v2.4.2
Code quality release: clean analyzer warnings, strict-warnings build, and a coverage baseline. No behavior changes — passkey, TOTP, OIDC, lockout, sessions, audit log all unchanged. In-place upgrade.
Warnings cleanup
- Audited 320 analyzer warnings, distinguished perf hints from correctness signals, and addressed every one.
- Pure perf-only Roslyn rules (
CA1848LoggerMessage delegates,CA1822static-member,CA1805default-init,CA1845span-Concat,CA1865char-overload,CA1859concrete-type,CA1869cached JsonSerializerOptions) are silenced in.editorconfigwith documented justifications — none affect correctness, all would force several hundred lines of boilerplate or API churn for negligible runtime impact. Microsoft's owndotnet/runtimedoes the same. - Correctness / clarity warnings fixed in source:
CA1001—OidcLoginTokenStoreandOidcServicenow implementIDisposableso their cleanup timers release on container shutdown (previously leaked the timer handle for the process lifetime).CA1305— everyint.ToString()/ToString("D6")on the request path now passesCultureInfo.InvariantCultureso HTTPRetry-Afterheaders and OTP codes aren't locale-formatted.CA2249—IndexOf(s, …) >= 0substring probes (webhook URL detection, IPv4-vs-IPv6 disambiguation) switched to.Contains(s, …).CA1835— request-body byte-buffer read switched to theMemory<byte>overload ofStream.ReadAsync.CA2012— adminRevokeSessionendpoint now awaits theValueTaskreturned byISessionManager.ReportSessionEndedinstead of silently dropping it.CA1806—Guid.TryParseresult discarded explicitly via_ = …so the intent is visible.CA1725—PluginServiceRegistrator.RegisterServicesparameter names now matchIPluginServiceRegistrator.CA1711—AuthenticationEventHandlerkeeps its name with a documented[SuppressMessage].CA5350— SHA-1 use inHibpService.ComputeSha1Hexis now annotated with a per-symbol[SuppressMessage]linking to the HIBP k-anonymity protocol spec (SHA-1 is mandated by the public API, not a security boundary).
Strict warnings
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>enabled on the main plugin project. From now on, any new analyzer warning fails the build.
Coverage baseline
- Code coverage now measured on every test run via
coverlet.collector. Current coverage: 7.8% lines (606/7796), 6.6% branches. This is the baseline; growing it is on the v2.5+ roadmap. The existing 150 xUnit tests focus on service classes (TOTP, recovery codes, challenge store, HIBP, bypass evaluator, cookie signer); controllers and middleware are under-tested.
Upgrade
In-place upgrade. No config or behavior changes.
Package checksums
- MD5: see
Jellyfin.Plugin.TwoFactorAuthv2.4.2.0.md5 - SHA256: see
Jellyfin.Plugin.TwoFactorAuthv2.4.2.0.sha256
Sigstore-signed zip — verify with cosign verify-blob.