

But it was a necessary step, especially because Vue 2 will reach End Of Life at the end of 2023. Now 2FAuth is also better prepared for future enhancements.

Ok, so is there anything new?
Yes, SSO.

Not so bad, right?

The feature, bootstrapped by @indyKoning with an OpenID provider, has been completed and now provides a Github provider as well. I plan to add more providers, tell me in the discussion which ones you would like to see. If you need help, the docs site has been updated to guide you through the setup process.

v5 also comes with the following.

Added

  • Single Sign-On (SSO) is now available as an authentication method, with OpenID & Github. Contributed by @indyKoning (PR #243)
  • The ability to reveal passwords obscured with dots. See the Options tab in Settings (#208).
  • An env var to set a proxy for outgoing requests (#252).

Changed

  • Automatically signed-out users now land on the Login view instead of the Autolock view (#138)
  • User preferences that depend on another now appear indented
  • Letters with diacritic marks are allowed in Group name (#241)
  • Request body threshold increased to 10 MB in the Docker image to allow importing large files (#239)

Removed

Fixed

API [1.2.0]

  • /api/v1/user GET path added
  • ids and withOtp query parameters added to the /api/v1/twofaccounts GET path

Full Changelog: v4.2.4...v5.0.0

v4.2.4

21 Nov 12:52

Changed

  • PR #242 The Docker image now embeds the PostgreSQL PHP extensions, thanks to @stavros-k

Fixed