Skip to content

v2.4.2

Choose a tag to compare

@github-actions github-actions released this 21 May 01:16

v2.4.2

Code quality release: clean analyzer warnings, strict-warnings build, and a coverage baseline. No behavior changes — passkey, TOTP, OIDC, lockout, sessions, audit log all unchanged. In-place upgrade.

Warnings cleanup

  • Audited 320 analyzer warnings, distinguished perf hints from correctness signals, and addressed every one.
  • Pure perf-only Roslyn rules (CA1848 LoggerMessage delegates, CA1822 static-member, CA1805 default-init, CA1845 span-Concat, CA1865 char-overload, CA1859 concrete-type, CA1869 cached JsonSerializerOptions) are silenced in .editorconfig with documented justifications — none affect correctness, all would force several hundred lines of boilerplate or API churn for negligible runtime impact. Microsoft's own dotnet/runtime does the same.
  • Correctness / clarity warnings fixed in source:
    • CA1001OidcLoginTokenStore and OidcService now implement IDisposable so their cleanup timers release on container shutdown (previously leaked the timer handle for the process lifetime).
    • CA1305 — every int.ToString() / ToString("D6") on the request path now passes CultureInfo.InvariantCulture so HTTP Retry-After headers and OTP codes aren't locale-formatted.
    • CA2249IndexOf(s, …) >= 0 substring probes (webhook URL detection, IPv4-vs-IPv6 disambiguation) switched to .Contains(s, …).
    • CA1835 — request-body byte-buffer read switched to the Memory<byte> overload of Stream.ReadAsync.
    • CA2012 — admin RevokeSession endpoint now awaits the ValueTask returned by ISessionManager.ReportSessionEnded instead of silently dropping it.
    • CA1806Guid.TryParse result discarded explicitly via _ = … so the intent is visible.
    • CA1725PluginServiceRegistrator.RegisterServices parameter names now match IPluginServiceRegistrator.
    • CA1711AuthenticationEventHandler keeps its name with a documented [SuppressMessage].
    • CA5350 — SHA-1 use in HibpService.ComputeSha1Hex is now annotated with a per-symbol [SuppressMessage] linking to the HIBP k-anonymity protocol spec (SHA-1 is mandated by the public API, not a security boundary).

Strict warnings

  • <TreatWarningsAsErrors>true</TreatWarningsAsErrors> enabled on the main plugin project. From now on, any new analyzer warning fails the build.

Coverage baseline

  • Code coverage now measured on every test run via coverlet.collector. Current coverage: 7.8% lines (606/7796), 6.6% branches. This is the baseline; growing it is on the v2.5+ roadmap. The existing 150 xUnit tests focus on service classes (TOTP, recovery codes, challenge store, HIBP, bypass evaluator, cookie signer); controllers and middleware are under-tested.

Upgrade

In-place upgrade. No config or behavior changes.

Package checksums

  • MD5: see Jellyfin.Plugin.TwoFactorAuthv2.4.2.0.md5
  • SHA256: see Jellyfin.Plugin.TwoFactorAuthv2.4.2.0.sha256

Sigstore-signed zip — verify with cosign verify-blob.