Changelog

4.4.0

  • Replace cache/filesystem-adapter with symfony/cache to support PHP 8.2+; this affects sending FCM (Android) push notifications (#57)
  • Move SQL create statements from code/documentation to separate files in the /sql directory and use them in the test suite
  • Increase the size of the notification type field from 10 to 15 characters and add tests for it

4.3.1

  • TestServer improvements:
    • Make logs available from the test server web UI. The Remote-User HTTP header is used to keep logs separate for different users.
    • Update notificationAddress and notificationType in the UserStorage when the current values are different from the values in the authentication response.
    • Improve usability of the list user screen.
    • Add views for showing the enrollment status and authentication status.
  • Push notifications:
    • Add authenticationTimeout as a custom value to the push notification message. authenticationTimeout is the time in seconds that a user has to start the authentication process after the push notification was sent. The default value is 150 seconds.
    • iOS: Add "mutable-content": 1 option to allow the app to be notified when a push message arrives.
    • FCM: Add the ability to send a notification with additional customProperties like authenticationTimeout.
    • FCM: Add additional logging.

4.3.0

  • Add healthCheck() to the UserStorage, UserSecretStorage and StateStorage classes (#54).

4.2.0

  • Require PHP 8.2
  • Use SQL "REPLACE INTO" syntax for the state storage. This requires a mysql or sqlite backend.
  • Stricter checking of OCRA suite configuration.
  • Add openssl encryption type to replace the deprecated mcrypt encryption (#50).

4.1.0

  • Switch to FCM HTTP v1 API for Google push notifications (#52). See the included FCM.md for instructions on how to set up FCM for Tiqr.

4.0.0

  • Switch to the composer autoloader. Removed the Tiqr_Autoloader class. This means you must now use composer to use this library, or add your own autoloading.
  • Remove support for Apple push notifications (APNS) v1, and the Zend Framework 1 dependency that it required. The library now only supports APNS v2.
  • Add support for PHP 8.x
  • Replace the abandoned kairos/phpqrcode QR code library with chillerlan/php-qrcode, as suggested by the author
  • Documentation updates and corrections. Move security related documentation to SECURITY.md

3.0.2

  • Fix usersecretstorage not throwing on PDO error (#47)

3.0.1

  • Fix PDO state-storage log message (#44)
  • Document state-, user- and usersecret storage options (#45)

3.0.0

Increase the major version because of significant changes in the UserStorage, UserSecretStorage and StateStorage.

Review your use of the library from your client code!

  • Almost every function can throw an Exception now!
  • Most interfaces changed
  • Some functions changed their behaviour

Interfaces:

  • Remove many differences in behaviour between types, e.g. between UserStorage 'file' and UserStorage 'pdo' types
  • Move interface documentation from the individual drivers to the interfaces
  • Always throw an exception when a communication error with the backend occurs
  • Add type declarations to many interfaces
  • Update the minimum PHP version requirement to 7.2. Supports PHP versions 7.2 and 7.4

StateStorage:

  • Empty key is now explicitly disallowed
  • Check Tiqr_StateStorage_Interface for interface changes
  • The keys in the state storage are salted to harden against information leaking from the state storage. A default salt is used, which can be changed in the statestorage configuration of the Tiqr_Service.

UserStorage:

  • Several interface changes, see Tiqr_UserStorage_Interface
  • Creating a user that already exists is now an error
  • Temporary block times are unix timestamps (time_t) now, not strings
  • PDO: timestamps are now stored as integers (unix timestamp). Requires database schema update when using temporary block

UserSecretStorage:

  • Document PDO table format
  • Describe combining PDO UserStorage and UserSecretStorage in one table
  • Check Tiqr_UserSecretStorage_Interface for interface changes

TiqrService:

  • More functions throw
  • Explicitly describe the functions that will not throw
  • Session keys used in OCRA and other places in the Tiqr protocol are now always 32 hex digits long (i.e. 16 bytes, 128 bits, of entropy) and are now generated by the Tiqr_Service class, not by the OCRAWrapper. The OCRAWrapper_v2 implementation generated session keys with a length that depended on the configured OCRA Suite, and used 64 hex digits with the default suite.

OcraWrapper:

  • The OCRAWrapper_* classes for wrapping the OCRA v1 and OCRA v2 implementations were removed
  • The OCRA v1 implementation was removed

OcraService:

  • Refactored to use the OCRA implementation directly.
  • Note that the Tiqr_OcraService_OathServiceClient was updated, but that it was not tested
  • Add support for the new Apple HTTP/2 based Push Notification protocol. Set apns.version in the Tiqr_Service configuration to select which implementation to use.
  • Add support for a new enrollment and authentication link format that uses Universal Links instead of custom URL schemes. See the Tiqr_Service configuration for details.

2.1.0

This release adds support for sending push notifications without using a token exchange, and adds checks for invalid input to the default (v2) OCRA implementation. No interface changes.

Features

  • Add two new message types, APNS_DIRECT and FCM_DIRECT, to Tiqr_Service::sendAuthNotification. These do not look up the notificationAddress at the token exchange; instead, the notificationAddress is used to send a notification directly to the device.

  • Add more input validation to the default (v2) OCRA implementation. More methods in the OCRA and Tiqr_OCRAWrapper classes can now throw exceptions. Added the One-Way Challenge Response test vectors from RFC 6287 to the unit tests.

Bugfix

  • Fix bug in the OCRA v2 algorithm that computed responses that did not match the RFC reference implementation when the OCRA suite included a password component that contained an "S" (e.g. PSHA1). This does not affect the Tiqr app because password components are not used there.

2.0.0

As of release 2.0.0 we started keeping the CHANGELOG.md file. The older entries were copied from the GitHub release page.

A release with several backward compatibility breaking changes. Most notable are:

  1. User and User Secret storage are no longer intertwined. You are now required to create both; the user storage factory no longer creates a user secret storage for you when you have not configured one.
  2. Several of the Tiqr server library services now require a PSR-style logger to function correctly.
  3. LDAP support was dropped from the project. If you used it, sorry: we no longer ship it as of version 2.

Behavioral changes:

  1. The code now throws exceptions when unrecoverable runtime issues are encountered. Previously the service would return an 'error-ish' response like null or false; we now throw exceptions in these situations.
  2. As mentioned above in the BC breaking changes: the User storage situation changed. More info can be found in #30 and at https://www.pivotaltracker.com/story/show/181525762

Features

  • Implement, and with it improve, logging #27
  • Add a test server for mobile app development #21
  • Improve StateStorage File implementation #35
  • Throw exceptions when an unrecoverable error situation occurs #36
  • Move expiry action and make probability of triggering it configurable #25
  • State storage pdo expiry #20
  • Convert TravisCI to GitHub Actions #34

Bugfix

  • Fix OCRA algorithm used by tiqr "v2" calculating incorrect responses for some values #22
  • Remove C2MD and GCM Message API support #31
  • Demystify user storage #30

Other chores and tasks

  • Remove unreachable code #32
  • Log the http-statuscode and error received from firebase #14
  • Run local-php-security-checker on Travis CI #28
  • Update PHP version for phpunit #26
  • Enable code coverage on unit tests #18
  • Remove unused LDAP storage solution #29
  • State storage updates #16
  • Fix travis builds on php7.2 #15

1.1.12

Add extra logging to FCM errors

1.1.10

Add firebase FCM push notifications

1.1.1

Updated dependency for the phpqrcode lib

1.1

Maintenance update

  • Add OATHservice backend
  • Migrate from C2DM to GCM libraries for push notifications on Android
  • Add ability to use different QR code generation libraries
  • Bugfixes