Releases: passbolt/passbolt_browser_extension
v4.0.3
Song: https://youtu.be/o5TmORitlKk
This is a small maintenance release of the browser extension only. It fixes a bug that prevented users from authenticating with SSO from the quickaccess.
[4.0.3] - 2023-06-05
Fixed
- PB-24734 Fix As a registered user I would like to be able to use SSO login via the quickaccess
Under Pressure
Song: https://youtu.be/a01QQZyl-_I
This release is a small maintenance release of the browser extension only. It fixes an issue reported by the community relative to the users workspace not displaying the correct MFA status of the users.
A big thank you to the community members who report issues and help us investigate them.
[4.0.1] - 2023-05-17
Fixed
- PB-24639 Fix: As an administrator I want to see which users have activated MFA from the users workspace
Get Up, Stand Up
Song: https://youtu.be/CwIdvOTzvqc
Introducing the latest update of passbolt Pro, release v4. This update includes some significant enhancements to the platform’s functionality and overall user experience.
Passbolt now requires a minimum of PHP 7.4 to run, but also supports PHP 8.2, which means faster performance and security. The browser extension is also getting a bit of love with some much needed maintenance to Manifest v3 and it requires at least a Passbolt API v3 to run.
This release mainly focuses on platform compatibility and accessibility improvements to ensure an inclusive experience for all users across all versions. Alongside these updates, v4 includes numerous bug fixes and security enhancements to further improve system reliability. It’s recommended that all users update to this latest version to get the most out of passbolt and benefit from the upcoming new features.
We appreciate the continued support and feedback as we strive to provide an exceptional user experience. Reach out on the community forum if you encounter some issues with this new release.
[4.0.0] - 2023-05-17
Added
- PB-23531 As an administrator I can setup google as SSO provider
- PB-23532 As a user I can sign-in with SSO
- PB-23535 As a user I want to self register with SSO enabled
- PB-23952 As an administrator I want to synchronize only groups belonging to a given parent group
- PB-24168 As a user I want to use an accessible version of the UI
Improvements
- PB-21564 Application should be aware of authentication status as soon as the user is getting signed out
Fix
- PB-21488 Fix the loading of pagemods when user data is not set in the local storage
- PB-23547 As a signed-in user I should be able to autofill credentials in an iframe even if there is an empty iframe src ahead
- PB-24076 Fix ApiClient BaseUrl generation to avoid double slashes in the final URL
- PB-24100 As a developer I want to use a fixed, working version of storybook
- PB-24145 As a signed-in user the inform integration should not freeze the browser if there are lots of DOM changes
- PB-24260 As a signed-in user I should not see a resource stay selected after moves in a folder
Security
- PB-22858 As a user the session storage should have a limit of port by tab
- PB-22859 As a user the web integration pagemod should be attached only on top frame
- PB-23556 PBL-08-002 WP2: Passphrase Retained In Memory Post-Logout
- PB-23942 PBL-08-008 WP2: Lack of explicit CSP on extension manifest
- PB-23797 Backport MV3 port manager on MV2 without using the webNavigation permission
Maintenance
- PB-18667 Migrate gpgAuth session check loop into a dedicated service startLoopAuthSessionCheckService
- PB-22641 As a user the browser extension should handle when the version is updated
- PB-22642 As a developer, when inform call to action and inform menu are destroyed, I should remove the port reference in the session storage and portManager
- PB-24105 As a user I want to trigger file download on firefox with file pagemod
- PB-24131 As a developer I should have class files in the correct folder
- PB-24134 As a developer I should be able to run the CI pipeline even if the audit job is failing
- PB-24147 Remove legacy entry point to check if the user is authenticated
Mental Wave
Song: https://open.spotify.com/track/2M4fZAYyQFNtvHy5rOjRTx?si=a546f57401f34a7b
This release is a small maintenance release of the browser extension only. It fixes issues reported by the community relative to users email validation and the recently introduced SSO.
A big thank you to the community members who report issues and help us investigate them.
[3.12.1] - 2023-03-29
Fix
- PB-23930 Fix the removal of the SSO kit on CSRF token error
- PB-23949 Fix as a user I should be able to use uppercase characters for username
- PB-24041 Fix missing import XRegExp
- PB-24065 Fix to prevent the browser extension from crashing if the server is configured with an unsupported SSO provider
Introspective
Song: https://open.spotify.com/track/3LU41qIkh4lND6PM4W8jHw?si=44039421ff734292
Release 3.12 includes a number of new features and enhancements, including the much-anticipated addition of folders in the Community Edition, which allows users to better organise resources.
