Releases: passbolt/passbolt_browser_extension
v4.4.0
Release song: https://www.youtube.com/watch?v=6Ejga4kJUts
Version 4.4 of Passbolt is now available, packed full of improvements and new functionalities.
With this release, users are able to manage TOTPs directly from the browser, providing an extended TOTP experience across all their devices. They can now be created, deleted, organised and shared with others just like any other resource type.
Another highlight of this release: administrators now have the ability to suspend and unsuspend users. This new feature offers administrators more control over access management of their instance. For example, they will be able to prevent access to the passbolt instance for users on temporary leave, and thereby enforce company policies.
Admins of the PRO have an additional option for SSO: a generic OAuth 2.0 provider is now available, expanding your authentication options and providing even more versatility.
And that's not all: a number of fixes and enhancements have been implemented to improve user experience. Among them, notification emails are now aggregated in certain cases, including limiting emails when a user imports a large number of passwords.
Upgrade to version 4.4 to take advantage of these improvements. Thank you for using and supporting passbolt!
[4.4.0] - 2023-11-06
Browser extension
Added
- PB-25204 As a signed-in user I can create a standalone TOTP
- PB-25206 As a signed-in user I can add a TOTP to an existing password resource
- PB-25210 As a signed-in user I can edit a standalone TOTP
- PB-25224 As a signed-in user I can copy a TOTP
- PB-26088 As a signed-in user I can see standalone TOTP in the quickaccess
- PB-27600 As an administrator I want to suspend or unsuspend a user
- PB-27601 As a signed-in user I should see who is suspended in the UI
- PB-27773 As an administrator I can deny access to the mobile setup screen with RBAC
- PB-27898 As an administrator I should have the possibility to deny TOTP copy and preview actions with RBAC
- PB-27949 As a signed-in user I can see password with totp in the quickaccess
- PB-27950 As a user I can use generic OAuth2 as single sign on provider
- [FEATURE INACTIVE] PB-28263 As a user I can see the resource expiry status
- [FEATURE INACTIVE] PB-28265 As a user I can reset resource expiry date
- [FEATURE INACTIVE] PB-28266 As an administrator I can enable the password expiry feature
- [FEATURE INACTIVE] PB-28267 As an administrator I can set the email notifications of the password expiry feature
Improved
- PB-19244 As a user with encrypted description resource type present when creating a resource using quickaccess the description should be encrypted by default
- PB-25560 As an administrator on the admin settings pages I can see the source of information
- PB-26002 As a user downloading my recovery kit I want to be warned about the critical character of this asset
- PB-26086 As an administrator generating an account recovery key for my organization I want to confirm the passphrase
- PB-26094 As an administrator having a passbolt trespassing the user limits I should see a better message
- PB-27668 As a user I'd like to know what the numbers by the heart mean
- PB-27922 As a user entering my passphrase I should see the entropy progressing
- PB-28183 As administrator I want to see warnings while synchronising the organisation users directory
- PB-28378 MFA screen should be displayed depending on the application
Fixed
- PB-21625 As a user I shouldn't see apostrophe replaced by special characters
- PB-25279 As a user I should see in form call to action icon be well positioned
- PB-26000 As a user updating only a resource metadata I should not update the resource secret on the API
- PB-27784 As an administrator I should not see the account recovery enrollment twice
- PB-27794 Fix unsupported TOTP while decrypting TOTP on webapp
- PB-27894 As a user I should not see my username overpass the card in the login form
- PB-27947 Fix in-form menu generate password should not override all password fields but only new password fields
- PB-27954 Fix message after successful transfer to mobile
- PB-28170 Fix SMTP host from Sendgrid
- PB-28310 As a signed-in user I should not select or unselect a resource on TOTP click
- PB-28293 As a signed-in user I should be redirected when I click on the resource url in the information panel and contextual menu
Maintenance
- PB-26121 Improve Styleguide coverage of password policies
- PB-27786 As a user I should not see my passphrase part of the breach if the field is empty
- PB-27945 Update web-ext lib to v7.8.0
- PB-27965 Upgrade node to v18
- PB-28148 Migrate development watcher to package.json scripts
- PB-28275 Upgrade @babel/traverse on styleguide as it has a critical security issue
- [FEATURE INACTIVE] PB-27605 As a signed-in user I can set up Yubikey as two-factor authentication on the client (previously done on the API served application)
- [FEATURE INACTIVE] PB-27606 As a signed-in user I can set up TOTP as two-factor authentication on the client (previously done on the API served application)
- [FEATURE INACTIVE] PB-27608 As a user I can sign in with TOTP and Yubikey as 2FA on the client (previously done on the API served application)
Security
- PB-25688 As a desktop app user I should sign the exported account kit with my private key
v4.4.0-rc.0
Release song: https://www.youtube.com/watch?v=6Ejga4kJUts
Version 4.4 (Release Candidate) of Passbolt is now available, packed full of improvements and new functionalities.
