Skip to content

v2.4.1

Choose a tag to compare

@github-actions github-actions released this 21 May 00:03

v2.4.1

Bugfix release on top of v2.4.0 plus the WebAuthn library bump that was deferred from v2.4.

Bugfix: half-enrollment lockout

A user who clicked Begin Setup on the Setup page and navigated away without confirming a TOTP code could end up locked out: TotpEnabled was set immediately, so the next sign-in tried to challenge them, but TotpVerified was still false, so no TOTP method was offered — the challenge fell through to email-only, which doesn't help if SMTP isn't configured. Reproduced reliably with EnforcementScope = All + a fresh second account.

Fixed in three places, belt-and-suspenders:

  • SetupTotp and the forced-enrollment BeginForcedTotpEnrollment endpoints no longer flip TotpEnabled to true. The flag is only set when ConfirmTotp successfully verifies a code, so backing out leaves the account in a clean state.
  • The auth-time middleware gate now checks TotpEnabled && TotpVerified (or "has a passkey") instead of TotpEnabled alone. This rescues any account that was already half-enrolled under v2.4.0 — on the next sign-in it reads as "no 2FA" and follows the configured EnforcementScope policy correctly.
  • TwoFactorAuthProvider.Authenticate got the same treatment, plus it now honours EnforcementScope (Optional / Admins-only / All) instead of the legacy RequireForAllUsers flag.

Fido2NetLib 3.0.1 → 4.0.1

Upgrades the WebAuthn library to the actively-maintained 4.x line. Existing passkeys keep working unchanged. Internally:

  • New params-object API (RequestNewCredentialParams, MakeNewCredentialParams, GetAssertionOptionsParams, MakeAssertionParams) replaces the positional-argument signatures.
  • Return types renamed (AttestationVerificationSuccessRegisteredPublicKeyCredential, AssertionVerificationResultVerifyAssertionResult) with cleaner property names (Id/SignCount/AaGuid instead of CredentialId/Counter/Aaguid).
  • Verification failure is now signalled via Fido2VerificationException rather than a string-typed result.Status check.
  • WebAuthn Level 3 fields (backup eligibility, attestation format, transports) are surfaced for policy work in future versions.

The fat package now ships three new transitive dependencies: NSec.Cryptography.dll (native libsodium-backed ed25519), System.Formats.Cbor.dll (in-box CBOR decoder Fido2 4.0 calls into), and Microsoft.Bcl.Memory.dll (Base64Url helpers). They get listed in the plugin manifest's Assemblies array.

Admin UI

The new EnforcementScope dropdown introduced in v2.4.0 is now styled like the rest of the settings page (was rendering as borderless text — hard to spot as a clickable control).

Upgrade

In-place upgrade. No migration. Users who got stuck on v2.4.0 with TotpEnabled=true, TotpVerified=false are automatically un-stuck on next sign-in by the middleware gate change — no manual cleanup needed.

Package checksums

  • MD5: see Jellyfin.Plugin.TwoFactorAuthv2.4.1.0.md5
  • SHA256: see Jellyfin.Plugin.TwoFactorAuthv2.4.1.0.sha256

Sigstore-signed zip — verify with cosign verify-blob.