v4.6.2

Song: https://youtu.be/3WOZwwRH6XU?si=jvTiezg7eEEpEh-S

Version 4.6.2 is a targeted maintenance release of the browser extension, focusing on refining passwords strength verification process. This update ensures a balance between adhering to security best practices and maintaining user-friendliness.

We extend our gratitude to the community for their insights to help us build passbolt.

[4.6.2] - 2024-03-29

Fixed

• PB-32394 As a user defining my passphrase while activating my account I want to know if my passphrase is part of a dictionary on form submission
• PB-32396 As a user defining my new passphrase while changing it I want to know if my new passphrase is part of a dictionary on form submission
• PB-32401 As an administrator defining the passphrase of the generated organization account recovery key I want to know if the passphrase is part of a dictionary on form submission
• PB-32407 As a user editing a password I am invited to confirm its edition when this one very weak in a separate dialog on form submission
• PB-32395 As a user defining my passphrase while requesting an account recovery I want to know if my new passphrase is part of a dictionary on form submission
• PB-32397 As a user verifying my private key passphrase while activation my account I do not want to know if my passphrase is part of a dictionary at this stage
• PB-32399 As a user confirming my passphrase while completing an account recovery (Admin approved) I do not want to know if my passphrase is part of a dictionary on form submission
• PB-32398 As a user confirming my passphrase while importing my private key during an account recover I do not want to know if my passphrase is part of a dictionary on form submission
• PB-32404 As a user creating a password from the quickaccess I am invited to confirm its creation when this one is part of a dictionary in a separate dialog on form submission
• PB-32403 As a user updating a password I am invited to confirm its edition when this one is part of a dictionary in a separate dialog on form submission
• PB-32405 As a user auto-saving a password from the quickaccess I should not be notified if the password is part of an exposed dictionary
• PB-32402 As a user creating a password I am invited to confirm its creation when this one is part of a dictionary in a separate dialog on form submission
• PB-32400 As a user confirming my passphrase while importing an account kit on the desktop app I do not want to know if my passphrase is part of a dictionary on form submission
• PB-32406 As a user creating a password I am invited to confirm its creation when this one very weak in a separate dialog on form submission
• PB-32427 As a user creating a password from the quickaccess I am invited to confirm its creation when this one is VERY WEAK in a separate page on form submission

v4.6.2-rc.0

Passbolt is pleased to announce that the v4.6.2 Release Candidate is officially available for testing. This release contains some bug fixes for issues reported by the community. As always, your feedback is invaluable, please share and report any issues you come across.

Thank you for your support! ♥️

[Unreleased]

[4.6.2-rc0] - 2024-03-28

Fixed

• PB-32394 As a user defining my passphrase while activating my account I want to know if my passphrase is part of a dictionary on form submission
• PB-32396 As a user defining my new passphrase while changing it I want to know if my new passphrase is part of a dictionary on form submission
• PB-32401 As an administrator defining the passphrase of the generated organization account recovery key I want to know if the passphrase is part of a dictionary on form submission
• PB-32407 As a user editing a password I am invited to confirm its edition when this one very weak in a separate dialog on form submission
• PB-32395 As a user defining my passphrase while requesting an account recovery I want to know if my new passphrase is part of a dictionary on form submission
• PB-32397 As a user verifying my private key passphrase while activation my account I do not want to know if my passphrase is part of a dictionary at this stage
• PB-32399 As a user confirming my passphrase while completing an account recovery (Admin approved) I do not want to know if my passphrase is part of a dictionary on form submission
• PB-32398 As a user confirming my passphrase while importing my private key during an account recover I do not want to know if my passphrase is part of a dictionary on form submission
• PB-32404 As a user creating a password from the quickaccess I am invited to confirm its creation when this one is part of a dictionary in a separate dialog on form submission
• PB-32403 As a user updating a password I am invited to confirm its edition when this one is part of a dictionary in a separate dialog on form submission
• PB-32405 As a user auto-saving a password from the quickaccess I should not be notified if the password is part of an exposed dictionary
• PB-32402 As a user creating a password I am invited to confirm its creation when this one is part of a dictionary in a separate dialog on form submission
• PB-32400 As a user confirming my passphrase while importing an account kit on the desktop app I do not want to know if my passphrase is part of a dictionary on form submission
• PB-32406 As a user creating a password I am invited to confirm its creation when this one very weak in a separate dialog on form submission
• PB-32427 As a user creating a password from the quickaccess I am invited to confirm its creation when this one is VERY WEAK in a separate page on form submission

v4.6.0

The Passbolt Pro 4.6.0 release "Purple Haze", brings a new SSO provider and improves administrative aspects and overall system health.