With this release, users are able to manage TOTPs directly from the browser, providing an extended TOTP experience across all their devices. They can now be created, deleted, organised and shared with others just like any other resource type.
Another highlight of this release: administrators now have the ability to suspend and unsuspend users. This new feature offers administrators more control over access management of their instance. For example, they will be able to prevent access to the passbolt instance for users on temporary leave, and thereby enforce company policies.
Admins of the PRO have an additional option for SSO: a generic OAuth 2.0 provider is now available, expanding your authentication options and providing even more versatility.
And that's not all: a number of fixes and enhancements have been implemented to improve user experience. Among them, notification emails are now aggregated in certain cases, including limiting emails when a user imports a large number of passwords.
Upgrade to version 4.4 to take advantage of these improvements. Thank you for using and supporting passbolt!
[4.4.0-rc.0] - 2023-11-03
Browser extension
Added
- PB-25204 As a signed-in user I can create a standalone TOTP
- PB-25206 As a signed-in user I can add a TOTP to an existing password resource
- PB-25210 As a signed-in user I can edit a standalone TOTP
- PB-25224 As a signed-in user I can copy a TOTP
- PB-26088 As a signed-in user I can see standalone TOTP in the quickaccess
- PB-27600 As an administrator I want to suspend or unsuspend a user
- PB-27601 As a signed-in user I should see who is suspended in the UI
- PB-27773 As an administrator I can deny access to the mobile setup screen with RBAC
- PB-27898 As an administrator I should have the possibility to deny TOTP copy and preview actions with RBAC
- PB-27949 As a signed-in user I can see password with totp in the quickaccess
- PB-27950 As a user I can use generic OAuth2 as single sign on provider
- [FEATURE INACTIVE] PB-28263 As a user I can see the resource expiry status
- [FEATURE INACTIVE] PB-28265 As a user I can reset resource expiry date
- [FEATURE INACTIVE] PB-28266 As an administrator I can enable the password expiry feature
- [FEATURE INACTIVE] PB-28267 As an administrator I can set the email notifications of the password expiry feature
Improved
- PB-19244 As a user with encrypted description resource type present when creating a resource using quickaccess the description should be encrypted by default
- PB-25560 As an administrator on the admin settings pages I can see the source of information
- PB-26002 As a user downloading my recovery kit I want to be warned about the critical character of this asset
- PB-26086 As an administrator generating an account recovery key for my organization I want to confirm the passphrase
- PB-26094 As an administrator having a passbolt trespassing the user limits I should see a better message
- PB-27668 As a user I'd like to know what the numbers by the heart mean
- PB-27922 As a user entering my passphrase I should see the entropy progressing
- PB-28183 As administrator I want to see warnings while synchronising the organisation users directory
- PB-28378 MFA screen should be displayed depending on the application
Fixed
- PB-21625 As a user I shouldn't see apostrophe replaced by special characters
- PB-25279 As a user I should see in form call to action icon be well positioned
- PB-26000 As a user updating only a resource metadata I should not update the resource secret on the API
- PB-27784 As an administrator I should not see the account recovery enrollment twice
