v2.4.1
Bugfix release on top of v2.4.0 plus the WebAuthn library bump that was deferred from v2.4.
Bugfix: half-enrollment lockout
A user who clicked Begin Setup on the Setup page and navigated away without confirming a TOTP code could end up locked out: TotpEnabled was set immediately, so the next sign-in tried to challenge them, but TotpVerified was still false, so no TOTP method was offered — the challenge fell through to email-only, which doesn't help if SMTP isn't configured. Reproduced reliably with EnforcementScope = All + a fresh second account.
Fixed in three places, belt-and-suspenders:
SetupTotpand the forced-enrollmentBeginForcedTotpEnrollmentendpoints no longer flipTotpEnabledto true. The flag is only set whenConfirmTotpsuccessfully verifies a code, so backing out leaves the account in a clean state.- The auth-time middleware gate now checks
TotpEnabled && TotpVerified(or "has a passkey") instead ofTotpEnabledalone. This rescues any account that was already half-enrolled under v2.4.0 — on the next sign-in it reads as "no 2FA" and follows the configuredEnforcementScopepolicy correctly. TwoFactorAuthProvider.Authenticategot the same treatment, plus it now honoursEnforcementScope(Optional / Admins-only / All) instead of the legacyRequireForAllUsersflag.
Fido2NetLib 3.0.1 → 4.0.1
Upgrades the WebAuthn library to the actively-maintained 4.x line. Existing passkeys keep working unchanged. Internally:
- New params-object API (
RequestNewCredentialParams,MakeNewCredentialParams,GetAssertionOptionsParams,MakeAssertionParams) replaces the positional-argument signatures. - Return types renamed (
AttestationVerificationSuccess→RegisteredPublicKeyCredential,AssertionVerificationResult→VerifyAssertionResult) with cleaner property names (Id/SignCount/AaGuidinstead ofCredentialId/Counter/Aaguid). - Verification failure is now signalled via
Fido2VerificationExceptionrather than a string-typedresult.Statuscheck. - WebAuthn Level 3 fields (backup eligibility, attestation format, transports) are surfaced for policy work in future versions.
The fat package now ships three new transitive dependencies: NSec.Cryptography.dll (native libsodium-backed ed25519), System.Formats.Cbor.dll (in-box CBOR decoder Fido2 4.0 calls into), and Microsoft.Bcl.Memory.dll (Base64Url helpers). They get listed in the plugin manifest's Assemblies array.
Admin UI
The new EnforcementScope dropdown introduced in v2.4.0 is now styled like the rest of the settings page (was rendering as borderless text — hard to spot as a clickable control).
Upgrade
In-place upgrade. No migration. Users who got stuck on v2.4.0 with TotpEnabled=true, TotpVerified=false are automatically un-stuck on next sign-in by the middleware gate change — no manual cleanup needed.
Package checksums
- MD5: see
Jellyfin.Plugin.TwoFactorAuthv2.4.1.0.md5 - SHA256: see
Jellyfin.Plugin.TwoFactorAuthv2.4.1.0.sha256
Sigstore-signed zip — verify with cosign verify-blob.