A major addition in this release is the Beta implementation of SSO AD FS (Active Directory Federation Services), enabling streamlined single sign-on capabilities for improved user access management.

Furthermore, this version incorporates the Health Check feature within the Admin workspace, offering administrators a comprehensive tool for system health assessment, thereby enhancing the platform's maintainability and reliability.

This release also focuses on refining the platform's infrastructure for enhanced performance. It lays the groundwork for future updates by optimizing data verification processes and reducing memory usage during web activities.

The update paves the way for a series of successive enhancements with the next releases.

[4.6.0] - 2024-03-14

Added

• PB-24485 As signed-in administrator I can see the healthcheck in the UI
• PB-29051 As a user I can use ADFS as SSO provider
• PB-29162 As signed-in administrator I can authorize only group managers to see the users workspace
• PB-29396 As signed-in administrator I can hide the share folder capability with a RBAC

Security

• PB-29384 As signed-in administrator I should see a 404 when accessing a non existing administration page
• PB-29384 As signed-in user I should see a 403 when attempting to access an administration page

Fixed

• PB-25865 As a signed-in user I want to autofill form which listen to change events
• PB-27709 As signed-in administrator I can reconfigure the LDAP integration after a server key rotation
• PB-29258 A signed-in users with a large data set I should have a direct feedback when selecting a resource with the checkbox
• PB-29506 As signed-in user, when loading the application, I should scroll to the resource detected in the url
• PB-29548 As a signed-in administrator, editing the password expiry policy, I want to be sure that I’m editing the latest version of the settings
• PB-29606 As signed-in user I should be able to export TOTP to keepass for Windows
• PB-29860 As signed-in user I should see the columns header translated to my language
• PB-29861 As signed-in user I should see the filter “Expiry” named “Expired” instead
• PB-29895 As user importing an account to the Windows application I should be able to access the getting started help page
• PB-29961 As signed-in user I want to see the import dialog information banner below the form and before the action buttons
• PB-30033 As a signed-in user I should be able to sign in with the quickaccess right after launching my browser

Maintenance

• PB-25555 Upgrade outdated dev library webpack and associated
• PB-25556 Upgrade outdated library i18next and associated
• PB-25689 Upgrade outdated library ip-regex and associated
• PB-25692 Upgrade openpgpjs to v5.11
• PB-25696 Upgrade outdated library webextension-polyfill
• PB-25699 Upgrade outdated library xregexp
• PB-25701 Upgrade outdated library luxon
• PB-29162 MFA user settings screens should be served by the browser extension
• PB-30015 Homogeneize collection constructor signature
• PB-30017 Remove collection and entity inheritance dependency
• PB-30021 Make collection and entity DTO optionally cloneable
• PB-30022 Reduce the number of resources collection instantiations while displaying the number of suggested resources
• PB-30023 Reduce the number of resources collection instantiations while displaying the suggested resources in the inform menu
• PB-30142 Homogenize collection and entity call parameters
• PB-30143 Ensure entities DTOs are not cloned when the data is retrieved from the API or the local storage
• PB-30156 Ensure the tags collection is not validating multiple times the entities while getting instantiated
• PB-30324 Reduce garbage collector usage while validating large amount of data

v4.6.0-rc.0

Song: https://www.youtube.com/watch?v=Ub0NtPOj7es

Passbolt is thrilled to announce that the v4.6.0 Release Candidate is officially available for testing.

This release introduces the server health check into the administration settings and brings Microsoft ADFS as a new SSO connector. It also contains maintenance updates and some important bug fixes relative to issues reported by the community .