Another notable new feature is the ability to customise passbolt to output the action logs in syslog or a file, giving administrators more control and visibility on what is happening on their instance and letting them leverage other tools for threat and unusual activity detection. Administrators can also implement their own handler for action logs to further customise their passbolt instance reporting. A blog to demonstrate this new feature will be available soon.
Version 3.12 also includes important fixes, such as a fix to ensure that only administrators can see which users have MFA enabled. This regression was spotted during the Cure53 March security audit. The full report will be available shortly. Spoiler alert: no critical vulnerability was found.
Lastly, more file formats for export are included in release 3.12. This provides more options for migrating data between applications.
Overall, the release of version 3.12 provides several useful improvements. Thank you to the members of the community who’ve reported issues and helped us fix them.
[3.12.0] - 2023-03-15
Added
- PB-22521 As a signed-in user, I want to export resources in logmeonce csv
- PB-22520 As a signed-in user, I want to export resources in nordpass csv
- PB-22519 As a signed-in user, I want to export resources in dashlane csv
- PB-22518 As a signed-in user, I want to export resources in safari csv format
- PB-22517 As a signed-in user, I want to export resources in mozilla csv
- PB-22515 As a signed-in user, I want to export resources in bitwarden csv
- PB-22516 As a signed-in user, I want to export resources in chromium based browsers csv
- PB-22838 As an administrator I can customise the application email validation
Improvements
- PB-22896 Improve DUO style
Fix
- PB-23281 Fix as a user I should see an accurate entropy when a password contain words from a dictionary
- PB-23541 As a user I can use SSO recover when Passbolt is served from a subfolder
Security
- PB-23706 As an administrator I should be the only one to know which users have enabled MFA
Birdie
Song: https://youtu.be/reXhjQ50iug
This is a small maintenance release addressing community reported issues related to the recently introduced Duo v4 support.
This release also includes a security fix for the browser extension to mitigate clickjacking attacks discovered during an independent security audit of the API and browser extension by Cure53. As always, detailed findings will be published on our dedicated incident page soon.
Thank you to the members of the community who’ve reported issues and helped us fix them.
[3.11.2] - 2023-03-03
Security
- PB-23328 PBL-08-001 WP2 Credentials Leakage via Clickjacking - As a signed-in user I should not be able to open the application iframe in an untrusted parent frame
- PB-23327 PBL-08-001 WP2 Credentials Leakage via Clickjacking - As a signed-in user I should not be able to open the quickaccess in an iframe
Regular
Song: https://youtu.be/yR1u-v66iT4
Community Edition v3.11 introduces new features and enhancements to your passbolt experience.
Duo v4 MFA support is now available in the browser, an update from the previously supported v2. The API also now features a new endpoint that allows administrators to get paginated action logs, to make it easier to browse and find specific events or actions programmatically. In addition, the browser extension is now available in Italian, Portuguese, Korean, and Romanian (these languages are in beta, let passbolt know if you find anything that needs updating).
As part of ongoing efforts to improve passbolt, v3.11 also deprecates PHP 7.3 support and passbolt API v2 support. While you will not be able to install a new instance on PHP 7.3, existing instances will still work until the next version. We encourage users to upgrade to PHP 7.4 or higher and use the latest version of the passbolt API.
Passbolt appreciates the support of the community and the contributions we receive. Thank you for choosing passbolt; users play an integral role in its growth and development.
[3.11.1] - 2023-02-27
Added
- PB-22081 As a signed-in user I can import my passwords from a Mozilla web browsers csv export
- PB-22082 As a signed-in user I can import my passwords from Safari web browser csv export
- PB-22116 As a signed-in user I can import my passwords from a Dashlane csv export
- PB-22117 As a signed-in user I can import my passwords from a Nordpass csv export
- PB-22510 As a signed-in user I can import my passwords from a LogMeOnce csv export
- PB-22866 As a user I want to use passbolt in Italian
- PB-22866 As a user I want to use passbolt in Portuguese (Brazil)
- PB-22866 As a user I want to use passbolt in Korean
- PB-22866 As a user I want to use passbolt in Romanian
- PB-22882 As a user I can use the SSO feature to speed up the extension configuration process
Improved
- PB-21408 As a logged-in user navigating to the account recovery user settings from the MFA user settings I should not see the screen blinking
- PB-21548 As a signed-in user I can access my MFA settings for a given provider following a dedicated route
- PB-22647 As a signed-in user I want to use my personal google email server as SMTP server
- PB-22699 As a user I want a unified experience using pwned password feature
- PB-22725 As a signed-in user I want to see an introduction screen prior setting up Duo v4
- PB-22835 As an administrator I can define the optional SMTP Settings “client” setting
- PB-22861 As an administrator I want to manage Duo v4 settings
Fixed
