- The links in the footer (Settings, [Admin,] Sign out) have been replaced by the email address of the logged-in user. Clicking on this email shows a navigation menu containing the links that were previously visible in the footer. The former display is still available if you don't like the new one: just uncheck the new _Show email in footer_ user option in Settings. ([#404](https://github.com/Bubka/2FAuth/issues/404))
- Administrators can now configure 2FAuth to register 2FA icons in the database (see the new _Store icons to database_ setting in the admin panel). When enabled, existing icons in the local file system are automatically registered in the database. These files are retained and then used for caching purposes only. 2FAuth will automatically re-create cache files if they are missing, so you only have to consider the database when backing up your instance. When disabled, 2FAuth will check that all registered icons in the database have a corresponding local file before flushing out the db icons table. ([#364](https://github.com/Bubka/2FAuth/issues/364)).
- The ability to export 2FA accounts as a list of otpauth URIs ([#386](https://github.com/Bubka/2FAuth/issues/386)).
### Fixed
- Part of the content of some pages (such as the error page) could be hidden by the footer on small screens.
### API [1.6.0]
- New `otpauth` query parameter for the GET operation of path `/api/v1/twofaccounts/export` to force data export as otpauth URIs instead of the 2FAuth JSON format.
- The `/up` endpoint for health checks ([#271](https://github.com/Bubka/2FAuth/issues/271)).
- A user preference to close the on-screen OTP after a predefined delay
- A user preference to automatically register a 2FA account immediately after a QR code scan. When enabled, there is no need to click the Save button anymore to save the account to the database.
- An admin setting to make SSO the only authentication method available (does not apply to admins). ([#368](https://github.com/Bubka/2FAuth/issues/368)).
- The ability to assign a 2FA account to a specific group directly from the advanced form ([#372](https://github.com/Bubka/2FAuth/issues/372)).
- A new _Auth_ tab in the admin panel to gather settings related to authentication
- Proxy support for the OpenID connector (using `PROXY_FOR_OUTGOING_REQUESTS`), thanks to [@rstefko](https://github.com/rstefko) ([PR #367](https://github.com/Bubka/2FAuth/pull/367))
2FAuth v5.2 offers a new notification feature. Each user can now decide whether they want to receive an email after a successful login from a new device, or after a failed login.
For now, both notifications are __disabled__ by default. Why this choice when this feature increases security? Because if the email configuration of your 2FAuth instance is not set up correctly, such login attempts will take a while (until all email sending attempts have failed).
If you never set up email sending on your instance, do it. It is the only way to recover your account, whether you use a password or a passkey to authenticate. To help you in this task, all required environment variables are described [here](https://docs.2fauth.app/getting-started/configuration/#email-setting). Since v5.1, administrators also have access to a test email button to validate the email configuration from the UI.
Notifications will be enabled by default in a future version.
- When [installed](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Guides/Installing), 2FAuth now offers shortcuts to common actions.
- A user preference to set the timezone applied to dates and times displayed in the app.
#### New env vars
- `APP_TIMEZONE`: The timezone applied to dates and times recorded to database ([doc](https://docs.2fauth.app/getting-started/configuration/#app_timezone)).
- `AUTHENTICATION_LOG_RETENTION`: The authentication log retention time, in days ([doc](https://docs.2fauth.app/getting-started/configuration/#authentication_log_retention)).
- `PROXY_HEADER_FOR_IP`: Name of the HTTP header sent by a reverse proxy to pass the original visitor IP address ([doc](https://docs.2fauth.app/getting-started/configuration/#proxy_header_for_ip)).
### Changed
- `MAIL_DRIVER` env var renamed to `MAIL_MAILER`.
  This is not a breaking change as the former name is still supported. This is just to stick to Laravel defaults.
- NGINX server now also listens on IPv6 in Docker image ([#336](https://github.com/Bubka/2FAuth/issues/336)).