As always, your feedback is invaluable, please share and report any issues you come across.

Enjoy the testing journey! ♥️

[4.6.0] - 2024-03-14

Added

• PB-24485 As signed-in administrator I can see the healthcheck in the UI
• PB-29051 As a user I can use ADFS as SSO provider
• PB-29162 As signed-in administrator I can authorize only group managers to see the users workspace
• PB-29396 As signed-in administrator I can hide the share folder capability with a RBAC

Security

• PB-29384 As signed-in administrator I should see a 404 when accessing a non existing administration page
• PB-29384 As signed-in user I should see a 403 when attempting to access an administration page

Fixed

• PB-25865 As a signed-in user I want to autofill form which listen to change events
• PB-27709 As signed-in administrator I can reconfigure the LDAP integration after a server key rotation
• PB-29258 A signed-in users with a large data set I should have a direct feedback when selecting a resource with the checkbox
• PB-29506 As signed-in user, when loading the application, I should scroll to the resource detected in the url
• PB-29548 As a signed-in administrator, editing the password expiry policy, I want to be sure that I’m editing the latest version of the settings
• PB-29606 As signed-in user I should be able to export TOTP to keepass for Windows
• PB-29860 As signed-in user I should see the columns header translated to my language
• PB-29861 As signed-in user I should see the filter “Expiry” named “Expired” instead
• PB-29895 As user importing an account to the Windows application I should be able to access the getting started help page
• PB-29961 As signed-in user I want to see the import dialog information banner below the form and before the action buttons
• PB-30033 As a signed-in user I should be able to sign in with the quickaccess right after launching my browser

Maintenance

• PB-25555 Upgrade outdated dev library webpack and associated
• PB-25556 Upgrade outdated library i18next and associated
• PB-25689 Upgrade outdated library ip-regex and associated
• PB-25692 Upgrade openpgpjs to v5.11
• PB-25696 Upgrade outdated library webextension-polyfill
• PB-25699 Upgrade outdated library xregexp
• PB-25701 Upgrade outdated library luxon
• PB-29162 MFA user settings screens should be served by the browser extension
• PB-30015 Homogeneize collection constructor signature
• PB-30017 Remove collection and entity inheritance dependency
• PB-30021 Make collection and entity DTO optionally cloneable
• PB-30022 Reduce the number of resources collection instantiations while displaying the number of suggested resources
• PB-30023 Reduce the number of resources collection instantiations while displaying the suggested resources in the inform menu
• PB-30142 Homogenize collection and entity call parameters
• PB-30143 Ensure entities DTOs are not cloned when the data is retrieved from the API or the local storage
• PB-30156 Ensure the tags collection is not validating multiple times the entities while getting instantiated
• PB-30324 Reduce garbage collector usage while validating large amount of data

v4.5.2

Song: https://youtu.be/53YYph6Edd0

Passbolt is pleased to announce the immediate availability of version 4.5.2. This is a maintenance update that contains important fixes for both the API and browser extension, addressing issues reported by the community since version 4.5.0.

Most notably this update fixes a problem that previously prevented the autofill feature from working with certain web applications.

Additionally, the release improves the process for importing TOTPs from kdbx files on Windows, ensuring better support for TOTPs across various Keepass clients, including Keepass, KeepassXC, and Macpass.

Administrators would also be pleased to be able to host the API using PHP 8.3. While PHP 7.4 and PHP 8.0 are still supported on some distributions such as Debian, they will be discontinued soon and administrators are encouraged to upgrade to PHP 8.1 or higher and use the latest version of the passbolt API.

We would like to express our sincere thanks to the community members who brought issues to our attention and helped the team to make passbolt better.