- PB-27794 Fix unsupported TOTP while decrypting TOTP on webapp
- PB-27894 As a user I should not see my username overpass the card in the login form
- PB-27947 Fix in-form menu generate password should not override all password fields but only new password fields
- PB-27954 Fix message after successful transfer to mobile
- PB-28170 Fix SMTP host from Sendgrid
- PB-28310 As a signed-in user I should not select or unselect a resource on TOTP click
- PB-28293 As a signed-in user I should be redirected when I click on the resource url in the information panel and contextual menu
Maintenance
- PB-26121 Improve Styleguide coverage of password policies
- PB-27786 As a user I should not see my passphrase part of the breach if the field is empty
- PB-27945 Update web-ext lib to v7.8.0
- PB-27965 Upgrade node to v18
- PB-28148 Migrate development watcher to package.json scripts
- PB-28275 Upgrade @babel/traverse on styleguide as it has a critical security issue
- [FEATURE INACTIVE] PB-27605 As a signed-in user I can set up Yubikey as two-factor authentication on the client (previously done on the API served application)
- [FEATURE INACTIVE] PB-27606 As a signed-in user I can set up TOTP as two-factor authentication on the client (previously done on the API served application)
- [FEATURE INACTIVE] PB-27608 As a user I can sign in with TOTP and Yubikey as 2FA on the client (previously done on the API served application)
Security
- PB-25688 As a desktop app user I should sign the exported account kit with my private key
v4.3.1
Release song: https://www.youtube.com/watch?v=sc5iTNVEOAg
This is a small maintenance release of the browser extension only. It fixes a bug that prevented users from using the auto-fill feature from the quickaccess.
Thank you for choosing passbolt and for your continued support.
[4.3.1] - 2023-09-28
Fixed
- PB-27860 As a signed-in user I should be able to autofill from the quickaccess
v4.3.1-rc.0
Release song: https://www.youtube.com/watch?v=sc5iTNVEOAg
This is a small maintenance release of the browser extension only. It fixes a bug that prevented users from using the auto-fill feature from the quickaccess.
Thank you for choosing passbolt and for your continued support.
[4.3.1] - 2023-09-28
Fixed
- PB-27860 As a signed-in user I should be able to autofill from the quickaccess
v4.3.0
Release song: https://youtu.be/s88r_q7oufE
The latest version is here – take a look at what’s new in 4.3.
One enhancement is improved portability of TOTP (Time Based One Time Password). TOTP can now be conveniently viewed across both the web and mobile applications. Although the creation of TOTP remains mobile-centric, version 4.3 provides convenient access to reading and retrieving TOTP content in the browser, resulting in greater usability.
Improvements have also been made to grid customisation. Any changes made to the grid are now persistent, meaning your tailored experience is saved from session to session. And to make the new TOTP portability even more accessible, an option has been added to display a column for your TOTP content.
Admins of the PRO can now manage passphrase policies alongside their password policies. These policies include: setting minimal entropy and managing access to external tools for monitoring if a passphrase has been compromised.
Other updates include improvements to SQL query performance (retrieving resource tags and system tags), restricting LDAP-related settings, some bug fixes, and a number of performance improvements.
Thank you for choosing passbolt and for your continued support.