### Fixed
- [issue #192](https://github.com/Bubka/2FAuth/issues/192) `DB_DATABASE` path not respected by entrypoint script
- [issue #244](https://github.com/Bubka/2FAuth/issues/244) gauth qr code can't be imported
- [issue #255](https://github.com/Bubka/2FAuth/issues/255) Only one Webauthn Device functioning
- [issue #295](https://github.com/Bubka/2FAuth/issues/295) Add support for PHP 8.3
- [issue #331](https://github.com/Bubka/2FAuth/issues/311) Last admin can demote to user, leaving the instance administratorless
Hey Administrators, this release is for you: a brand new Admin Panel has arrived.
With this dedicated space, you will be able to manage admin settings previously located in the User Options view (like encryption, version check, registration). Some new settings are available to better control registration (email restrictions and self-ruling SSO) and two new features are coming: Email Configuration Testing and Cache Clearing.
But the real novelty is user management. All registered accounts are now searchable, the administrator role can be granted to any user, user access (password, personal token, security key/passphrase) can be revoked, and you may also delete existing users or even create new ones.
Note that the 2FAuth API has been updated with the new paths related to user management.
### Added
- A user preference to clear search results after copying a code ([#300](https://github.com/Bubka/2FAuth/issues/300)).
- A user preference to return to default group after copying a code ([#300](https://github.com/Bubka/2FAuth/issues/300)).
- The ability to submit a migration text directly in the Import view besides TXT files & QR codes loading ([#288](https://github.com/Bubka/2FAuth/issues/288)).
- An administrator setting to restrict registration to a limited range of email addresses ([#250](https://github.com/Bubka/2FAuth/issues/250)).
- An administrator setting to keep user registration via SSO enabled ([#317](https://github.com/Bubka/2FAuth/issues/317)).
- A test email feature to ensure email sending works as expected ([#307](https://github.com/Bubka/2FAuth/issues/307)).
- A Clear cache feature to... clear the cache, but from the browser ([#316](https://github.com/Bubka/2FAuth/issues/316)).
- User preferences & Environment variables have been moved from the About view to the new Administration panel ([#303](https://github.com/Bubka/2FAuth/issues/303)).
- Spaces are now removed from the Secret when filling out the Advanced form ([#311](https://github.com/Bubka/2FAuth/issues/311)).
Why? Because most of the changes are internal and come from the Vue 3 migration. I chose the long way, the one where all components had to be rewritten to adopt the new Vue Composition API and where the whole architecture has been rethought. Thus, despite all that work, almost nothing has changed on the surface.
But it was a necessary step, especially because Vue 2 will reach End Of Life at the end of 2023. Now 2FAuth is also better prepared for future enhancements.
The feature, bootstrapped by [@indyKoning](https://github.com/indykoning) with an OpenID provider, has been completed and now provides a GitHub provider as well. I plan to add more providers, tell me in the discussion which ones you would like to see. If you need help, the [docs site](https://docs.2fauth.app/security/authentication/sso/) has been updated to guide you through the setup process.
- Single Sign-On (SSO) is now available as an authentication method, with OpenID & GitHub. Contributed by [@indyKoning](https://github.com/indykoning) ([PR #243](https://github.com/Bubka/2FAuth/pull/243))
- The ability to reveal passwords obscured with dots. See the Options tab in Settings ([#208](https://github.com/Bubka/2FAuth/issues/208)).
- An env var to set a proxy for outgoing requests ([#252](https://github.com/Bubka/2FAuth/issues/252)).