[4.5.2] - 2024-02-12

Added

• PB-28672 As a user exporting resources I should also export TOTPs

Fixed

• PB-25865 As a signed-in user I can autofill credentials using input and change events
• PB-29258 As a signed-in user with a large dataset I can select a resource quickly
• PB-29548 As a signed-in administrator I should refresh password expiry cache when navigating to the password expiry administration page
• PB-29560 As a user importing a resources from a Windows keepass kdbx I should also import TOTPs
• PB-29606 As a user exporting a resources to a Windows keepass kdbx I should also export TOTPs

v4.5.2-rc.0

Passbolt is pleased to announce that the v4.5.2 Release Candidate is officially available for testing. This release contains some important bug fixes for issues reported by the community. As always, your feedback is invaluable, please share and report any issues you come across.

Thank you for your support! ♥️

[4.5.2] - 2024-02-12

Added

• PB-28672 As a user exporting resources I should also export TOTPs

Fixed

• PB-25865 As a signed-in user I can autofill credentials using input and change events
• PB-29258 As a signed-in user with a large dataset I can select a resource quickly
• PB-29548 As a signed-in administrator I should refresh password expiry cache when navigating to the password expiry administration page
• PB-29560 As a user importing a resources from a Windows keepass kdbx I should also import TOTPs
• PB-29606 As a user exporting a resources to a Windows keepass kdbx I should also export TOTPs

v4.5.1

Release song: https://youtu.be/90WD_ats6eE?si=S75OZHtm7VM2zdWH

Version 4.5.1 is exclusively a Passbolt browser extension maintenance release designed to address a problem that emerged with the earlier 4.5.0 release. This issue prevented Chrome users who run the Passbolt API from a subdirectory from establishing a connection.

We would like to express our sincere thanks to the community members who brought this issue to our attention and assisted the team in resolving it.

[4.5.1] - 2024-02-09

Fixed

• PB-29626 As a user I should retrieve the csrf token if the instance is running from a sub-folder

v4.5.1-rc.0

Release song: https://youtu.be/90WD_ats6eE?si=S75OZHtm7VM2zdWH

Version 4.5.1 is exclusively a Passbolt browser extension maintenance release designed to address a problem that emerged with the earlier 4.5.0 release. This issue prevented Chrome users who run the Passbolt API from a subdirectory from establishing a connection.

We would like to express our sincere thanks to the community members who brought this issue to our attention and assisted the team in resolving it.

[4.5.1] - 2024-02-09

Fixed

• PB-29626 As a user I should retrieve the csrf token if the instance is running from a sub-folder

v4.5.0

Release song: https://www.youtube.com/watch?v=HR1KH4zElcY

Passbolt v4.5.0, named "Summer is Ending", introduces exclusive features for Pro users, alongside enhancements available to everyone. These updates are geared towards empowering teams with even more control and flexibility over their password management practices.

At the heart of this release is the introduction of the Password Expiry feature, a much-anticipated functionality that allows administrators to enable the automatic expiry policy, enhancing security by ensuring that potentially passwords are rotated when someone loses access to resources, for example by leaving a group or the organization.

A standout feature of this release for Passbolt Pro Edition is the advanced Password Expiry settings. Administrators now have the ability to define comprehensive password expiry policies, ensuring that your team's password hygiene is not just compliant with industry standards but also customized to fit your organization's specific needs. This feature is complemented by the ability for users to mark passwords as expired and adjust expiry dates directly, providing both oversight and flexibility in managing sensitive information.

In addition to the Pro-exclusive features, this release brings shared enhancements with Passbolt CE, such as the inclusion of Russian language support, integration with Microsoft 365 and Outlook for SMTP settings, and the activation of the desktop application feature by default for an improved user experience.

Thank you for your ongoing support. Your feedback and contributions continue to shape Passbolt, enhancing our collective security and usability. Together, we're making password management better for everyone.