- PB-22387 As an administrator generating an account recovery organization key, I should see the warning banner after submitting the form
- PB-22587 Fix the CSV exports columns presence and order
- PB-22588 As a signed-in user I want to import resources in Lastpass csv export following their conventions
- PB-22701 As a signed-in user I should not see the MFA mandatory dialog if there are no MFA providers enabled for my organization
- PB-22704 As a user with a configured account and SSO, I should be able to recover/setup another account
- PB-23277 As a signed-in user I should not have a 404 error with the flag mfa policy disable
Security
- PB-21645 As content code application I should be restricted to open ports only for applications I am allowed to open
- PB-21754 As a user I should not see any trace of previously downloaded content in my history
- PB-23279 As a user completing a setup I should not have access to the background page decryption secret capabilities
Maintenance
- PB-19641 Handle the setup and recover runtime object
- PB-19675 As a signed-in user I want to perform a recover using the browser extension with MV3
- PB-19676 As a signed-in user I want to perform a setup using the browser extension with mv3
- PB-19677 As a signed-in user I want to perform a sign-in using the browser extension with MV3
- PB-19678 As a signed-in user I want to start the application using the browser extension with mv3
- PB-21750 As service worker I should be able to wake up a disconnected application port
- PB-21822 As a signed-in user I want to open quickaccess using the browser extension with MV3
- PB-21823 As a signed-in user I want to see the web integration using the browser extension with MV3
- PB-21824 As a signed-in user I want to see the web public sign in using the browser extension with MV3
- PB-21829 Clean port after a web navigation on the main frame
- PB-21996 As a signed-in user I want to see the in form call to action using the browser extension with MV3
- PB-21997 As a signed-in user I want to see the in form menu using the browser extension with MV3
- PB-22009 Create a service to parse the webIntegration in url
- PB-22076 Handle flush local storage on browser runtime onStartUp for MV3
- PB-22077 Handle config init and post logout on service worker startup
- PB-22078 Create a polyfill to handle browser.action on MV2
- PB-22113 As a signed-in user I should be able to open the quickaccess popup from inform menu with MV3
- PB-22412 As a signed-in user I want to use account recovery process using the browser extension with MV3
- PB-22648 Adapt payload when back return duo settings
- PB-22896 Update styles to adapt to Duo forms updates
- PB-22898 Update login form design styles
Glue
Song: https://open.spotify.com/track/2aJDlirz6v2a4HREki98cP?si=51e34d30904b4459
The passbolt team is excited to share the latest improvements in release 3.10. With the help of our contributors and the community's input, passbolt is proud to present the release of self-registration.
Users can now self-register if their email domain matches the administrator-defined policy. This will make the registration process more efficient and smoother, especially with larger teams.
Thanks to everyone who contributed to this release, we look forward to continuing to enhance passbolt with your support.
[3.10.0] - 2023-02-14
Added
- PB-21752 As a user I can self register if my email domain matches the policy defined by the administrators
- PB-21999 As a signed-in administrator I can force users to authenticate with MFA at each sign-in
- PB-22000 As a signed-in administrator I can force users to enable MFA
- PB-22080 As a signed-in user I should be able to import chromium based browsers csv
- PB-21874 As signed-in user I should be able to import bitwarden csv
Improved
- PB-21910 As a signed-in administrator on the self registration admin settings form I want to see the domain warnings while typing and not after blur event
Fixed
- PB-18371 Fix contextual menu positioning issue when right clicking at the bottom of the page
- PB-22386 As an administrator I want to know if the weak passphrase I am entering to generate an organisation recovery key has been pwned
- PB-22387 As an administrator generating an account recovery organisation key, I should see the warning banner after submitting the form
- PB-22388 Fix as a user recovering my account I should not see that the passphrase I entered has been pwned if it is not the valid passphrase
- PB-22084 As a signed-in user I can import my passwords from 1Password csv export with their new header conventions
Maintenance
- PB-21562 Refactor service worker port and add coverage
- PB-21933 Create a service to parse the sign in url
- PB-22337 Merge both controller AuthController and AuthSignInController to keep consistency
- PB-22403 Instead of using new URL when getting sso url login, use an entity to ensure consistency and that the data is validated
- PB-22478 As a developer I should be sure my changes don’t introduce regression in the build
- PB-22479 As a developer I should be sure my changes don't introduce dependency vulnerabilities
- PB-22614 Avoid telemetries to be sent to Storybook
- PB-22630 Fix the Unit test in the browser extension about method that shouldn't be called
Bunny
Song: https://youtu.be/U_i895w7CfM
The team at passbolt is thrilled to announce the release of v3.9 for immediate availability!
Passbolt CE v3.9 ships with Multi Factor Authentication (MFA) for all community edition users! Users can now set up MFA using various methods, including Duo, TOTP (Google Authenticator, Authy), and YubiKey (with Yubico Cloud).
