github paolostivanin/OTPClient v5.0.0-alpha3

pre-release, 6 hours ago

Changes since alpha2

Security

  • Fix heap buffer overflow in AuthPro export (a 16-byte IV/nonce was written into a 12-byte buffer)
  • Replace memset with explicit_bzero for wiping sensitive data (a memset immediately before free is a dead store the compiler may drop)
  • Use constant-time password comparison in lock screen
  • Add G_FILE_CREATE_PRIVATE to main database writes (file is created readable by the current user only, mode 0600 on Unix)
  • Fix secure memory misuse in URI parser where g_file_get_contents overwrote a pointer returned by gcry_calloc_secure, leaking the secure buffer and leaving the file contents in ordinary heap memory
  • Use gcry_calloc_secure for import password in import dialog
  • Clear password entry widgets after consuming passwords
  • Mitigate TOCTOU in password file symlink check by comparing the inode of the checked path with that of the file actually opened
  • Raise KDF minimum parameters (iterations >= 2, memory >= 64 MiB)
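Three of the patterns in the list above (constant-time comparison, a wipe the optimiser cannot remove, and a symlink check that survives the lstat/open race) in portable POSIX C. This is an added example, not OTPClient's code; the function names and the /tmp paths used by the demo are our own.

```c
/* Added example, not OTPClient's code: three hardening patterns in POSIX C. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1. Constant-time comparison of two equal-length buffers (hashes, derived
 *    keys). Every byte is visited and differences are OR-accumulated, so the
 *    running time does not reveal the position of the first mismatch. */
int ct_equal(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];
    return diff == 0;
}

/* 2. A wipe the optimiser cannot delete. memset() of a buffer that is freed
 *    right afterwards is a dead store and is routinely removed; calling memset
 *    through a volatile function pointer forces the call to happen.
 *    glibc's explicit_bzero() is the library form of the same idea. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;
void secure_wipe(void *p, size_t n)
{
    memset_fn(p, 0, n);
}

/* 3. TOCTOU-resistant open of a password file. lstat() and open() are two
 *    separate calls; between them the path can be swapped for a symlink to a
 *    file of the attacker's choosing. O_NOFOLLOW refuses a symlink at open
 *    time, and comparing device+inode of what was checked against what was
 *    actually opened catches any other substitution. Returns an fd or -1. */
int open_password_file(const char *path)
{
    struct stat checked, opened;
    if (lstat(path, &checked) != 0 || !S_ISREG(checked.st_mode))
        return -1;                      /* symlink, directory, FIFO: refuse */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &opened) != 0 || !S_ISREG(opened.st_mode) ||
        opened.st_dev != checked.st_dev || opened.st_ino != checked.st_ino) {
        close(fd);
        return -1;                      /* not the file we inspected */
    }
    return fd;
}

/* Demo: create a regular file and a symlink to it under /tmp, then check that
 * the file opens and the symlink is refused. Returns 1 on success. */
int demo_symlink_refused(void)
{
    char file[] = "/tmp/otpc_pw_XXXXXX", link[] = "/tmp/otpc_ln_XXXXXX";
    int fd = mkstemp(file);
    if (fd < 0) return 0;
    close(fd);
    int lfd = mkstemp(link);            /* reserve a unique name for the link */
    if (lfd < 0) { unlink(file); return 0; }
    close(lfd);
    unlink(link);
    int ok = symlink(file, link) == 0;
    int direct = open_password_file(file);
    int via_link = open_password_file(link);
    ok = ok && direct >= 0 && via_link == -1;
    if (direct >= 0) close(direct);
    unlink(link);
    unlink(file);
    return ok;
}

int main(void)
{
    unsigned char stored[32], entered[32];
    memset(stored, 0x5a, sizeof stored);
    memcpy(entered, stored, sizeof entered);
    printf("match: %d\n", ct_equal(stored, entered, sizeof stored));
    entered[31] ^= 1;
    printf("mismatch: %d\n", ct_equal(stored, entered, sizeof stored));
    secure_wipe(entered, sizeof entered);
    printf("symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```

ct_equal is meant for fixed-length values such as a KDF output or a hash, which is how a lock screen should compare passwords anyway; comparing variable-length plaintext passwords leaks their length through the loop bound.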

New Features

  • Add clipboard auto-clear with configurable timeout (default 30s)
  • Add column sorting (Account/Issuer) via click-to-sort headers
  • Add undo toast (5s) after token deletion
  • Add cross-database search: when Secret Service stores all database passwords, Ctrl+F and desktop search (GNOME/KDE) now return results from every database. Cross-DB entries show a [DB Name] badge and are read-only
  • Add Welcome dialog on first launch and What's New dialog on major/minor version upgrades
  • Add settings import/export via CLI (--export-settings, --import-settings) and GUI (Backup group in Settings)
  • Disable Secret Service by default and clarify its purpose (fixes #431)

UX Improvements

  • Auto-focus password entry when unlock dialog is shown
  • Add inline password fields to import/export dialogs so encrypted imports actually work in the GUI
  • Add confirm password entry with mismatch validation in export dialog
  • Fix sidebar always showing on startup by respecting saved GSettings state
  • Add SHA1 deprecation warning banner in manual-add dialog
  • Add visible error feedback in KDF parameter dialog
  • Add tooltip to settings menu button for accessibility

Drag and Drop

  • Reimplement DnD with gtk_widget_pick and correct row detection
  • Add visual drop indicator line between rows
  • Disable reordering while search filter is active

Bug Fixes

  • Fix wrong error variable in 2FAS decrypt/tag error messages
  • Fix NULL dereference in FreeOTP export when g_file_replace fails
  • Add NULL checks for missing JSON fields in Aegis, 2FAS, and get-data imports
  • Add json_dumpb return value check in Aegis export to prevent buffer overflow
  • Fix GDateTime leak in TOTP validity calculation
  • Add bounds check in 2FAS decrypt to prevent integer underflow
  • Fix memory leaks in 2FAS import (IV on cipher error, json_data on decrypt/tag failure)
  • Add fsync after database writes to prevent corruption on power loss
  • Clamp TOTP period to 1-300s range in URI parser
  • Validate HOTP counter is non-negative on import
  • Fix popover lifecycle warnings ("Broken accounting of active state")
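The three import-side checks named above (TOTP period clamp, non-negative HOTP counter, and a length check before subtracting the authentication tag) as stand-alone C. This is an added example, not OTPClient's code; the 16-byte tag length and the function names are assumptions for illustration.

```c
/* Added example, not OTPClient's code: input validation for imported tokens. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TOTP_PERIOD_DEFAULT 30   /* RFC 6238 default step */
#define TOTP_PERIOD_MIN 1
#define TOTP_PERIOD_MAX 300
#define AEAD_TAG_LEN 16          /* assumption: 16-byte tag appended to the ciphertext */

/* Parse the period= parameter of an otpauth:// URI. Missing or non-numeric
 * values fall back to the default; numeric values are clamped to 1..300 s, so
 * a hostile URI cannot force a zero period (division by zero in time/period)
 * or an absurd one. */
long parse_totp_period(const char *value)
{
    if (value == NULL || *value == '\0')
        return TOTP_PERIOD_DEFAULT;
    char *end;
    errno = 0;
    long period = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0')
        return TOTP_PERIOD_DEFAULT;
    if (period < TOTP_PERIOD_MIN) return TOTP_PERIOD_MIN;
    if (period > TOTP_PERIOD_MAX) return TOTP_PERIOD_MAX;
    return period;
}

/* Parse a HOTP counter from an import. strtoull() silently accepts "-1" and
 * wraps it to 2^64-1, so parse as signed and reject negatives explicitly,
 * together with overflow and trailing junk. Returns false on any rejection. */
bool parse_hotp_counter(const char *value, uint64_t *out)
{
    if (value == NULL || *value == '\0') return false;
    char *end;
    errno = 0;
    long long counter = strtoll(value, &end, 10);
    if (errno != 0 || *end != '\0' || counter < 0) return false;
    *out = (uint64_t)counter;
    return true;
}

/* Split an encrypted blob into ciphertext and trailing tag. The naive
 * `ct_len = len - AEAD_TAG_LEN` underflows to a huge size_t when the blob is
 * shorter than the tag, and the decryptor then reads far past the buffer. */
bool split_ciphertext_and_tag(const uint8_t *blob, size_t len,
                              const uint8_t **tag, size_t *ct_len)
{
    if (blob == NULL || len < AEAD_TAG_LEN) return false;
    *ct_len = len - AEAD_TAG_LEN;
    *tag = blob + *ct_len;
    return true;
}

int main(void)
{
    uint64_t counter;
    const uint8_t *tag;
    size_t ct_len;
    uint8_t tiny[8] = {0};                         /* constructed: shorter than the tag */
    printf("period '0' -> %ld, '9999' -> %ld, 'abc' -> %ld\n",
           parse_totp_period("0"), parse_totp_period("9999"), parse_totp_period("abc"));
    printf("counter '-1' accepted: %d\n", parse_hotp_counter("-1", &counter));
    printf("8-byte blob accepted: %d\n", split_ciphertext_and_tag(tiny, sizeof tiny, &tag, &ct_len));
    return 0;
}
```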
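The fsync fix above, combined with the private-file creation from the Security section, in one database save routine: the file is 0600 from the instant it exists, the data is fsync'd before it becomes visible, the replace is an atomic rename, and the directory is fsync'd so the rename itself is durable. This is an added example in POSIX C, not OTPClient's code (OTPClient does this through GLib's GFile API); the function names are our own.

```c
/* Added example, not OTPClient's code: private, crash-safe database writes. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

static int write_all(int fd, const unsigned char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* fsync the directory containing `path` so the rename entry is on disk too. */
static int fsync_parent_dir(const char *path)
{
    char dir[PATH_MAX];
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;
    if (n == 0) {
        strcpy(dir, slash ? "/" : ".");
    } else {
        if (n >= sizeof dir) { errno = ENAMETOOLONG; return -1; }
        memcpy(dir, path, n);
        dir[n] = '\0';
    }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    int rc = fsync(dfd);
    close(dfd);
    return rc;
}

/* Replace `path` with `len` bytes of `data`. Returns 0 on success, -1 (errno
 * set) on failure; any failure before the rename leaves the old file intact. */
int save_database_atomically(const char *path, const unsigned char *data, size_t len)
{
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp opens O_CREAT|O_EXCL with mode 0600: no window where the new
     * file is readable by other users or could be a pre-planted symlink. */
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int rc = 0;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) rc = -1;  /* explicit 0600, independent of umask */
    if (rc == 0 && write_all(fd, data, len) != 0) rc = -1;
    if (rc == 0 && fsync(fd) != 0) rc = -1;           /* data on disk before it becomes visible */
    if (close(fd) != 0) rc = -1;
    if (rc == 0 && rename(tmp, path) != 0) rc = -1;   /* atomic: readers see old or new, never partial */
    if (rc != 0) {
        int saved = errno;
        unlink(tmp);
        errno = saved;
        return -1;
    }
    return fsync_parent_dir(path);
}

/* 1 if `path` is a regular file readable and writable by its owner only. */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

int main(void)
{
    const unsigned char db[] = "constructed sample: encrypted database bytes";
    const char *path = "/tmp/otpc_example.db";
    int rc = save_database_atomically(path, db, sizeof db);
    printf("saved: %d, private: %d\n", rc, is_private_regular_file(path));
    unlink(path);
    return rc == 0 ? 0 : 1;
}
```

Without the rename step, a crash between truncating the old file and finishing the write leaves an empty or partial database; without the directory fsync, the rename can be lost on power failure even though the file contents were flushed.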

Performance

  • Cache CSS provider color to avoid reloading CSS every second
  • Cache lowercased search text in filter to avoid per-item reallocation
  • Add 5-second TTL cache in search provider to avoid full DB reload per query

Docs

  • Fix appdata encryption description (PBKDF2 -> Argon2id)

sha256: a2e5614f642fc16c43133a20e3d969b641961db7007645339f01bd246d6737ca
