v0.7.3

@BlackApplication BlackApplication released this 10 Jun 15:20
· 2 commits to dev since this release

[0.7.3]

Adds step-up authentication — a strict, single-use 2FA confirmation gate for sensitive actions
(change password, view recovery codes, remove a method), independent of the login flow. OpenAPI moves
to 0.7.3; the .NET and all TypeScript packages bump to match.

Added

  • Step-up barrier (.NET): [RequireTwoFactor] (MVC action filter) and .RequireStepUp() (minimal-API endpoint filter) gate any endpoint; an enrolled user must present a valid step-up token or the call returns 403 STEP_UP_REQUIRED (carrying the available methods), while a user with no 2FA passes through. The decision lives once in Omni2FA.Core's IStepUpEvaluator. New /api/2fa/stepup/start|resend|verify endpoints (session-authenticated mirrors of /challenge/*); verify mints a single-use step-up token (purpose=2fa-stepup) via the new IPreAuthTokenIssuer.IssueStepUp / ValidateStepUp. New StepUp.Ttl + header-name options.
  • Single-use enforcement: IStepUpNonceStore records spent token ids until expiry; the default InMemoryStepUpNonceStore is single-instance (register a shared store, e.g. Redis, for multi-node — otherwise a token spent on one node has a replay window on the others bounded by the TTL). The token is bound to the caller, so a stolen token can't be replayed against another account.
  • Step-up (@omni2fa/core): client.startStepUp / resendStepUp / verifyStepUp, the stepUpMachine, the STEP_UP_HEADER constant, and the STEP_UP_REQUIRED error code. Transport-agnostic by design — the library never makes the protected request, so cookie- and Bearer-session hosts integrate identically.
  • Step-up (@omni2fa/react): useStepUp() returning confirmTwoFactor(methods) (shows the prompt, resolves a single-use token) plus the prompt state (active, methods, status, pick/submit/resend/cancel); reuses the existing challenge UI. The host detects 403 STEP_UP_REQUIRED and replays the request with the header in its own fetch/axios layer.

Changed

  • ITwoFactorChallengeService gains VerifyStepUpAsync; login and step-up share one verification core (no behavior change to login).
  • Docs (README, ARCHITECTURE, FLOWS, ASPNETCORE, ERROR_CODES) and the examples/full host (a step-up-protected POST /user/change-password) updated.

[0.7.2]

Patch: EF Core 10 host compatibility. .NET packages only — no API contract change, so OpenAPI stays
at 0.7.1 and the TypeScript packages are unchanged.

Fixed

  • EF Core 10 host compatibility (MissingMethodException on bulk delete): Omni2FA.AspNetCore.EntityFrameworkCore now multi-targets net8.0;net10.0, compiling each build against its matching EF Core major (8.0.x / 10.0.x). The previous single net8.0 build bound ExecuteDeleteAsync to EF Core 8's RelationalQueryableExtensions; under a host running EF Core 10 that method has moved, so recovery-code wipe and challenge purge threw MissingMethodException at runtime. NuGet now hands each host the matching asset. Omni2FA.Core and Omni2FA.AspNetCore stay net8.0 (consumed down-level by net10 hosts).