thorsten / phpMyFAQ

phpMyFAQ - Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases
https://www.phpmyfaq.de
Mozilla Public License 2.0
585 stars 254 forks

build(deps): bump robthree/twofactorauth from 2.1.0 to 3.0.0 #2967

Closed dependabot[bot] closed 4 months ago

dependabot[bot] commented 4 months ago

Bumps robthree/twofactorauth from 2.1.0 to 3.0.0.

Release notes

Sourced from robthree/twofactorauth's releases.

v3.0.0

A lot of cleaning up and improvements across the board.

For a full breakdown of the key changes, including all the backwards incompatible changes, have a read of the official changelog

What's Changed

Full Changelog: https://github.com/RobThree/TwoFactorAuth/compare/v2.1.0...v3.0.0

Changelog

Sourced from robthree/twofactorauth's changelog.

RobThree\TwoFactorAuth changelog

Version 3.x

Breaking changes

PHP Version

Version 3.x requires at least PHP 8.2.

Constructor signature change

In order to ensure users of this library make a conscious choice of QR Code Provider, the QR Code Provider is now a mandatory argument, in first place.

If you didn't provide one explicitly before, you can get the old behavior with:

<?php
use RobThree\Auth\TwoFactorAuth;
use RobThree\Auth\Providers\Qr\QRServerProvider;

// The QR Code Provider is now the mandatory first argument; QRServerProvider was the implicit default in 2.x.
$tfa = new TwoFactorAuth(new QRServerProvider());

If you provided one before, the order of the parameters has been changed, so simply move the QRCodeProvider argument to the first place or use named arguments.

Documentation on selecting a QR Code Provider is available here: QR Code Provider documentation.

Default secret length

The default secret length has been increased from 80 bits to 160 bits (RFC 4226), PR #117. This might cause an issue in your application if you were previously storing secrets in a column with a restricted size. This change doesn't impact existing secrets; only new ones will get longer.

Previously a secret was 16 characters, now it needs to be stored in a 32 characters width column.

You can keep the old behavior by passing 80 as the argument to createSecret() (not recommended, see #117 for further discussion).
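The two breaking changes above (provider-first constructor and the 160-bit default secret) in one script, as an added example that is not part of this PR, of phpMyFAQ, or of the library's own documentation. It assumes the 3.x constructor takes the provider as its first positional argument with `issuer` available as a named argument, and that `createSecret()`, `getCode()` and `verifyCode()` keep the signatures shown; the `secretFitsColumn()` helper and the `example-faq` issuer are constructed for the example.

```php
<?php
// Added example: migrating a 2.x call site to the 3.x constructor and checking
// that the longer default secret still fits the storage column.
// Assumptions: provider-first constructor, named `issuer` parameter,
// createSecret(int $bits), getCode(string $secret), verifyCode(string $secret, string $code).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use RobThree\Auth\TwoFactorAuth;
use RobThree\Auth\Providers\Qr\QRServerProvider;

// Provider first (positional); the rest by name so the reordered parameter
// list in 3.x cannot silently shift an argument into the wrong slot.
$tfa = new TwoFactorAuth(new QRServerProvider(), issuer: 'example-faq');

// 3.x default: 160 bits. Base32 encodes 5 bits per character, so
// 160 / 5 = 32 characters; the old 80-bit default produced 16.
$secret = $tfa->createSecret();

// Legacy length kept only to show the difference; not recommended (see #117).
$legacySecret = $tfa->createSecret(80);

/**
 * Guard to run before the INSERT: a secret wider than the column must fail
 * loudly here rather than being truncated by a permissive database, since a
 * truncated secret can never verify a code again.
 */
function secretFitsColumn(string $secret, int $columnWidth): bool
{
    return strlen($secret) <= $columnWidth;
}

if (!secretFitsColumn($secret, 32)) {
    throw new RuntimeException('secret column must be widened to 32 characters');
}

printf("new default secret: %d chars\n", strlen($secret));
printf("legacy 80-bit secret: %d chars\n", strlen($legacySecret));

// Round trip: code generation and verification are unchanged by the longer secret.
$code = $tfa->getCode($secret);
printf("verifyCode with a fresh code: %s\n", $tfa->verifyCode($secret, $code) ? 'ok' : 'FAILED');
```

Widen the column before deploying the bump, not after: any secret created by 3.x and stored through a column still sized for 16 characters is lost the moment it is truncated, and the user is locked out of the second factor.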

Other changes

  • The new PHP attribute SensitiveParameter was added to the code, to prevent accidental leaks of secrets in stack traces.
  • Likely not breaking anything, but now all external QR Code providers use HTTPS with a verified certificate. PR #126.
  • The CSPRNG now exclusively uses the random_bytes() PHP function. Previously a fallback to openssl or a non-cryptographically secure PRNG existed; these have been removed. PR #122.
  • If an external QR code provider is used and the HTTP request results in an error, it will throw a QRException. Previously the error was ignored. PR #130, fixes #129.

Version 2.x

Breaking changes

PHP Version

Version 2.x requires at least PHP 8.1.

Constructor signature

... (truncated)

Commits



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)