Additionally, v3.9 also includes support for PHP 8.2.
The team is glad to make MFA, a former passbolt Pro feature, more widely available, as it’s been a highly requested feature within our community (even though one could argue that the existing authentication protocol already combined 2 factors of authentication: the private key and the master passphrase). The goal at passbolt is to provide the best security possible first while constantly improving user experience. It wouldn’t be possible without the incredible community that surrounds passbolt. Thank you to everyone who contributed ideas, reported bugs, and provided input.
Big things are on their way! Keep an eye out for how passbolt continues to grow and evolve in the coming months with additional pro edition features becoming available in the CE such as folders! To show your support please write a review on the app / extension webstore (chrome, firefox, edge, ios, android).
[3.9.1] - 2023-01-18
Added
- PB-21383 As AD I can save the SSO server settings
- PB-21383 As AD I can disable the SSO server settings
- PB-21393 As a registered user I can use the SSO feature to sign in to passbolt
- PB-21400 As LU I can rotate my private key's passphrase and still be able to sign in via SSO
- PB-21735 As a signed-in administrator in the administrator workspace, I can see the user self registration settings option in the left-side bar
- PB-21740 As a signed-in administrator I can remove a domain from the user self registration list
- PB-21767 As AN I want to have the SSO login displayed by default when I have an SSO kit available
- PB-21768 As AD I want my SSO kit to be generated when saving a new SSO settings if I don't have already one
- PB-21769 As AN I want to use SSO login from the quickaccess
- PB-21814 As LU When rotating my passphrase I want to clean my SSO kit on the API
- PB-21842 As AN I want to have help if I can't remember my passphrase and SSO login is activated
- PB-21907 As a signed-in administrator on the self registration admin settings form, I want to see the warning message on a row domain even when there are errors on other domains rows
- PB-21908 As a signed-in administrator on the self registration admin settings form, I should not see an error when I enable the settings which previously were containing error
- PB-21909 As a signed-in administrator on the self registration admin settings form, I want to see the new row having focus when I click on the add a new row button
- PB-22006 As a user finalising my recover I should be able to authenticate with SSO after my first sign out
Improved
- PB-21920 As a user I want to use the new PwnedPasswords service when I setup an account, recover an account, change my passphrase or generate an organisation recovery key
- PB-19793 As a user I want to see a consistent layout while signing-in to passbolt
- PB-20561 As a user changing my passphrase I would like to see the passphrase field description translated
- PB-21490 As an administrator I shouldn't see the "save required" banner after saving the SMTP settings
- PB-20559 As an administrator I want clearer account recovery email notification descriptions relative to administrators
- PB-21746 As a signed-in user I want to autofill french authentication form using french language as field name
- PB-21612 Refactor fileController into a dedicated service
- PB-19156 Replace setInterval by alarm in worker::waitExists
Fixed
- PB-19649 As a user sharing a resource/folder, I should be able to see the number of users contained in groups search result
- PB-21443 As a user on the administration section I would like to see the passbolt logo
- PB-21476 As signed-in user, I want to copy content in my clipboard using passbolt over http
- PB-22022 Fix height for the svg Passbolt logo
Maintenance
- PB-19054 Remove the usage of the soon unavailable global “window” object
- PB-19292 As a user I want file downloads to be compatible with MV3 as well
- PB-19299 Remove the usage of the soon unavailable global “window” object in the unit tests
- PB-19309 Remove the usage of the soon unavailable global “window” object in the “Random” crypto helper
- PB-19586 Refactor administration screen actions components
- PB-19639 Refactor applications port connection bootstrap
- PB-19650 Handle MV3 port re-connection
- PB-19657 Add frameId to the ScriptExecution
- PB-21370 Reduce repository size
- PB-21435 Bootstrap MV3 service worker
- PB-21486 Increase code coverage relative to the SMTP authentication method recently added in the SMTP settings admin screen
- PB-21911 As a developer I want to know the source (author, url, license) of the src/react-extension/lib/Domain/Domains.js list
Trechter
Song: https://youtu.be/QrSDDdzjMVo
This release is a small maintenance release fixing issues reported by the community relative to the session expiry. Additionally, it was the opportunity to ship a long-requested improvement, also relative to the session expiry. When signing in to passbolt and checking the “remember until sign out” checkbox, users will keep their session alive for the duration of their operating system user session or until they sign out manually.
Thanks to the community members who reported issues and helped us fix them.
[3.8.2] - 2022-11-28
Fixed
- PB-21565 As a logged-in user, I should decide to keep my session alive until I sign out
- PB-21372 As a logged-in user, I should see folders without caret aligned