[4.5.0] - 2024-02-08

Added

• PB-28679 As an administrator I can set advanced password expiry settings
• PB-28681 As a user importing a resources from a file I should also import expiry date from keepass files
• PB-28682 As a user I can quickly mark resources as expired
• PB-28687 As a resource owner, I can change the resource expiration date manually
• PB-28692 As a user I can change the expiry date of a resource automatically based on the password expiry configuration
• PB-28850 As a signed-in user creating a resource from the app I should set the expired date if default expiry period has been defined in the organisation policies
• PB-28851 As a signed-in user creating a resource from the quickaccess I should set the expired date if default expiry period has been defined in the organisation policies
• PB-28852 As a signed-in user creating a resource from the auto-save I should set the expired date if default expiry period has been defined in the organisation policies
• PB-29045 As a user I want to open the quickaccess using a keyboard shortcut
• PB-29125 As an administrator I should not see the control function AllowIfGroupManagerInOneGroup on the UI

Improved

• PB-15269 As a user I do not want my browser extension to make multiple calls on resources.json in a row
• PB-21484 As an administrator I can use Microsoft 365 or Outlook as SMTP providers
• PB-22071 As an administrator I want the SSO messages to be in correct english
• PB-25503 As an admin I should be able to enable/disable emails that request group managers to add users to groups (LDAP/AD)
• PB-25860 As signed-in user I want to see the full name of the user at the origin of any account recovery action
• PB-27783 As a user opening the quickaccess I should have a clear feedback if the API service is unreachable
• PB-27961 As a signed-in user I cannot skip the administrator request to join the account recovery program
• PB-28507 As signed-in user importing resources I should know what is supported
• PB-28612 As a signed-in user I should see TOTP in uppercase
• PB-28646 As an administrator in the account recovery settings I should see “Prompt” instead of “Mandatory"
• PB-28709 Mark SASL option in Users Directory as Enterprise Edition
• PB-28727 As an administrator in the SSO settings I should see a combobox instead of a text input for the Azure’s URL
• PB-28923 As a user I want to be able to use passbolt in Russian
• PB-29008 As an administrator in RBAC administration page I should not see the role to setup the desktop or mobile app if the plugin is not enabled
• PB-29159 As a signed-in user I want the Mfa screen to be available when using the bext 4.4 and API 4.5
• PB-29263 Replace the mechanism to have CSRF token from the cookie

Security

• PB-29194 Upgrade vulnerable library web-ext
• PB-28658 Mitigate browser extension supply chain attack
• PB-28659 Mitigate browser styleguide supply chain attack
• PB-28660 Mitigate browser windows app supply chain attack

Fixed

• PB-22864 As a signed-in user, I should see a relevant error if I use special characters as security token
• PB-24496 As a user I should be able to use a passphrase with emoji
• PB-28283 As a user when I preview a secret I should see the activity sidebar updated
• PB-28540 As a user I should scroll automatically to the resource selected from the route
• PB-28625 As a user I can open resource url from the resource sidebar on Firefox
• PB-28632 As a user Fix design TOTP button disabled on create and edit resource
• PB-28696 As a user I should fill secret for TOTP with spaces
• PB-28721 As a user I can see the beta chip next to the desktop app menu item in the users settings menu
• PB-28753 As a user I should be able to edit a standalone TOTP from contextual menu
• PB-28880 As a user I should not see an error when I update the description of a resource with TOTP from the information panel
• PB-28842 As a user I can reach the Windows store passbolt app from the Desktop app setup screen
• PB-28282 As a user deleting a TOTP I should see the relevant dialog title mentioning Resource and not password
• PB-28873 As a signed-in user when I autofill input fields I should trigger a change event
• PB-29006 As a user I should not have my browser extension crashing when it receives an unsupported RBAC control_function value

Maintenance

• PB-27972 Refactor code of SSO settings
• PB-28592 Fix minimum gecko version in firefox manifest.json
• PB-29020 Fix detection pagemod duplicate

v4.5.0-rc.0

Release song: https://www.youtube.com/watch?v=HR1KH4zElcY

Hey community members,

Prepare for an exciting update! 🥁

Passbolt is thrilled to announce that the v4.5.0 Release Candidate is officially available for testing. With this release candidate you will be able to get a preview of the password expiry feature if you install both the RC of the browser extension and the API with the PASSBOLT_PLUGINS_PASSWORD_EXPIRY_ENABLED feature flag enabled and additionally the PASSBOLT_PLUGINS_PASSWORD_EXPIRY_POLICIES_ENABLED feature flag enabled for the version PRO.

Head to GitHub and dive in, following the steps here. As always, your feedback is invaluable, please share and report any issues you come across.

