github nilsteampassnet/TeamPass 3.2.0.1

pre-release, 7 hours ago

What's Changed

This is a maintenance and security release on top of 3.2.0.0. It removes a third-party password library in favour of native PHP hashing, fixes the API token lifetime used by the browser extension, and includes installer and cleanup improvements.

Upgrading from 3.2.0.0 is recommended for all installations.

🚀 Pre-release Disclaimer: Version 3.2.0.1 is currently a pre-release. It has been heavily tested, but it now needs a real-world "baptism by fire" by the community. We strongly advise testing it in a non-production environment first.

Security

  • PasswordLib third-party dependency removed. Password hashing now relies exclusively on native PHP bcrypt through the built-in PasswordManager (Symfony PasswordHasher). This removes a large, unmaintained dependency (~68,000 lines of code) and reduces the supply-chain attack surface.

Fixes

  • API token duration is now interpreted in minutes. api_token_duration is computed as now + duration × 60, matching the browser extension's long-standing expectation. With the default value of 60, tokens now live 60 minutes instead of 60 seconds. A fallback of 60 and a 1440-minute (24 h) cap prevent instantly-expired tokens when the setting is missing or zero. This fixes browser-extension sessions that expired almost immediately after the 3.2.0.0 API hardening.
  • Clearer API authentication errors. The API now returns two distinct 401 responses: "Missing Authorization header" when no bearer token is sent, and "Invalid or expired token" when the JWT fails validation — letting clients tell a web-server/proxy configuration problem apart from a genuine token expiry.
  • Installer group ownership. (#5228) migrate_3.2.x.php now resolves the real web server group name via posix_getgrgid() on systems where the user and group names differ, and adds a new --web-group=GROUP option for explicit control.
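
The token-lifetime rule and the two 401 messages described in the fixes above, seen from an API client, as an added example that is not TeamPass code and does not come from the project. The function names, the ctx fields and the sample response body are assumptions, as is treating negative or non-numeric settings like a missing value.

```javascript
// Added example, not TeamPass code: models the rules stated in the release notes.
const FALLBACK_MINUTES = 60; // used when the setting is missing or zero
const CAP_MINUTES = 1440;    // 24 h upper bound

// Effective lifetime in minutes for a raw api_token_duration value.
// Assumption: negative and non-numeric values are handled like "missing".
function effectiveMinutes(rawSetting) {
  const n = Number.parseInt(rawSetting, 10);
  if (!Number.isFinite(n) || n <= 0) return FALLBACK_MINUTES;
  return Math.min(n, CAP_MINUTES);
}

// Expiry as a Unix timestamp in seconds: now + duration × 60.
function expectedExpiry(issuedAtSec, rawSetting) {
  return issuedAtSec + effectiveMinutes(rawSetting) * 60;
}

// Classify an API response for a client that tracks when its token was issued.
// Assumption: the 401 message text appears somewhere in the response body.
function diagnose(resp, ctx) {
  if (resp.status !== 401) return 'not-an-auth-failure';
  const body = String(resp.body ?? '');
  if (body.includes('Missing Authorization header')) {
    // If we did send the header, something between client and API dropped it.
    return ctx.sentBearer ? 'check-proxy-config' : 'client-sent-no-token';
  }
  if (body.includes('Invalid or expired token')) {
    const due = expectedExpiry(ctx.issuedAtSec, ctx.durationSetting);
    // A rejection before the expected expiry is not a normal timeout.
    return ctx.nowSec >= due ? 'expired-reauthenticate' : 'rejected-before-expiry';
  }
  return 'unrecognised-401';
}

// Constructed sample: token issued at t=1000 with the default setting of 60,
// rejected 90 seconds later (the body shape is made up for illustration).
const sample = { sentBearer: true, issuedAtSec: 1000, durationSetting: '60' };
console.log(diagnose(
  { status: 401, body: '{"error":"Invalid or expired token"}' },
  { ...sample, nowSec: 1090 }
));
```

A 'rejected-before-expiry' result on the default setting is what a client would observe if tokens were still expiring after 60 seconds rather than 60 minutes.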

Maintenance

  • Removed the obsolete password-migration tracking widget from the admin dashboard, the pw_legacy_bcrypt alias and warning icon from the users table, and the now-unused needs_password_migration database column (dropped via the 3.2.0 upgrade script).
  • Minor code cleanup in backups.queries.php and utilities.queries.php, and documentation updates (docs/install/upgrade.md --web-group option, ownership guidance).

Full Changelog

3.2.0.0...3.2.0.1

Important

  • Requires at least PHP 8.2

Languages

Please join the Teampass v3 translation project on Poeditor and translate it into your language.

Installation

Follow instructions from Documentation.

Upgrade

Follow instructions from Documentation.

Ideas and comments

Are welcome ... please use Discussions.

Download TeamPass
