
Releases: scheb/2fa

v6.11.0

23 Nov 15:48

The window config option is deprecated and will be removed in bundle version 7. Please use the new option leeway instead.

See the configuration reference for details.


Background: The options scheb_two_factor.google.window and scheb_two_factor.totp.window behave differently depending on the version of Spomky-Labs/otphp used:

  • With Spomky-Labs/otphp v10: the number of codes before/after the current one that are accepted
  • With Spomky-Labs/otphp v11: the acceptable time drift in seconds

To address this confusing, ambiguous behavior (#201), the new config option leeway is introduced, which is only allowed in conjunction with Spomky-Labs/otphp v11.
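
To see why the same number means very different things under the two readings, the following added example (a sketch written for this page, not code from scheb/2fa or Spomky-Labs/otphp) implements RFC 6238 TOTP and measures how many seconds of clock time each interpretation accepts. The secret, the timestamp, all function names and the three-point leeway check are assumptions of the sketch.

```python
import hashlib
import hmac
import struct

PERIOD = 30                          # seconds per TOTP step (RFC 6238 default)
SECRET = b"constructed-demo-secret"  # constructed sample key
NOW = 1_699_999_995                  # constructed timestamp, 15 s into a step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, timestamp):
    return hotp(secret, timestamp // PERIOD)


def verify_window(secret, code, now, window):
    """Setting read as a code count: accept +/- `window` whole steps."""
    step = now // PERIOD
    return any(hmac.compare_digest(hotp(secret, step + i), code)
               for i in range(-window, window + 1))


def verify_leeway(secret, code, now, leeway):
    """Setting read as seconds of drift. Assumption of this sketch: accept the
    code valid at now - leeway, now or now + leeway, with leeway < PERIOD."""
    if not 0 <= leeway < PERIOD:
        raise ValueError("leeway must be shorter than one period")
    return any(hmac.compare_digest(totp(secret, t), code)
               for t in (now - leeway, now, now + leeway))


def accepted_seconds(verify, setting, now=NOW):
    """Count the clock offsets (1 s apart, +/- 20 steps) whose code is accepted."""
    return sum(verify(SECRET, totp(SECRET, now + off), now, setting)
               for off in range(-20 * PERIOD, 20 * PERIOD))


if __name__ == "__main__":
    for name, fn in (("window", verify_window), ("leeway", verify_leeway)):
        print(f"{name}=10 accepts codes from {accepted_seconds(fn, 10)} s of clock time")
```

A value of 10 chosen as seconds of drift accepts 21 consecutive codes when it is read as a code count, so check which otphp major version is installed before carrying an old window value forward.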

v6.10.0

04 Nov 13:00
  • Add support for PHP 8.3 🎁
  • Use of deprecated HttpKernelInterface::MASTER_REQUEST was replaced with HttpKernelInterface::MAIN_REQUEST

v6.9.0

05 Aug 11:39

v6.8.0

01 Apr 11:22

v6.7.0

25 Feb 09:24
  • Fix lcobucci/jwt ValidAt, #178, thanks to @maxhelias
  • Minimum required version for lcobucci/jwt was bumped up to 4.1

v6.6.0

26 Jan 18:48

v6.5.0

21 Jan 11:18

v6.4.0

10 Dec 15:28
  • Add PHP 8.2 support
  • Avoid starting session usage, #168, thanks to @trsteel88
  • Add cookie same site option "none"

v6.3.0

01 Sep 18:49

A configuration option scheb_two_factor.trusted_device.key was added to configure an encryption key for the trusted device token. Before, it was hard-coded to use the application's kernel.secret. This is still the case if you don't set a value for scheb_two_factor.trusted_device.key.

Background:
If you're using lcobucci/jwt version 4.2 or higher, a 256-bit key is required for the trusted device token. If your kernel.secret isn't long enough, you'll run into problems. In that case, you can configure a scheb_two_factor.trusted_device.key value of sufficient length if you don't want to change the kernel.secret value for your entire application (which may have unforeseen consequences (λ) for your application). Warning: Configuring a new key will invalidate all trusted device tokens for your users.

Thanks to @lcobucci for suggesting the approach in #158 and doing the majority of work :)

v6.2.0

01 Aug 17:20