Thank you for your support, helping test passbolt prior to a release is a very valuable contribution to the project! ♥️

[4.5.0-rc.0] - 2024-02-02

Added

• PB-28679 As an administrator I can set advanced password expiry settings
• PB-28681 As a user importing a resources from a file I should also import expiry date from keepass files
• PB-28682 As a user I can quickly mark resources as expired
• PB-28687 As a resource owner, I can change the resource expiration date manually
• PB-28692 As a user I can change the expiry date of a resource automatically based on the password expiry configuration
• PB-28850 As a signed-in user creating a resource from the app I should set the expired date if default expiry period has been defined in the organisation policies
• PB-28851 As a signed-in user creating a resource from the quickaccess I should set the expired date if default expiry period has been defined in the organisation policies
• PB-28852 As a signed-in user creating a resource from the auto-save I should set the expired date if default expiry period has been defined in the organisation policies
• PB-29045 As a user I want to open the quickaccess using a keyboard shortcut
• PB-29125 As an administrator I should not see the control function AllowIfGroupManagerInOneGroup on the UI

Improved

• PB-15269 As a user I do not want my browser extension to make multiple calls on resources.json in a row
• PB-21484 As an administrator I can use Microsoft 365 or Outlook as SMTP providers
• PB-22071 As an administrator I want the SSO messages to be in correct english
• PB-25503 As an admin I should be able to enable/disable emails that request group managers to add users to groups (LDAP/AD)
• PB-25860 As signed-in user I want to see the full name of the user at the origin of any account recovery action
• PB-27783 As a user opening the quickaccess I should have a clear feedback if the API service is unreachable
• PB-27961 As a signed-in user I cannot skip the administrator request to join the account recovery program
• PB-28507 As signed-in user importing resources I should know what is supported
• PB-28612 As a signed-in user I should see TOTP in uppercase
• PB-28646 As an administrator in the account recovery settings I should see “Prompt” instead of “Mandatory"
• PB-28709 Mark SASL option in Users Directory as Enterprise Edition
• PB-28727 As an administrator in the SSO settings I should see a combobox instead of a text input for the Azure’s URL
• PB-28923 As a user I want to be able to use passbolt in Russian
• PB-29008 As an administrator in RBAC administration page I should not see the role to setup the desktop or mobile app if the plugin is not enabled
• PB-29159 As a signed-in user I want the Mfa screen to be available when using the bext 4.4 and API 4.5
• PB-29263 Replace the mechanism to have CSRF token from the cookie

Security

• PB-29194 Upgrade vulnerable library web-ext
• PB-28658 Mitigate browser extension supply chain attack
• PB-28659 Mitigate browser styleguide supply chain attack
• PB-28660 Mitigate browser windows app supply chain attack

Fixed

• PB-22864 As a signed-in user, I should see a relevant error if I use special characters as security token
• PB-24496 As a user I should be able to use a passphrase with emoji
• PB-28283 As a user when I preview a secret I should see the activity sidebar updated
• PB-28540 As a user I should scroll automatically to the resource selected from the route
• PB-28625 As a user I can open resource url from the resource sidebar on Firefox
• PB-28632 As a user Fix design TOTP button disabled on create and edit resource
• PB-28696 As a user I should fill secret for TOTP with spaces
• PB-28721 As a user I can see the beta chip next to the desktop app menu item in the users settings menu
• PB-28753 As a user I should be able to edit a standalone TOTP from contextual menu
• PB-28880 As a user I should not see an error when I update the description of a resource with TOTP from the information panel
• PB-28842 As a user I can reach the Windows store passbolt app from the Desktop app setup screen
• PB-28282 As a user deleting a TOTP I should see the relevant dialog title mentioning Resource and not password
• PB-28873 As a signed-in user when I autofill input fields I should trigger a change event
• PB-29006 As a user I should not have my browser extension crashing when it receives an unsupported RBAC control_function value

Maintenance

• PB-27972 Refactor code of SSO settings
• PB-28592 Fix minimum gecko version in firefox manifest.json
• PB-29020 Fix detection pagemod duplicate