
Releases: WordPress/two-factor

Version 0.10.0

02 Dec 10:04
990c967

What's Changed

Major Changes

  • Bump minimum WP to 6.3, minimum PHP to 7.2. by @dd32 in #625


Full Changelog: 0.9.1...0.10.0

Version 0.9.1

25 Apr 20:04
1828c55

What's Changed

  • Remove trailing commas in parameters to avoid syntax error with some PHP versions (ex. 7.2.x) by @KZeni in #604
  • Ensure PHP 5.6+ support during CI to avoid breaking changes by @kasparsd in #605

Full Changelog: 0.9.0...0.9.1

Version 0.9.0

25 Apr 10:09
dc27957

This is a large release with lots of changes and improvements to how the two-factor data is processed.

Notable Changes

  • Users are now asked to re-authenticate with their two-factor before making changes to their two-factor settings #529. This builds on #528, which associates each login session with the two-factor login metadata for improved handling of that session.

Full Changelog

  • Fix typo by @pkevan in #551
  • Add a filter to filter the classname used for a provider by @dd32 in #546
  • Bump tested up to version by @av3nger in #552
  • Store the two-factor details in the user session at login time by @dd32 in #528
  • Bump guzzlehttp/psr7 from 2.4.3 to 2.5.0 by @dependabot in #555
  • Use simpler/less-technical wording and UI. by @dd32 in #521
  • Fixing bug where Super Admins cannot set up Time Based One-Time Password as first Two Factor option on WP VIP by @spenserhale in #560
  • Enqueue jQuery and wp.apiRequest for use within callbacks. by @dd32 in #561
  • Revalidate two factor settings prior to allowing any two-factor changes to an account. by @dd32 in #529
  • ReAuth: resolve fatal, code cleanup by @dd32 in #567
  • Sync two-factor session meta to newly created sessions by @dd32 in #574
  • Require a nonce be present for revalidate POST requests. by @dd32 in #575
  • Bump tough-cookie from 4.1.2 to 4.1.3 by @dependabot in #579
  • Destroy existing sessions when activating 2FA. by @dd32 in #578
  • Bump version identifier by @iandunn in #588
  • Add method to disable an individual provider by @iandunn in #587
  • issue/594 - Prefer "require_once" in a few spots. by @JJJ in #595
  • Update readme.txt by @bph in #597
  • Bump postcss from 8.4.17 to 8.4.31 by @dependabot in #589
  • Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #582
  • Release 0.9.0 by @kasparsd in #603
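The session handling described in this release (#528, #529, #574, #578) is easier to reason about as code. The following is an added example written for this page, not the two-factor plugin's own implementation: it ties the second-factor login to the session it happened in, demands a fresh second factor before two-factor settings may change, and destroys the user's other sessions when two-factor is switched on. The `$sessions` array, the `REVALIDATE_WINDOW` value and the function names are assumptions for illustration; the plugin stores this data in the WordPress session store.

```php
<?php
// Added example, not the two-factor plugin's own code. It models what the 0.9.0
// notes describe: tie the second-factor login to the session it happened in,
// demand a fresh second factor before two-factor settings may change, and drop
// every other session of the user when two-factor is switched on.
// The $sessions array stands in for the WordPress session store (assumption).

declare(strict_types=1);

const REVALIDATE_WINDOW = 10 * 60; // seconds a second-factor check stays fresh (assumed value)

/** Open a session after the password (first factor) was accepted. */
function session_open(array &$sessions, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $sessions[$token] = [
        'user_id'    => $userId,
        'login'      => $now,
        'two_factor' => null, // set only once a second factor succeeds in this session
    ];
    return $token;
}

/** Record in this session which provider was used and when. */
function session_mark_two_factor(array &$sessions, string $token, string $provider, int $now): void
{
    if (!isset($sessions[$token])) {
        throw new RuntimeException('unknown session');
    }
    $sessions[$token]['two_factor'] = ['provider' => $provider, 'verified_at' => $now];
}

/** Settings may change only from a session that passed a second factor recently. */
function session_may_change_two_factor_settings(array $sessions, string $token, int $now): bool
{
    $tf = $sessions[$token]['two_factor'] ?? null;
    if ($tf === null) {
        return false; // password-only session: must re-authenticate first
    }
    return ($now - $tf['verified_at']) <= REVALIDATE_WINDOW;
}

/** Sessions created before two-factor was enabled never passed it: destroy all but the current one. */
function sessions_destroy_others(array &$sessions, string $keepToken, int $userId): int
{
    $destroyed = 0;
    foreach ($sessions as $token => $record) {
        if ($token !== $keepToken && $record['user_id'] === $userId) {
            unset($sessions[$token]);
            $destroyed++;
        }
    }
    return $destroyed;
}

// Walk-through on constructed data: one stale password-only session, one fresh one.
$sessions = [];
$now = 1700000000;
$stale   = session_open($sessions, 42, $now - 3600);
$current = session_open($sessions, 42, $now);
session_mark_two_factor($sessions, $current, 'totp', $now);

var_dump(session_may_change_two_factor_settings($sessions, $stale, $now));   // never passed 2FA
var_dump(session_may_change_two_factor_settings($sessions, $current, $now)); // fresh
var_dump(session_may_change_two_factor_settings($sessions, $current, $now + REVALIDATE_WINDOW + 1)); // stale, re-auth needed
var_dump(sessions_destroy_others($sessions, $current, 42));
var_dump(array_keys($sessions) === [$current]);
```

The point of keeping the second-factor record on the session rather than on the user is the one #528 makes: a session that was opened before two-factor was enabled, or that only ever passed the password, must not be able to change two-factor settings, and revalidation has to be checked per session, not per account.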


Full Changelog: 0.8.2...0.9.0

Version 0.8.2

04 Sep 20:38
2d4b9ec

Includes the following changes

Full Changelog: 0.8.1...0.8.2

Version 0.8.1

27 Mar 16:36
8f73d27

Includes the following changes 0.8.0...8f73d27

  • Remove unnecessary comma to fix fatal error on PHP 7.2 #547

Version 0.8.0

27 Mar 09:12
2fa64f6

Includes the following changes 0.7.3...2fa64f6.

  • Reduce the login nonce expiration from 60 minutes to 10 minutes by default, and include user ID in the login nonce to make them unique #473.
  • Replace QR generation for TOTP secrets with local JavaScript tooling instead of Google Charts API #487 and #495.
  • Fix Backup code download with quotes in translations #494.
  • Block sending authentication cookies upon 2FA login #502.
  • Backup Codes: Always generate 10 codes via REST #514.
  • TOTP: Enforce single-use of TOTP one-time passwords #517.
  • Add rate limiting to two factor attempts #510.
  • Core: Reset compromised passwords after 2FA failures #482.
  • Document the TOTP Filters, add Issuer filter #530.
  • Support login-by-email in maybe_show_reset_password_notice() #532.
  • Be more tolerant of user input for auth codes #518.
  • Standardise on int|WP_User input to the "for user" functions #535.
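Three of the TOTP items above (#517 single-use, #518 tolerant input, and the drift tolerance the time-step allowance filter controls) interact, so here is an added example, written for this page and not taken from the plugin, of a verifier that has all three properties. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the `$lastStep` array, the `TOTP_DRIFT` value and the function names are assumptions for illustration, and the plugin keeps the last-used step in user metadata rather than in an array.

```php
<?php
// Added example, not the two-factor plugin's own code. RFC 6238 TOTP verification
// with the properties the 0.8.0 notes describe: normalise sloppy user input, accept
// a small clock-drift window, and never accept the same time step twice.
// The $lastStep array stands in for per-user metadata (assumption).

declare(strict_types=1);

const TOTP_STEP   = 30; // seconds per time step
const TOTP_DIGITS = 6;
const TOTP_DRIFT  = 1;  // accept +/- this many steps of clock skew (assumed value)

/** HOTP (RFC 4226) for one 64-bit counter value; $secret is the raw key bytes. */
function hotp(string $secret, int $counter): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true); // 'J': 64-bit big-endian
    $offset = ord($hmac[19]) & 0x0f;                                   // dynamic truncation
    $code   = (
        ((ord($hmac[$offset])     & 0x7f) << 24) |
        ((ord($hmac[$offset + 1]) & 0xff) << 16) |
        ((ord($hmac[$offset + 2]) & 0xff) << 8)  |
         (ord($hmac[$offset + 3]) & 0xff)
    ) % (10 ** TOTP_DIGITS);
    return str_pad((string) $code, TOTP_DIGITS, '0', STR_PAD_LEFT);
}

/** Normalise what a human typed: "287 082", "287-082" and " 287082 " all mean 287082. */
function normalise_code(string $input): ?string
{
    $digits = preg_replace('/[^0-9]/', '', $input);
    return strlen($digits) === TOTP_DIGITS ? $digits : null;
}

/**
 * Verify a code for time $now. On success returns the time step that matched and
 * records it, so that step (and any earlier one) can never be accepted again.
 * Returns null on failure.
 */
function verify_totp(string $secret, string $input, int $now, array &$lastStep, string $user): ?int
{
    $code = normalise_code($input);
    if ($code === null) {
        return null;
    }
    $current = intdiv($now, TOTP_STEP);
    for ($delta = -TOTP_DRIFT; $delta <= TOTP_DRIFT; $delta++) {
        $step = $current + $delta;
        // Constant-time compare; reject any step at or before the last one used.
        if (hash_equals(hotp($secret, $step), $code) && $step > ($lastStep[$user] ?? -1)) {
            $lastStep[$user] = $step;
            return $step;
        }
    }
    return null;
}

// Sanity check against the RFC 4226 Appendix D test vector (secret "12345678901234567890", counter 1).
$secret = '12345678901234567890';
if (hotp($secret, 1) !== '287082') {
    throw new RuntimeException('HOTP does not match the RFC 4226 test vector');
}

// Walk-through on constructed input.
$lastStep = [];
var_dump(verify_totp($secret, ' 287 082 ', 59, $lastStep, 'alice'));          // step 1, with noise in the input
var_dump(verify_totp($secret, '287082', 75, $lastStep, 'alice'));             // same step presented again
var_dump(verify_totp($secret, hotp($secret, 2), 89, $lastStep, 'alice'));     // next step
```

Remembering the last accepted step is what makes "single use" actually hold across the drift window: without it, a code captured at step N is still valid at step N+1, because N is inside the window that step N+1 accepts.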

Version 0.7.3

17 Oct 15:50
e544e89

Includes the following changes 0.7.2...79c3641

  • Make wp_login_failed action call compatible with the WP core argument count and types. Reported in #471 by @dziudek and fixed in #478 by @dd32.
  • Use hash_equals() for nonce comparison to improve security. Reported in #458 and fixed in #458 by @calvinalkan.
  • Improve compatibility with PHP 8.1 by replacing all instances of FILTER_SANITIZE_STRING usage. Reported and fixed in #428 by @sjinks.
  • Add automated checks for PHP 8 compatibility in #465 and #466 by @kasparsd.
  • Improve accessibility of two-factor settings in the user profile by introducing a label that links the method names with the associated checkboxes. Reported and fixed in #387 by @r-a-y.
  • Improve TOTP autocomplete behaviour by setting the autocomplete attribute to one-time-code. Reported and fixed in #420 by @squaredpx.

Version 0.7.2 (Security Improvement)

12 Sep 15:06
90a86f7
  • Security improvement: Store the second factor authentication step nonce hashed to prevent leaking it via database read access #453. Props to @calvinalkan for reporting the issue.
  • Fix: Add wp_specialchars_decode() to escape the HTML entity on the Email Subject line (#412), props @nbwpuk.
  • Fix: Use hash_equals() when comparing the email token (#425), props @Mati02K.
  • Tooling: Introduce @wordpress/env for development tooling and move to GitHub actions for CI (#436).
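The login-nonce items in 0.7.2 (hashed storage, #453), 0.7.3 (hash_equals() comparison, #458) and 0.8.0 (10-minute expiry and user-ID binding, #473) describe one mechanism, so here is one added example of it. This is written for this page and is not the plugin's code: the `$store` array, the hash construction and the function names are assumptions for illustration; the plugin persists the record as user metadata.

```php
<?php
// Added example, not the two-factor plugin's own code. It shows the login-nonce
// lifecycle with the properties the 0.7.2, 0.7.3 and 0.8.0 notes describe: only a
// hash of the nonce is stored, the hash is bound to the user ID, it expires after
// 10 minutes, it is compared with hash_equals(), and it is consumed on use.
// The $store array stands in for per-user metadata (assumption).

declare(strict_types=1);

const LOGIN_NONCE_TTL = 10 * 60; // seconds; 0.8.0 reduced this from 60 minutes

/** Hash that binds the nonce to one user: the same plaintext is useless under another user ID. */
function login_nonce_hash(int $userId, string $plain): string
{
    return hash('sha256', $userId . ':' . $plain);
}

/** Issue a nonce after the password was accepted. Only the hash is persisted; the plaintext goes to the 2FA form. */
function login_nonce_create(array &$store, int $userId, int $now): string
{
    $plain = bin2hex(random_bytes(32));
    $store[$userId] = [
        'hash'    => login_nonce_hash($userId, $plain),
        'expires' => $now + LOGIN_NONCE_TTL,
    ];
    return $plain;
}

/** Verify the nonce presented with the second-factor form and consume it on success. */
function login_nonce_verify(array &$store, int $userId, string $plain, int $now): bool
{
    $record = $store[$userId] ?? null;
    if ($record === null) {
        return false;
    }
    if ($now > $record['expires']) {
        unset($store[$userId]); // expired: the user has to start the login over
        return false;
    }
    if (!hash_equals($record['hash'], login_nonce_hash($userId, $plain))) {
        return false; // constant-time comparison; a wrong value leaves the nonce in place
    }
    unset($store[$userId]); // single use
    return true;
}

// Walk-through on constructed data.
$store = [];
$now   = 1700000000;
$plain = login_nonce_create($store, 7, $now);

// Someone with read access to the database sees only the hash, which is not the nonce.
var_dump(login_nonce_verify($store, 7, $store[7]['hash'], $now));
// The real nonce under a different user ID does not match, because the ID was hashed in.
var_dump(login_nonce_verify($store, 8, $plain, $now));
// The real nonce, within the TTL, is accepted and then consumed.
var_dump(login_nonce_verify($store, 7, $plain, $now + 60));
var_dump(login_nonce_verify($store, 7, $plain, $now + 61));
// A nonce presented after the TTL is rejected and discarded.
$plain = login_nonce_create($store, 7, $now);
var_dump(login_nonce_verify($store, 7, $plain, $now + LOGIN_NONCE_TTL + 1));
```

The #453 threat is worth keeping in mind when designing any such token: the nonce is a bearer credential that skips the password, so the row that holds it must not be usable as the nonce itself, which is what storing only a hash achieves.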

Version 0.7.1

07 Sep 07:18
ff6b358
  • Update the login_header() and login_footer() methods to match the WP core (see #407), props @cfaria.
  • Mark as compatible with WordPress 5.8.

Version 0.7.0

26 Aug 09:58
736473e
  • Fix: improve time-based one-time password (TOTP) autofill when using password managers like 1Password, see #373. Props @omelhus.
  • Fix: allow spaces in email code input and strip them away before processing, see #379. Props @shay1383.
  • Fix: remove references to Google Authenticator app since there are a lot more TOTP authenticators these days, see #367. Props @r-a-y.
  • Fix: register FIDO U2F related scripts during the suggested action hooks to avoid PHP notices, see #356 and #368. Props @cojennin.
  • Rename and deprecate the action and filter names two-factor-user-options- and two-factor-totp-time-step-allowance, which don't follow the WP coding standards. Use two_factor_user_options_ and two_factor_totp_time_step_allowance now. See #363. Props @paulschreiber.
  • Update codebase to match the WordPress coding standards, see #340. Props @paulschreiber.
  • Add tooling to run PHPUnit tests locally during development, see #355. Props @kasparsd.