Release note for 3.2.0.3
What's Changed
Stabilization and security-hardening release for the 3.2 line. It focuses on a comprehensive API security overhaul, stored-XSS fixes across the UI/API/logs, a richer Knowledge Base editor, real-time presence improvements, and a series of upgrade and bug fixes (Docker migration, LDAP, uploads, folder counters).
Security
- API hardening:
  - Reject disabled/deleted users and revoked API rights on every request; audit logging for API authentication (failed/successful) with tp_src=api.
  - Stronger JWT lifecycle: per-token API sessions, per-request re-authorization, iss/aud claims, and POST /api/auth/logout to revoke a token immediately.
  - REST conformity: RFC 9457 application/problem+json error envelope, correct status codes (405 with Allow header, 422 validation, 429 rate limit), security headers and CORS handling.
  - API rate limiting (api_rate_limit_per_minute), optional HTTPS enforcement (api_require_https), and connected-users detection/revocation now based on per-token api_sessions.
- Stored XSS fixed across the web UI, API and log tables; Knowledge Base HTML now sanitized with HTMLPurifier; hardened rich-HTML handling.
- Custom field role visibility (#5176): fields restricted by role are no longer returned or decrypted for users who don't hold the role, on both the web item card and the API.
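The API hardening items above (per-token sessions, per-request re-authorization, iss/aud claims, immediate revocation on logout, and RFC 9457 error responses) fit together as follows. This is an added example written for this note, not Teampass code: it assumes HS256 tokens signed with one shared secret, an in-memory array standing in for the api_sessions table keyed by the token's jti claim, and hypothetical constant and function names.

```php
<?php
declare(strict_types=1);
// Added example, not Teampass code. Assumed: HS256 tokens, one shared secret,
// and an in-memory array standing in for the api_sessions table keyed by jti.

const API_ISSUER   = 'https://teampass.example.com';      // assumed value
const API_AUDIENCE = 'teampass-api';                       // assumed value
const API_SECRET   = 'replace-with-a-32-byte-random-key';  // assumed value

// Base64url as JWTs use it (RFC 7515).
function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    $pad = strlen($data) % 4;
    return (string) base64_decode(strtr($data, '-_', '+/') . ($pad ? str_repeat('=', 4 - $pad) : ''), true);
}

// Mint a token bound to one API session; jti is the session key.
function issue_token(int $userId, string $jti, int $ttl, array &$sessions): string
{
    $now = time();
    $h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = b64url_encode(json_encode(['iss' => API_ISSUER, 'aud' => API_AUDIENCE,
        'sub' => $userId, 'iat' => $now, 'exp' => $now + $ttl, 'jti' => $jti]));
    $s = b64url_encode(hash_hmac('sha256', "$h.$p", API_SECRET, true));
    $sessions[$jti] = ['user_id' => $userId, 'revoked' => false];
    return "$h.$p.$s";
}

// POST /api/auth/logout: flag the session so the token dies on the next
// request, however much time is left on exp.
function logout(string $jti, array &$sessions): void
{
    if (isset($sessions[$jti])) {
        $sessions[$jti]['revoked'] = true;
    }
}

// Per-request re-authorization: signature, alg, iss/aud/exp, then the live
// session row and the user's current state. Throws with the reason on failure.
function authorize(string $token, array $sessions, array $users): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected alg');   // refuses alg=none and key confusion
    }
    $expected = hash_hmac('sha256', "$h.$p", API_SECRET, true);
    if (!hash_equals($expected, b64url_decode($s))) {
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)
        || ($claims['iss'] ?? null) !== API_ISSUER       // minted by this server
        || ($claims['aud'] ?? null) !== API_AUDIENCE     // and meant for this API
        || ($claims['exp'] ?? 0) <= time()) {
        throw new RuntimeException('claims rejected');
    }
    $session = $sessions[$claims['jti'] ?? ''] ?? null;
    if ($session === null || $session['revoked']) {
        throw new RuntimeException('session revoked');
    }
    $user = $users[$claims['sub'] ?? -1] ?? null;
    if ($user === null || $user['disabled'] || $user['deleted'] || !$user['api_allowed']) {
        throw new RuntimeException('user not permitted');
    }
    return $claims;
}

// RFC 9457 problem document; extra headers carry Allow, Retry-After or
// WWW-Authenticate as the status requires.
function problem(int $status, string $title, string $detail, array $headers = []): void
{
    http_response_code($status);
    header('Content-Type: application/problem+json');
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
    echo json_encode(['type' => 'about:blank', 'title' => $title,
                      'status' => $status, 'detail' => $detail]), "\n";
}

// Demo on constructed data: the token is accepted once, then logout kills it.
$sessions = [];
$users    = [42 => ['disabled' => false, 'deleted' => false, 'api_allowed' => true]];
$jti      = bin2hex(random_bytes(16));
$token    = issue_token(42, $jti, 900, $sessions);
try {
    authorize($token, $sessions, $users);   // accepted
    logout($jti, $sessions);                // same effect as POST /api/auth/logout
    authorize($token, $sessions, $users);   // rejected: session revoked
} catch (RuntimeException $e) {
    problem(401, 'Unauthorized', $e->getMessage(), ['WWW-Authenticate' => 'Bearer']);
}
```

The same problem() helper covers the other statuses the note lists: a 405 is sent with an Allow header naming the permitted methods, a 429 with Retry-After, and a 422 with a detail describing which field failed validation. The point of checking the session row and the user's disabled/deleted/API-rights flags on every request, rather than trusting exp alone, is that revoking a token or a user takes effect immediately instead of at token expiry.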
Knowledge Base
- Rich text editing on the KB page, with safe HTML sanitization.
- Real-time KB edit lock, so concurrent edits are signalled to other users.
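The HTMLPurifier sanitization mentioned in the Security and Knowledge Base sections above, together with the plain-text encoding that stored XSS in log tables calls for, looks like this in practice. This is an added example, not Teampass code: it assumes the ezyang/htmlpurifier package is installed through Composer, and the allowlist below is a reasonable policy for a KB page rather than the project's actual configuration; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not Teampass code. Assumes ezyang/htmlpurifier via Composer;
// the allowlist is an illustrative KB policy, not Teampass's configuration.
require __DIR__ . '/vendor/autoload.php';

// One purifier for rich KB text: explicit element/attribute allowlist, only
// http/https/mailto link targets, and a cache directory so repeated saves
// do not rebuild the definition each time.
function kb_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'p,br,h2,h3,b,strong,i,em,u,ul,ol,li,blockquote,pre,code,'
        . 'a[href|title],table,thead,tbody,tr,th,td');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('AutoFormat.RemoveEmpty', true);
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

// Rich HTML field: sanitize on write so what is stored is already safe, and
// again on read for rows written before the sanitizer existed.
function sanitize_kb_html(string $untrusted): string
{
    static $purifier = null;
    $purifier ??= kb_purifier();
    return $purifier->purify($untrusted);
}

// Plain-text field rendered into an HTML table (log entries, labels, user
// names): it must never be interpreted as markup, so encode rather than purify.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed stored-XSS probes of the kind this release closes.
$kbInput = '<h2>Runbook</h2><script>alert(document.cookie)</script>'
    . '<p onmouseover="alert(1)">Rotate <b>keys</b> monthly.</p>'
    . '<a href="javascript:alert(2)">link</a> <a href="https://example.org/">docs</a>'
    . '<img src=x onerror="alert(3)">';
$logLabel = 'item <img src=x onerror=alert(4)> "prod-db"';

// The script element and its body, the inline event handlers, the javascript:
// URL and the img (not in the allowlist) do not survive purification; the
// headings, text, bold and the https link do.
echo sanitize_kb_html($kbInput), "\n";

// The log label is emitted as inert text inside its table cell.
echo '<td>' . html_text($logLabel) . "</td>\n";
```

The split matters: a purifier is the right tool for a field that is meant to carry HTML (the KB body), while every field that is meant to be text (log tables, item labels, user display names) is output-encoded for the context it lands in. Running an allowlisting purifier over text fields would silently accept markup that should never have been there.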
Real-time (WebSocket)
- User display name propagated to WebSocket events, notifications and connection data for clearer presence/lock messages.
- Presence for an item being viewed is resumed after navigation, so the "who is viewing this item" indicator does not drop out.
Fixes & improvements
- #5176: API item read no longer returns HTTP 500 (custom-field visibility regression).
- #5205: Support comma-separated LDAP user object filters.
- #5220: Clearing an item password in the web UI now works correctly.
- #5221: Folder tree counters refresh on item add/delete/move.
- #5234: Raise nginx-proxy upload limit to prevent 413 on uploads/backups.
- #5238: Fix Docker on-premise migration blockers (install-dir, version detection, permissions).
- Renewal period: corrected expiration logic, refreshed page layout, and fixed the duration unit label (months → days).
- Background tasks are now diagnosable and the cron health check is fixed.
- Cache rebuild hardened against items with a missing folder.
- PHPStan level 4 fixes and additional unit test coverage (personal-folder root filter).
Full Changelog
Important
- Requires at least PHP 8.2
Languages
Please join Teampass v3 translation project on Poeditor and translate it for your language.
Installation
Follow instructions from Documentation.
Upgrade
Follow instructions from Documentation.
Ideas and comments
Are welcome ... please use Discussions.