In order to ensure users of this library make a conscious choice of QR Code Provider, the QR Code Provider is now a mandatory argument, in the first position.
If you didn't provide one explicitly before, you can get the old behavior with:

```php
<?php
use RobThree\Auth\TwoFactorAuth;
use RobThree\Auth\Providers\Qr\QRServerProvider;

$tfa = new TwoFactorAuth(new QRServerProvider());
```
If you provided one before, the order of the parameters has been changed, so simply move the QRCodeProvider argument to the first place or use named arguments.
The default secret length has been increased from 80 bits to 160 bits (RFC 4226, PR #117). This might cause an issue in your application if you were previously storing secrets in a column with restricted size. This change doesn't impact existing secrets; only new ones will get longer.
Previously a secret was 16 characters; now it needs to be stored in a column 32 characters wide.
You can keep the old behavior by setting 80 as the argument to `createSecret()` (not recommended, see #117 for further discussion).
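As an added illustration of the two migration points above (not code from the library or this PR): the provider is passed as the first constructor argument, and a pre-upgrade guard checks that a 3.x default secret fits the storage column while still accepting 2.x-length secrets already on disk. The Composer autoload path, the `SECRET_COLUMN_WIDTH` constant, the helper function names and the use of the RFC 4648 base32 alphabet are assumptions.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: installed via Composer

use RobThree\Auth\TwoFactorAuth;
use RobThree\Auth\Providers\Qr\QRServerProvider;

// 3.x: the QR code provider is the mandatory first constructor argument.
$tfa = new TwoFactorAuth(new QRServerProvider());

// Width of the column holding TOTP secrets. Assumption: it has already been
// widened from 16 (enough for 2.x's 80-bit secrets) to 32 for 3.x's 160 bits.
const SECRET_COLUMN_WIDTH = 32;

/** Base32 characters needed for $bits bits (5 bits each): 80 -> 16, 160 -> 32. */
function secretLengthForBits(int $bits): int
{
    return (int) ceil($bits / 5);
}

/**
 * Creates a secret with the 3.x default (160 bits) and refuses to return one
 * the column would silently truncate, which would break later verification.
 */
function createStorableSecret(TwoFactorAuth $tfa, int $columnWidth): string
{
    $secret = $tfa->createSecret();
    if (strlen($secret) > $columnWidth) {
        throw new LengthException(sprintf(
            'secret is %d chars but the column holds %d; widen it before upgrading',
            strlen($secret),
            $columnWidth
        ));
    }
    return $secret;
}

/** Accepts secrets written by either major version: 16 (2.x) or 32 (3.x) base32 chars. */
function isStoredSecretWellFormed(string $secret): bool
{
    $lengths = [secretLengthForBits(80), secretLengthForBits(160)];
    return in_array(strlen($secret), $lengths, true)
        && preg_match('/^[A-Z2-7]+$/', $secret) === 1;
}

$secret = createStorableSecret($tfa, SECRET_COLUMN_WIDTH);
if (!isStoredSecretWellFormed($secret)) {
    throw new UnexpectedValueException('unexpected secret format');
}
printf("new secret has %d characters\n", strlen($secret));
```

Run the guard against a copy of production before deploying 3.x so a too-narrow column fails here rather than by truncating secrets at insert time.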
Other changes
The new PHP attribute `SensitiveParameter` was added to the code, to prevent accidental leaks of secrets in stack traces.
Likely not breaking anything, but now all external QR Code providers use HTTPS with a verified certificate. PR #126.
The CSPRNG now exclusively uses the `random_bytes()` PHP function. Previously a fallback to openssl or a non-cryptographically-secure PRNG existed; it has been removed. PR #122.
If an external QR code provider is used and the HTTP request results in an error, it will throw a `QRException`. Previously the error was ignored. PR #130, fixes #129.
Version 2.x
Breaking changes
PHP Version
Version 2.x requires at least PHP 8.1.
Constructor signature
... (truncated)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps robthree/twofactorauth from 2.1.0 to 3.0.0.
Release notes
Sourced from robthree/twofactorauth's releases.
Changelog
Sourced from robthree/twofactorauth's changelog.
Commits
- ec82d39 📚 consistent changelog links to github (#135)
- fc3adc7 mention #130 in changelog
- 337e96b Merge pull request #134 from RobThree/nico-coc
- 91c091c add a code of conduct
- 9e8b31e mention #130 in changelog
- df43660 handle curl errors. fix #129
- 6194bb0 throw a QRException instead
- 6f78141 handle curl errors. fix #129
- f5eb9a7 Changelog for 3.x . PR #127
- 5c97ce9 Update CHANGELOG.md