github Bubka/2FAuth v6.0.0

7 hours ago

2FAuth’s (not so) Major Update is Here!

The project keeps moving forward gently but surely, as it always has. This major version introduces a lot of changes under the hood, and although the change log isn't that ridiculous (with a nice addition over icon packs, see below), there isn’t much to get excited about (Sorry folks, sharing is not yet available).

I wish I could have released this version earlier, but work has also kept me pretty busy. I hope the next version will come out faster.

A Unified Foundation for Web and Browser Extension

One of the biggest changes in this release is the complete restructuring of the codebase for both the web app and browser extension. Both frontends now share a common set of Vue.js components, making them more consistent and much easier to maintain and evolve. This architectural shift is why I’ve bumped the version number—it’s a major step forward.

I’ve done my best to avoid regressions, but with changes this extensive and despite all my tests, there’s always a risk some features might not behave as expected, even if they were stable before. If you notice anything amiss, please let me know by opening an issue.

If you are participating in translating 2FAuth, you have probably received notifications about a significant number of new translations. This is because I changed how translations are organized through files: there is now only one file per locale. I apologize for the additional workload this entails, but I couldn't avoid it. Hopefully, thanks to Crowdin's history feature, restoring your previous translations will be relatively quick. This is, by the way, a good opportunity to correct or complete them.

A Fresh Look with Lucide Icons

You’ll notice a subtle refresh to the web app’s interface. Just like the ones in the browser extension, all icons now come from the lucide.dev collection. This brings a touch of freshness and modernity to the application without changing it too much, as the Lucide collection is quite similar to FontAwesome, which was previously used.

Important notices

Warning

Possible APP_KEY issue with Docker
For security reasons, the Docker image is no longer built with the APP_KEY environment variable included.
If you never set your own APP_KEY var, i.e. via Docker-Compose or the docker run -e argument, your 2FAuth instance relies on the former default value SomeRandomStringOf32CharsExactly. Since the environment variable is no longer set at build time, you may experience a container startup error, followed by decryption issues or invalid access tokens.

How to fix
First, set APP_KEY with a personal unique value (How to). You can generate one using Laravel Encryption Key Generator.
Next, set the APP_PREVIOUS_KEYS env var with the former default value, like so: APP_PREVIOUS_KEYS=SomeRandomStringOf32CharsExactly.
Finally, restart your container.

Updating protected data
Setting up APP_PREVIOUS_KEYS will not update the encryption of protected DB records or personal tokens. You will have to disable data encryption at Admin Panel > Security, then re-enable it for the new encryption key to be used. Existing tokens should be revoked.

Remember to back up your database before making any changes.
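
The check and fix from this notice, as an added example that is not part of the release notes or the 2FAuth code base: a shell script that reads a KEY=value env file, reports whether APP_KEY is unset or still the former default, and prints the two settings from "How to fix". The function names, the env-file layout and the sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not 2FAuth project code. Function names are hypothetical.
FORMER_DEFAULT='SomeRandomStringOf32CharsExactly'   # value quoted in the notice

# Last value assigned to variable $1 in env file $2, surrounding quotes stripped.
env_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify an env file: missing | default | secret_file | ok
app_key_status() {
    key=$(env_value APP_KEY "$1")
    if [ "$key" = "$FORMER_DEFAULT" ]; then
        echo default        # the publicly documented key is still in use
    elif [ -n "$key" ]; then
        echo ok
    elif [ -n "$(env_value APP_KEY_FILE "$1")" ]; then
        echo secret_file    # key comes from a docker secret, not checked here
    else
        echo missing        # instance relied on the build-time default
    fi
}

# 32 random alphanumeric characters, the same shape as the former default.
new_app_key() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# The two settings from "How to fix", for new key $1.
fix_lines() {
    printf 'APP_KEY=%s\nAPP_PREVIOUS_KEYS=%s\n' "$1" "$FORMER_DEFAULT"
}

# Constructed sample: an env file whose operator never set APP_KEY.
sample=$(mktemp)
printf 'APP_NAME=2FAuth\nAPP_ENV=local\n' > "$sample"
status=$(app_key_status "$sample")
echo "APP_KEY status: $status"
case $status in
    missing|default) fix_lines "$(new_app_key)" ;;
esac
rm -f "$sample"
```

A status of missing or default means the instance's data was protected with the former default key, so the steps under "Updating protected data" still apply after the new key is in place.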

And last but not least:

Warning

This version drops PHP 8.3 support


Added

  • 2FAuth can now fetch icons from offline icon packs. Visit the new Icon documentation page to learn how to set them up (#203).
  • The sort order of 2FA accounts is saved to user preferences when changed from the Manage mode. This allows the account list to be reordered automatically after a new account is registered. (#377).
  • Groups can be reordered (manually, from the Group management view) (#419).
  • A new filter is available to only show 2FA accounts that do not belong to any group (#430).
  • The Import feature now supports Bitwarden export (#501).

New env vars

  • APP_KEY_FILE: Suffixed version of the APP_KEY environment variable to be used in conjunction with a docker secret (doc).
  • APP_PREVIOUS_KEYS: Lists all application's former encryption keys to ensure data decryption after a key rotation (doc).

Changed

  • PR #366 Separate env variables to a separate env file for docker compose, thanks to @sinipelto
  • Group names now accept single quote (#465).
  • Upon logging out, users are now redirected to the last login form they used: Password, SSO or Webauthn. (#478).
  • Catchable errors that occur during the sending of a test email are now displayed in the UI to help you understand what's going on.

Fixed

  • issue #447 Unable to import Google Authenticator.
  • issue #464 Import error not correctly reported in the GUI.
  • issue #481 HASH_DRIVER not working with argon with OID.
  • issue #495 2FA.directory polluted by selfho.st call.
  • issue #508 OpenID from new browser doesn't work - Email address already exists.
  • Remaining loader after 422 response on login request.
  • Missing Group selection in the advanced form after a QR code upload.
  • Disabling the Remember active group user preference could lead to always returning to the last memorized group.

API [1.9.0]

  • /api/v1/icons/packs GET path added (doc).
  • /api/v1/groups/reorder POST path added (doc).
  • Add missing orderedIds property in /api/v1/twofaccounts/reorder POST response.
