[DigitalPoint] Security & Passkeys

xF2 Add-on [DigitalPoint] Security & Passkeys 1.2.0.3

Sorry about the back-to-back releases. This is really only needed for XenForo 2.3 (previous release worked in 2.2 just fine).
  • Fixed issue with FontAwesome icons in XenForo 2.3
  • Removed enable/disable toggle for Passkeys on two-step page
If you use the "Days to auto-extend two-step device trust" setting, the add-on will always set the tfa_trust cookie when the user_remember record is extended (since we can't see the cookie duration on the server side). Before, we were only setting the cookie if the user_tfa_trusted.trusted_until value changed.

This will make it work as expected even if you had something unrelated (like a different add-on) altering the user_tfa_trusted.trusted_until value (where you had a short cookie duration, but a long user_tfa_trusted.trusted_until value).
  • Entropy for challenge changed from 192 bits to 768 bits
  • All JavaScript has been rewritten to be "native" (does not use jQuery) in preparation for removal of jQuery in XenForo 2.3.
If you aren't using XenForo 2.3, you don't need to upgrade (might be some unmeasurable speed increase [think nanoseconds] when running its JavaScript since it doesn't dip into jQuery any longer).
I think this may have been the cause for a couple of cases where an invalid Passkey record was saved to a user account. Previously, if an exception happened, it blindly accepted the null Passkey record as the new Passkey. If things went as expected (most cases) it wouldn't matter, but not everything always goes as expected. :)
  • Added dataList-row--noHover class so background color doesn't change when the mouse moves over the table of two-step options a user has
  • If an exception happens when Passkey is added to user account, present the user with an error that the Passkey could not be registered and log the underlying exception message to the XenForo error log (and most importantly, don't save an invalid Passkey registration as a new Passkey)
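
The failure mode in the two notes above (a null Passkey record accepted after an exception, then the fix that reports and logs the error and saves nothing), shown as an added PHP example that is not the add-on's own code. The function names, the array-based store and error log, and the sample response are all hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for WebAuthn attestation verification (not the add-on's API).
// Returns a credential record, or throws when the response cannot be validated.
function verifyAttestation(array $response): array
{
    if (empty($response['credentialId']) || empty($response['publicKey'])) {
        throw new InvalidArgumentException('attestation response is incomplete');
    }
    return ['credential_id' => $response['credentialId'], 'public_key' => $response['publicKey']];
}

// Fail-open pattern: the exception is swallowed and the null record is stored anyway.
function registerFailOpen(array $response, array &$store): bool
{
    $record = null;
    try {
        $record = verifyAttestation($response);
    } catch (Throwable $e) {
        // error ignored, $record is still null
    }
    $store[] = $record; // a null "Passkey" ends up on the account
    return true;
}

// Fail-closed pattern: log the underlying message, report failure, store nothing.
function registerFailClosed(array $response, array &$store, array &$errorLog): bool
{
    try {
        $record = verifyAttestation($response);
    } catch (Throwable $e) {
        $errorLog[] = 'Passkey registration failed: ' . $e->getMessage();
        return false; // caller shows "Passkey could not be registered"
    }
    $store[] = $record;
    return true;
}

// Constructed sample input: a registration response that is missing its public key.
$bad = ['credentialId' => 'constructed-id'];
$openStore = $closedStore = $log = [];
registerFailOpen($bad, $openStore);
$ok = registerFailClosed($bad, $closedStore, $log);
var_dump($openStore);
var_dump($ok, $closedStore, $log);
```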
Added additional sanity check to ensure the device trust record is valid and exists before trying to extend it.
Fixes an issue where certain (most) security keys couldn't properly authenticate as a two-step verification option.
  • Added ability to view and delete remembered sessions in admin area (new Sessions tab when editing a user)
  • Fix for PHP warning when on PHP 8 and accessing site through localhost (a test setup)
Give the user a better error message if they try to create a Passkey entry without actually registering a Passkey.
  • Checking for PHP version 7.1.0 or higher
  • Removed dependency on third-party library to get list of countries for sessions and trusted devices
This doesn't change anything for users that already have it installed. The net change is now you can use it with PHP 7.1+ (the previous requirements were PHP 7.3+).