Releases: SeaweedbrainCY/zero-totp
b5.0.0
This is a major beta release with important security improvements.
- Remove the admin dashboard from the frontend and the API endpoints, as this is now the role of Zero-TOTP admin.
- Fix GHSA-59g5-xgcq-4qw3
- Sessions are now based on opaque tokens instead of JWT. This improves the overall security of the application by reducing the attack surface created by JWT and by enabling far better session management, including session revocation.
- Fix 2 low-severity security weaknesses by no longer letting the frontend choose a secret UUID, and by enforcing on the database side the uniqueness of a user's unique properties (username, email, token, etc.).
- Improve overall logging
- Fix the issue causing the detection of the user's remote IP to fail while verifying the session.
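The two changes above (server-side sessions that can be revoked, and database-enforced uniqueness of user properties) are illustrated by the following added example. It is not Zero-TOTP's own code: the table names, the `users`/`sessions` schema, the function names and the 15-minute default lifetime are assumptions constructed for this illustration. The point it shows is that an opaque random token is just a lookup key into a server-side record, so revoking a session is a single row update, whereas a self-contained JWT stays valid until it expires unless an extra denylist is maintained. Only a SHA-256 hash of the token is stored, so a leaked sessions table does not yield usable tokens, and the `UNIQUE` constraints reject a duplicate username or email even if a client or a race condition sends one.

```python
import hashlib
import secrets
import sqlite3
import time

# Hypothetical schema constructed for this example (not Zero-TOTP's real model).
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,   -- uniqueness enforced by the database, not the client
    email    TEXT NOT NULL UNIQUE
);
CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,     -- only a hash of the opaque token is stored
    user_id    INTEGER NOT NULL REFERENCES users(id),
    expires_at REAL NOT NULL,        -- unix timestamp
    revoked    INTEGER NOT NULL DEFAULT 0
);
"""


def open_db():
    """Create an in-memory database with the example schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn, username, email):
    """Insert a user; return its id, or None if username or email already exists."""
    try:
        cur = conn.execute(
            "INSERT INTO users (username, email) VALUES (?, ?)", (username, email)
        )
        conn.commit()
        return cur.lastrowid
    except sqlite3.IntegrityError:
        # The UNIQUE constraints fire here regardless of what the client sent.
        return None


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(conn, user_id, lifetime_s=900, now=None):
    """Mint an opaque, unguessable session token for user_id and record it server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, no embedded claims
    conn.execute(
        "INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_token_hash(token), user_id, now + lifetime_s),
    )
    conn.commit()
    return token


def verify_session(conn, token, now=None):
    """Return the user_id for a live session, or None if unknown, expired or revoked."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT user_id, expires_at, revoked FROM sessions WHERE token_hash = ?",
        (_token_hash(token),),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at, revoked = row
    if revoked or now >= expires_at:
        return None
    return user_id


def revoke_session(conn, token):
    """Revoke one session immediately. Returns True if a live session was revoked."""
    cur = conn.execute(
        "UPDATE sessions SET revoked = 1 WHERE token_hash = ? AND revoked = 0",
        (_token_hash(token),),
    )
    conn.commit()
    return cur.rowcount == 1


def revoke_all_sessions(conn, user_id):
    """Revoke every session of a user (e.g. after a passphrase change). Returns the count."""
    cur = conn.execute(
        "UPDATE sessions SET revoked = 1 WHERE user_id = ? AND revoked = 0", (user_id,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    uid = create_user(db, "alice", "alice@example.com")
    tok = create_session(db, uid)
    print("valid before revoke:", verify_session(db, tok) == uid)
    revoke_session(db, tok)
    print("valid after revoke:", verify_session(db, tok) is not None)
```

Expiry and revocation are both checked on every request, which is exactly what a stateless JWT cannot do without additional server-side state; the trade-off is one database lookup per request, which is what buys the ability to log a session out server-side.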
b4.1.1
What's Changed
- Bump werkzeug from 3.0.3 to 3.0.6 in /api by @dependabot in #145
- Add refresh token feature and expand the duration of the open vault by @SeaweedbrainCY in #147
- Add refresh token to decrease JWT lifetime and increase session lifetime by @SeaweedbrainCY in #148
- Fix generic creds error message by @SeaweedbrainCY in #149
Full Changelog: b4.0.1...b4.1.1
b4.0.1
What's Changed
- Bump starlette from 0.36.2 to 0.40.0 in /api by @dependabot in #140
- Add PWA capabilities to Zero-TOTP by @SeaweedbrainCY in #141
- Add Zero-TOTP PWA by @SeaweedbrainCY in #142
- Bump cookie and socket.io in /frontend by @dependabot in #143
- Fix DuckDuckGo icon loading broken by the service worker, and fix CVE-2024-47764 by @SeaweedbrainCY in #144
Full Changelog: b3.1.0...b4.0.1
b3.1.0
What's Changed
- Add custom session timeout up to 1h by @SeaweedbrainCY in #138
- Upgrade to Angular 18
Full Changelog: b3.0.3...b3.1.0
Beta 3.0.3
What's Changed
- This is an important release that brings a lot of under-the-hood changes to Zero-TOTP. We have made many changes to the codebase to make it more maintainable and to prepare it for the future.
- Zero-TOTP is now present in Switzerland and Germany alongside Canada to improve the data redundancy.
- Zero-TOTP is now far more reliable, with better load balancing and a better failover system.
- The way Zero-TOTP communicates with its API, and the way the API handles each client, has been reviewed to be more efficient and more strict.
- Zero-TOTP is more reliable, resilient and secure than ever.
What's fixed:
- The issue causing some backend requests to fail while opening the vault has been definitively fixed by a design improvement.
- Updated our dependencies to fix 1 moderate CVE.
- The issue causing the French translation to appear a moment after the page load has been fixed.
- Some error messages have been improved to be more user-friendly.
Full Changelog: b2.11.3...b3.0.3
Beta 2.11.3
What's Changed
- Bump flask-cors from 4.0.1 to 5.0.0 in /api by @dependabot in #122
- Bump cryptography from 42.0.5 to 43.0.1 in /api by @dependabot in #123
- Fix CVE-2024-6221 && CWE-1395 by @SeaweedbrainCY in #124
Full Changelog: b2.11.2...b2.11.3
b2.11.2
What's Changed
- CVEs fix by @SeaweedbrainCY in #111
- Bump ws and socket.io-adapter in /frontend by @dependabot in #112
- Fix a bug unabling to update the passphrase by @SeaweedbrainCY in #113
- Bump zipp from 3.17.0 to 3.19.1 in /api by @dependabot in #114
- Move db model from code to a shared package by @SeaweedbrainCY in #116
- Bump sentry-sdk from 1.39.2 to 2.8.0 in /api by @dependabot in #117
- Use shared model and fix vuln by @SeaweedbrainCY in #118
- Remove flask alembic and use alembic instead by @SeaweedbrainCY in #119
- Add db check before starting API by @SeaweedbrainCY in #120
- Add 3rd replication node, add notification feature, modification of migration process by @SeaweedbrainCY in #121
Full Changelog: b2.10.5...b2.11.2
Beta 2.10.5
What's Changed
- Fix 2 CVEs (1 high & 1 moderate) by @SeaweedbrainCY in #105
- Fix a UI bug in the account creation flow by @SeaweedbrainCY in #108
Full Changelog: b2.10.2...b2.10.5
Beta 2.10.2
What's Changed
- Improve homepage privacy and totp edit UX by @SeaweedbrainCY in #102
Full Changelog: b2.10.1...b2.10.2
Beta 2.10.1
What's Changed
- Make the pipeline fail on Semgrep findings
- Remove or whitelist all Semgrep findings
- Remove the last call to the Buy Me a Coffee CDN, leaving Zero-TOTP completely free of any external call (except to the DuckDuckGo API for favicons, if the user consents)
- Improve the SSE key rotation script
- Improve the frontend with more loading animations when the network is slow
- When the user adds a tag, they can now choose among the tags already registered on other secrets
Full Changelog: b2.10...b2.10.1