### Changed
- Automatically signed-out users now land on the Login view instead of the Autolock view ([#138](https://github.com/Bubka/2FAuth/issues/138))
- User preferences that depend on another now appear indented
- Letters with diacritic marks are allowed in Group name ([#241](https://github.com/Bubka/2FAuth/issues/241))
- Request body threshold increased to 10 MB in the Docker image to allow importing large files ([#239](https://github.com/Bubka/2FAuth/issues/239))
### Removed
- [PR #247](https://github.com/Bubka/2FAuth/pull/247), [PR #248](https://github.com/Bubka/2FAuth/pull/248), [PR #249](https://github.com/Bubka/2FAuth/pull/249) Useless env var, thanks to [@rouilj](https://github.com/rouilj)
### Fixed
- [issue #253](https://github.com/Bubka/2FAuth/issues/253) 2FAs exports cannot be imported
- [PR #242](https://github.com/Bubka/2FAuth/pull/242) The Docker image now embeds the PostgreSQL PHP extensions, thanks to [@stavros-k](https://github.com/stavros-k)
### Fixed
- [PR #235](https://github.com/Bubka/2FAuth/pull/235) Fix broken build badge, thanks to [@sy-records](https://github.com/sy-records)
- An Only for the brave feature: ctrl + click a TOTP account from the main view automatically generates a password and copies it to the clipboard without displaying it at all. Will the password be valid at the time you paste it? Nobody knows 💀
- Navigation with the __Back__ and __Close__ buttons is now fully consistent with their labeling, even when browsing back through successive views using those buttons.
This new version introduces a very common feature in the 2FA app world, the automatic generation and display of passwords.
Since the very beginning, 2FAuth has offered an _Open, Click & Get one password_ behavior; this is one of the main reasons why I created it. But this can be very troublesome or frustrating for users migrating from other 2FA apps as almost all of them work with an _Open & Get passwords_ behavior, which is much more straightforward.
So this is now only a user choice as 2FAuth offers both behaviors via a user preference. Obviously, the _Open, Click & Get one password_ behavior remains the default one.
- [issue #180](https://github.com/Bubka/2FAuth/issues/180) OTP does not rotate while _Close after copy_ and _Copy on display_ is activated - By [@josh-gaby](https://github.com/josh-gaby)
- [issue #134](https://github.com/Bubka/2FAuth/issues/134), [#143](https://github.com/Bubka/2FAuth/issues/143), [#147](https://github.com/Bubka/2FAuth/issues/147) Issue with some Microsoft 2FA
- [issue #196](https://github.com/Bubka/2FAuth/issues/196) ERROR The [public/storage] link already exists
This is a first step mainly dedicated to internal changes, so the feature has been integrated gently. For now, almost nothing has changed around user management, except that registrations are opened to new users and some options are only available to the administrator.
This version also comes with nice additions. A light theme, an export feature or the support of custom base url just to name a few.
- Support of custom base URL. You can now install 2FAuth in a domain sub-directory, e.g. `https://mydomain/2fauth/` (see [Docs](https://docs.2fauth.app/getting-started/installation/self-hosted-server//#subdirectory))
⚠️ 2FAuth uses a new component to operate the WebAuthn authentication that cannot use existing registrations of your security devices. As a consequence, all your security devices will be revoked and the "Use Webauthn only" option will be disabled during the upgrade to avoid any issue and/or lockout. You will have to sign in using your email and password to re-register your security devices.
This release is a big step towards more accessibility. Keyboard navigation is now fully supported, with clean and consistent focus, and several UI components have received relevant ARIA properties to support assistive technologies.
It also provides a rewritten Import feature that supports new export formats (Aegis and 2FAS Authenticators) and more to come.
⚠️ This release should be the last that supports PHP 8.0
### Added
- An option to check for new releases on GitHub ([#127](https://github.com/Bubka/2FAuth/issues/127))
- An option to automatically copy One-Time Passwords when they are displayed ([#125](https://github.com/Bubka/2FAuth/issues/125))
- [Aegis](https://github.com/beemdevelopment/Aegis) and [2FAS](https://2fas.com/) export formats are now supported by the Import feature ([#128](https://github.com/Bubka/2FAuth/issues/128))
- (Partial) Spanish and Chinese (simplified) localizations
### Changed
- Password fields can reveal the password and inform about the password strength ([#124](https://github.com/Bubka/2FAuth/issues/124))
### Fixed
- [issue #126](https://github.com/Bubka/2FAuth/issues/126) HOTP counters are not updated after OTP generation
The [docker image](https://hub.docker.com/r/2fauth/2fauth) has been upgraded as well.
