2FAuth already bumps to v8 because of the upgrade of the Laravel PHP framework it is built on.
Warning
One of the underlying components has changed the way authentication tokens are generated, so your personal access tokens will become invalid. This is, strictly speaking, a breaking change, but the impact is limited (not everyone uses PAT) and generating new tokens is not a big deal. I'm sorry about that nonetheless.
Despite the short time that has passed since v7, I found time to make two improvements to the user experience:
- You can now switch between groups without having to open the selection menu. Groups are displayed as chips directly below the search bar for quick switching. The groups displayed in the chips list are the ones you choose to make visible. A new option is available in the Group edit form to do so.
- Lengthy pages in the Settings and Admin sections now have a navigation menu that lets you scroll to the desired section. Don't be surprised — I took this opportunity to reorganize the Settings > Options page, as all the additions over time had made it a bit messy.
You can disable any of this from the Settings > Options page if you want to restore the previous behaviour.
This release also includes several security fixes, including one that affects authentication via a reverse proxy with the following consequence:
Warning
To ensure authentication at 2FAuth level, your auth proxy must now be identified as trusted with the TRUSTED_PROXIES environment variable.
Added
- Group switching can be done directly from the main view using chips
- The lengthy Settings and Admin pages now come with a quick navigation menu that lets you scroll directly to the desired section.
- The docker image is now tagged with shifting major and minor tags (#541).
New env vars
PHP_MEMORY_LIMIT_TEMP_OVERRIDE: Temporary PHP memory limit applied during QR code detection to prevent exhausted memory errors (doc).
Security fix
- Fix of a possible user impersonation and admin privilege escalation issue when using an authentication proxy (thx @Dokaoista).
- Fix of SSRF vulnerability via DNS rebinding during imageLink resource fetching (thx @5ud0er / Tarmo Technologies).
- Block IPv6 NAT64 addresses in SSRF guard (thx @tonghuaroot).
- Fix missing authorization on share recipients endpoint allowing cross-user account enumeration (thx @de3erve-hunter).
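The two SSRF entries above describe a guard that has to cover both DNS rebinding and NAT64 addresses. The sketch below is an added example, not 2FAuth's own code (2FAuth is PHP; this is Python for illustration). The function names and sample hostnames are hypothetical; the NAT64 prefixes come from RFC 6052 and RFC 8215.

```python
import ipaddress
import socket

# NAT64 prefixes: well-known (RFC 6052) and local-use (RFC 8215).
NAT64_PREFIXES = [ipaddress.ip_network("64:ff9b::/96"),
                  ipaddress.ip_network("64:ff9b:1::/48")]

# Constructed resolver answers (placeholder names, not real DNS data).
SAMPLE_DNS = {
    "img.example": ["8.8.8.8"],
    "nat64.example": ["64:ff9b::7f00:1"],           # NAT64 form of 127.0.0.1
    "mixed.example": ["8.8.8.8", "::ffff:127.0.0.1"],
}


def is_safe_address(ip_text):
    """True only for globally routable addresses that hide no IPv4 target."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6:
        # A NAT64 gateway forwards these to the embedded IPv4 address, and
        # 64:ff9b::/96 is registered as globally reachable, so a plain
        # private-range check lets it through. Reject it explicitly.
        if any(addr in net for net in NAT64_PREFIXES):
            return False
        if addr.ipv4_mapped is not None:            # ::ffff:a.b.c.d
            addr = addr.ipv4_mapped
    return addr.is_global


def system_resolver(host):
    """Hypothetical default resolver: every A/AAAA answer for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_and_pin(host, resolver=system_resolver):
    """Resolve once, validate every answer, return the IP to connect to.

    The caller must connect to the returned IP (sending the original name
    as Host/SNI) instead of resolving again, otherwise a second lookup can
    return a different, unchecked address (DNS rebinding).
    """
    answers = resolver(host)
    if not answers or not all(is_safe_address(a) for a in answers):
        raise ValueError(f"blocked destination for {host!r}")
    return answers[0]


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        try:
            print(name, "->", resolve_and_pin(name, SAMPLE_DNS.get))
        except ValueError as exc:
            print(name, "->", exc)
```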
Fixed
- issue #540 Scan/Import QR Code Not working
- issue #543 Scan/Import Google Authenticator QR Code
- issue #549 Unshare action in Manage mode does not remove sharing
- UI elements overlapping during transitions on Manage mode enter/leave