Releases: archicoop/loginOtp

v2.0.0 — Login OTP via Email

@monmarzia-archi monmarzia-archi released this 30 Jun 10:46

Major refactor of the 2FA enforcement model: per-journal configuration,
OR-based rule set, plugin is now always active.

Added

  • Site-level login interception: a new Authentication::authenticate hook
    intercepts login attempts on the global (site-level) login form. Site-level
    login always requires OTP, regardless of per-journal configuration.
  • Site-wide rules for elevated roles: Site Administrator and Journal Manager
    (in any journal) always require OTP, on any journal and at site level.
  • Cautious default for external users: a user with no roles in the journal
    they are logging into now always receives OTP.
  • Documented opt-out mechanism: saving a journal's required-roles list empty
    opts that journal out of OTP for ordinary roles (Site Admin, JM, and external
    users still receive OTP).

Changed

  • OTP enforcement: from "highest-privilege role wins" to OR logic
    (OTP is required if the user has any of the selected roles).
  • Settings storage: back to per-journal plugin_settings (instead of the
    site-wide site_settings used in 1.0.1).
  • Plugin architecture: registers as a site plugin (isSitePlugin()=true)
    but cannot be disabled (getCanDisable()=false). Always-active component;
    administrators configure required roles per journal, but cannot turn it off.
  • Configuration scope: settings are now per-journal. Each journal has its own
    required-roles list; there is no longer a single site-wide configuration.

Removed

  • Role hierarchy logic and the visual cascade in the settings form.
  • Per-journal enable/disable toggle for the plugin.

Upgrade notes

This is a major version with breaking changes to the configuration model.
On upgrade from 1.x:

  • Existing site-wide settings in site_settings are not migrated automatically.
  • After upgrade, configure the required roles per journal via the Plugins panel
    of each journal.
  • The plugin cannot be disabled; to opt a journal out of OTP for ordinary
    roles, save its required-roles list empty.

See the README for the full rule set and examples,
and the CHANGELOG for the full history.
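
The v2.0.0 rule set above, modelled as a single decision function so the order of the checks can be audited. This is an added example, not the plugin's own code: the role identifiers, the function name and its parameters are assumptions, and the sample logins are constructed.

```php
<?php
declare(strict_types=1);

// Illustrative model of the v2.0.0 rules in these release notes; not the plugin's code.
// Role identifiers, names and parameters are hypothetical.
const ROLE_SITE_ADMIN = 'site_admin';
const ROLE_JOURNAL_MANAGER = 'journal_manager';

/**
 * @param ?string $journal journal being logged into, or null for the site-level form
 * @param array<string, string[]> $rolesByContext the user's roles, keyed by journal ('site' for site-wide)
 * @param string[] $requiredRoles required-roles list saved for $journal
 */
function otpRequired(?string $journal, array $rolesByContext, array $requiredRoles): bool
{
    if ($journal === null) {
        return true; // site-level login always requires OTP
    }
    foreach ($rolesByContext as $roles) {
        // Site Administrator, or Journal Manager in any journal: always OTP.
        if (array_intersect($roles, [ROLE_SITE_ADMIN, ROLE_JOURNAL_MANAGER]) !== []) {
            return true;
        }
    }
    $local = $rolesByContext[$journal] ?? [];
    if ($local === []) {
        return true; // external user: no roles in this journal
    }
    // OR logic: any selected role triggers OTP. An empty list matches nothing,
    // which is the documented opt-out for ordinary roles.
    return array_intersect($local, $requiredRoles) !== [];
}

// Constructed sample logins: [label, journal, roles by context, required roles].
$cases = [
    ['site-level form, author in j1', null, ['j1' => ['author']], []],
    ['manager of j2 logging into j1', 'j1', ['j1' => ['author'], 'j2' => [ROLE_JOURNAL_MANAGER]], []],
    ['no roles in j1', 'j1', ['j2' => ['reviewer']], ['editor']],
    ['author+reviewer, reviewer selected', 'j1', ['j1' => ['author', 'reviewer']], ['reviewer']],
    ['author, only editor selected', 'j1', ['j1' => ['author']], ['editor']],
    ['author, j1 opted out (empty list)', 'j1', ['j1' => ['author']], []],
];
foreach ($cases as [$label, $journal, $roles, $required]) {
    printf("%-36s %s\n", $label, otpRequired($journal, $roles, $required) ? 'OTP' : 'no OTP');
}
```

The three unconditional checks run before the journal's list is consulted, so an empty list can only exempt users who hold an ordinary role in that journal.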

v1.0.1

@monmarzia-archi monmarzia-archi released this 11 Jun 12:02

Login OTP via Email 1.0.1

First publicly documented release.

Notes

  • Replaces the initial 1.0.0 release (which was iteratively patched in place
    prior to this clean release).
  • Compatible with OJS/OMP 3.5.x.

Changes since 1.0.0

  • Fixed login flow on site-level access (no journal context) — the plugin
    is now registered as a site plugin (isSitePlugin()), with role
    configuration stored in site_settings.
  • Improved OTP email layout: the code is now rendered as a standalone
    styled block for easier copy-paste.
  • Settings UI: visual role hierarchy cascade — selecting a higher-privilege
    role auto-disables lower roles in the UI without affecting saved state.
  • Localization updates and minor code corrections (contributed via PRs).

Installation

See README for installation and
configuration instructions.