[4.3.0] - 2023-09-21
Added
- PB-24600 As a user remember me is kept checked for next time if it was used
- PB-25192 As a signed-in user I can persist the display customizations of the resource workspace grid
- PB-25202 As a signed-in user I can see an existing TOTP value in the password workspace grid
- PB-25932 As a signed-in administrator I can access the user passphrase policies
- PB-25933 As a signed-in administrator I can see the user passphrase policy settings
- PB-25934 As a signed-in administrator I can customise the user passphrase policy settings
- PB-25935 As a user registering to passbolt I have to comply with the policy
- PB-25937 As a user changing my passphrase I have to comply with the policy
- PB-27725 As a signed-in user I should not be able to edit resources with totp
- PB-27759 As a signed-in user I shouldn't see the TOTP column in the grid if the totp plugin is disabled
Improved
- PB-22801 As an administrator I want to use a decrypted organization account recovery key
- PB-24089 Add Range component to styleguide
- PB-25301 Replace the 'unlock' icon to enhance visibility
- PB-25512 As a signed-in user I want to see previewed password with a bigger font
- PB-25965 As a signed-in user I shouldn't see the resources chips initialized with 0 as long as the breadcrumb is not rendered
- PB-27624 Release notes automation
Fixed
- PB-18482 Fix missing translation in quickaccess resource view page
- PB-18520 Fix missing translation in user theme settings page
- PB-25247 As a user, I should not be able to configure MFA if I am not running HTTPS
- PB-25319 Fix double slashes in URLs builder in apiClient
- PB-25375 As a user I should not see the passbolt icon on gmail email search
- PB-25521 Fix web application loading skeleton
- PB-25956 Fix extra bracket typo in password generator screen
- PB-25962 As a signed-in user I should see the more button for folders, group and tag with border-radius
- PB-25966 Fix translations source strings issues reported by community in password policies administration screen
- PB-26140 Fix double detached quick access windows when the quick access is triggered by a sign-in from the in-form menu
- PB-26147 Fix user theme settings page title typo
- PB-26148 As a user when I signed out I should have the same theme on the login screen
- PB-26202 As a signed-in user, I should not be able to associate a mobile if I am not running HTTPS
Maintenance
- PB-24795 Improve browser extension coverage of password policies
- PB-25551 Upgrade outdated development library web-ext to 7.6.2
- PB-25557 Remove xmldom dependency as direct dependency
- PB-25695 Remove unused utility hashString
- PB-25697 Remove unused jquery, copy-webpack-plugin dependency and references
- PB-25698 Remove cross-fetch unused direct dependency
- PB-25700 Remove simplebar as direct dev dependency
- PB-27662 Drive progress dialog with dedicated context
- PB-27706 Homogenize resource plaintext secret as an object
Experimental
- PB-25824 As an unknown user I should be invited to configure the desktop application
- PB-25825 As an unknown user configuring the desktop app I should be able to import an account kit
- PB-25826 As an unknown user configuring the desktop app I should see the detail of the account kit & verify my passphrase when importing an account
v4.3.0-rc.0
The Man Who Sold The World
Song: https://youtu.be/fregObNcHC8
Version 4.2 of the Community Edition introduces a number of enhancements and fixes to the passbolt experience.
One of the highlights of this release is the first brick of grid modernization. With it, you’re in control of what’s shown on the password grid. You can decide which columns you want to see, as well as their position and size. This first version is part of a larger improvement project. The aim is to make customization of the grid available and persistent with the next v4.3.0 release, and to later introduce new columns such as OTP, Icon & Tag.
Additionally, users will be pleased to see the new resource count chips displayed in the breadcrumb, providing an intuitive way to keep track of filtered resources.
Administrators are not left behind with this release as a few bugs with the command line healthcheck have been fixed and the feature is being prepared to be available in the UI soon.
Thank you for being a part of the community and for choosing passbolt.
[4.2.0] - 2023-08-24
Added
- PB-24268 As a signed-in user I can reorder & show/hide columns of the resource workspace grid
- PB-25189 As a signed-in user I can resize the columns of the resource workspace grid
- PB-25283 As a signed-in administrator I can access the password policies
- PB-25283 As a signed-in administrator I can see the password policies settings
- PB-25283 As a signed-in administrator I can customise the password policies
- PB-25283 As a signed-in user I generate passwords using the password policies of my organisation
- PB-25283 As a signed-in user I am warned about passwords which are part of a dictionary
Improved
- PB-25251 As a signed-in user I want the passwords to be rendered with a monospace font
- PB-25288 As a signed-in user I should see the number of resources or users filtered in the workspace from the breadcrumb
Fixed
- PB-22555 As a German-speaking signed-in user I want to autofill my password and name when the input identifiers are in German
- PB-24612 As a user I should not see the “remember until I log out” option in the quickaccess if the option is disabled from the servers
- PB-25259 Fix dropdown profile style
- PB-25260 As a user I should be redirected to the resource workspace when signing in right after a sign out
- PB-25261 Fix box-shadow on more button for folders
- PB-25320 In-form menu icon was moving when scrolling on page
- PB-25504 As a user I want to use SSO with Firefox
- PB-25807 As a signed in user I should see my profile metadata updated after editing my profile
- PB-25816 As a signed-in user, the link in resource activity or user account recovery activity should be valid
- PB-25822 Fix typos in User Directory settings interface
Maintenance
- PB-25390 Upgrade outdated library word-wrap
- PB-25391 Upgrade outdated library tough-cookie
- PB-25704 Upgrade outdated library babel
Experimental
- PB-25185 As LU user on the browser extension, I want to export my account to configure the windows application
- PB-25253 Desktop bootstrapped applications should have CSP rules enforced prior to executing any JavaScript
Bella Ciao
Song: https://youtu.be/leb5pvB3B20
Version 4.1.2 of passbolt is a maintenance release mainly solving small bugs reported by the community on the API as well as the browser extension.