### Added
- An option to fetch icons automatically from [2factorauth/twofactorauth](https://github.com/2factorauth/twofactorauth) ([#99](https://github.com/Bubka/2FAuth/issues/99))
- An _About_ page, accessible from the footer ([#91](https://github.com/Bubka/2FAuth/issues/91))
- Support of Google Authenticator migration data: QR codes generated by the G-Auth export feature can be flashed/uploaded to import their data into 2FAuth. ([Import doc](https://docs.2fauth.app/usage/import), [#74](https://github.com/Bubka/2FAuth/issues/74))
- Partial support of STEAM TOTP. See the [Steam Guard doc](https://docs.2fauth.app/usage/steam-guard) for detailed information about this support ([#30](https://github.com/Bubka/2FAuth/issues/30))
### Changed
- Pages now have a unique title
- Signing in while already authenticated no longer displays the "_Already authenticated_" error message ([#88](https://github.com/Bubka/2FAuth/issues/88))
- The Auto lock feature now forwards to a dedicated page to ensure proper logout and prevent the CSRF token mismatch error (see [issue #73](https://github.com/Bubka/2FAuth/issues/73)) that still occurred in certain situations
### Fixed
- [issue #90](https://github.com/Bubka/2FAuth/issues/90) Empty page after deletion of all accounts
- [issue #97](https://github.com/Bubka/2FAuth/issues/97) Secret's format selector should not clear the locked field in edit form
- [issue #85](https://github.com/Bubka/2FAuth/issues/57), [issue #86](https://github.com/Bubka/2FAuth/issues/86) Invalid OTP generated after the 2FA account has been saved to db
This is a milestone in the 2FAuth development that greatly enhances 2FAuth under the hood and comes with a [brand new documentation](https://docs.2fauth.app/).
### New
- 2FAuth now exposes a REST API following the OpenAPI 3.1 specification that allows connection with third parties (see the [API doc](https://docs.2fauth.app/api/))
- Support of the _Web Authentication_ standard, aka WebAuthn, to login using a security device like a Yubikey or FaceID
- Support of authentication proxy to bypass the 2FAuth auth login
- Heroku setup to deploy 2FAuth using the _Deploy to Heroku_ button
#### Also added
- Ability to delete the user account and reset 2FAuth
- The content of any non-2FA QR code can be copied or followed (in case of an HTTP link)
- PHP 8.0 support
### Changed
- 2FAuth now uses the browser language preference by default.
- The current group is now clickable in the group selector
- Upgrade to Laravel 8
### Fixed
- [issue #45](https://github.com/Bubka/2FAuth/issues/45) Account or Service field containing colon breaks the Test feature in the advanced form
- [issue #47](https://github.com/Bubka/2FAuth/issues/47) Account creation fails when otpauth service parameter is missing
- [issue #50](https://github.com/Bubka/2FAuth/issues/50) Email password reset does not work
- [issue #51](https://github.com/Bubka/2FAuth/issues/51) Cannot delete a group with accounts (MySQL only)
- [issue #52](https://github.com/Bubka/2FAuth/issues/52) null "Default group" setting after group delete
- [issue #57](https://github.com/Bubka/2FAuth/issues/57) Can't save icons or upload QR codes - Docker installation
- Show Register/Login forms and their links only when relevant
- Let the user choose between all available submitting methods (livescan, qrcode upload, advanced form)
- Translations are now managed on [Crowdin.com/2fauth](https://crowdin.com/project/2fauth). You master some foreign languages? Why not help translate 2FAuth, your help would be welcome.
- QR Code scan using live stream when a camera is detected. Previous QR Code scanner remains available as fallback method or can be forced in Settings.