The API ships with a fix that restores email notifications for organisations using NTLM to authenticate against their SMTP server.
On the client side, the browser extension ships with a long-overdue improvement that will help users distinguish look-alike characters while previewing a password. Furthermore, in a continuous effort to provide the best user experience, the extension ships with fixes to the auto-fill capabilities. It should be more resilient and integrate better with web applications.
Thank you for helping us make Passbolt better!
[4.1.2] - 2023-07-26
Improvement
- PB-25251 As a signed-in user previewing a password, I should be able to distinguish look-alike characters
Fixed
- PB-25502 Fix web navigation issue when a port already exists and port disconnection is not fired
- PB-25339 Fix application refusing to load when detecting passbolt event activities
- PB-25311 Fix as anonymous user with the browser extension not configured I should be redirected to passbolt getting started page when using the toolbar icon
- PB-24933 Fix in-form menu detection not working when existing tab port disconnection occurs after webnavigation event
Maintenance
- PB-25471 Crowdin should export only a selected subset of languages
- PB-25272 Github actions updates for storybook
- PB-25172 Remove former demo application, replaced by storybook
War Pig
Song: https://www.youtube.com/watch?v=LQUXuQ6Zd9w
Version 4.1 of Passbolt introduces the long-awaited Role-Based Access Control (RBAC) feature. In its first version, RBAC provides admins with the ability to control the capabilities offered to users through the user interface (UI). As passbolt evolves, subsequent releases will expand on this, eventually providing control over API capabilities.
On the performance side, while passbolt was able to handle thousands of passwords, sharing on large volumes was a challenge due to the end-to-end model. With this new version, users will be pleased to experience enhanced performance when sharing their passwords with others. More improvements are yet to come in future releases, so stay tuned.
Additionally, users will notice improvements in some areas: passwords are now easier to read, special characters and numbers are highlighted with contrasting colors, and multi-factor authentication is now able to remember the last method used.
Finally, this release also includes the latest security fixes (minor and info) identified during the March security audit by Cure53. As usual, the full report along with the mitigations will be fully disclosed on the website.
Thank you for choosing passbolt. Your support and feedback are greatly appreciated.
[4.1.0] - 2023-07-03
Added
- PB-24169 As an administrator I want to customise what capabilities users are allowed to access on the UI of my organisation
- PB-24598 SSO allow administrators to remap email/username properties
Fixed
- PB-14174 As a user I want the inform menu not to be displayed outside my browser window
- PB-24657 As a user I should see the triage page even when SSO is misconfigured
- PB-25031 Fix margin on folder name in the information panel
Improvement
- PB-24619 As LU I should see the link on the same line in a paragraph
- PB-24646 As LU, I should see colored passwords
Maintenance
- PB-24622 Put back the rolled-back code for LDAP multi-domain and field-mapping feature
- PB-24794 Adapt browser extension to not crash when unknown content types are retrieved from the API
Security
- PB-23852 PBL-02-002 As a user I should sign-out using POST method
- PB-24997 Change static images URL to be served from the browser extension instead of the API
The One Percent
Song: https://youtu.be/hF0MZKDq814
This is a small maintenance release of the browser extension only. It fixes a bug that prevented users from authenticating with SSO from the web integrated in-form menu.
[4.0.4] - 2023-06-07
Fixed
- PB-24932 Fix: As a user I want to be able to sign-in through SSO from the inform menu