
Releases: TheRealNate/meteor-mfa

0.1.0: Updates to verifyChallenge

20 Jun 18:36

This release contains security-related updates. All users should update immediately.

Security Updates:
Previous versions contained an issue with verifyChallenge, where in certain situations a challenge solved for User A could be used in place of a challenge solved by User B. This issue could render MFA useless in applicable situations. This vulnerability does not apply to logging in.

This vulnerability applies to:

  • Reset Password
  • Use of MFA.verifyChallenge, where the userId returned by MFA.verifyChallenge is not validated to be the same as this.userId.

Breaking Changes:

  • MFA.verifyChallenge's arguments now take the format (userId, type, connectionHash, solvedChallenge)
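
The class of bug described in this release, and the reason the expected userId is now an argument to the check, can be shown with a standalone model. This is an added example, not code from meteor-mfa; the in-memory store and every function name in it are hypothetical.

```javascript
// Standalone model of the bug class; all names are hypothetical, not meteor-mfa code.
const challenges = new Map(); // challengeId -> { userId, type, solved }
let nextId = 0;

function issueChallenge(userId, type) {
  // Constructed sequential ids keep the demo deterministic; real ids must be unguessable.
  const id = `challenge-${++nextId}`;
  challenges.set(id, { userId, type, solved: false });
  return id;
}

function markSolved(id) {
  // Stands in for a successful second-factor check.
  challenges.get(id).solved = true;
}

// Unbound check: reports whose challenge was solved and leaves the comparison to the caller.
function verifyUnbound(id) {
  const c = challenges.get(id);
  return c && c.solved ? c.userId : null;
}

// Bound check: expected user and type are inputs, and a challenge is single-use.
function verifyBound(expectedUserId, expectedType, id) {
  const c = challenges.get(id);
  if (!c || !c.solved) return false;
  if (c.userId !== expectedUserId || c.type !== expectedType) return false;
  challenges.delete(id); // invalidate after success so it cannot be replayed
  return true;
}

// Reset-password style flow that never compares the returned userId to the target.
function resetPasswordUnchecked(targetUserId, id) {
  return verifyUnbound(id) !== null;
}

function resetPasswordChecked(targetUserId, id) {
  return verifyBound(targetUserId, "resetPassword", id);
}

function demo() {
  const aChallenge = issueChallenge("userA", "resetPassword");
  markSolved(aChallenge);
  return {
    uncheckedAcceptsForB: resetPasswordUnchecked("userB", aChallenge), // true
    checkedAcceptsForB: resetPasswordChecked("userB", aChallenge),     // false
    checkedAcceptsForA: resetPasswordChecked("userA", aChallenge),     // true
    replayForA: resetPasswordChecked("userA", aChallenge),             // false
  };
}
```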

0.0.13: Passwordless

23 May 16:09

New Features:

  • Passwordless

Breaking Changes:
None - Passwordless has been added as an opt-in feature (config.passwordless defaults to false)

Server Changelog:

  • Add MFA.disablePasswordless(userId), which disables passwordless (but maintains MFA) for a user
  • MFA.disableMFA will also disable passwordless if user has it enabled

Client Changelog:

  • Add MFA.loginWithPasswordless
  • Add params for MFA.registerU2F that allow enabling passwordless ({passwordless:true, password:"..."})

Passwordless Release Candidate

21 May 18:45
3133b30
Pre-release

Breaking Changes:
None - Passwordless has been added as an opt-in feature (config.passwordless defaults to false)

Server Changelog:

  • Add MFA.disablePasswordless(userId), which disables passwordless (but maintains MFA) for a user
  • MFA.disableMFA will also disable passwordless if user has it enabled

Client Changelog:

  • Add MFA.loginWithPasswordless
  • Add params for MFA.registerU2F that allow enabling passwordless ({passwordless:true, password:"..."})

Passwordless Release Candidate

20 May 16:56
edfdb61
Pre-release

Breaking Changes:
None - Passwordless has been added as an opt-in feature (config.passwordless defaults to false)

Server Changelog:

  • Add MFA.disablePasswordless(userId), which disables passwordless (but maintains MFA) for a user
  • MFA.disableMFA will also disable passwordless if user has it enabled

Client Changelog:

  • Add MFA.loginWithPasswordless
  • Add params for MFA.registerU2F that allow enabling passwordless ({passwordless:true, password:"..."})

Add Authorization Feature

20 May 16:22

Add "Authorization" Feature.

Breaking Changes:
None

Client Changelog:

  • Add MFA.authorizeAction
  • Add MFA.useU2FAuthorizationCode
  • Add MFA.supportsU2FLogin (allows you to check whether the current device supports U2F)

Server Changelog:

  • Add config.allowU2FAuthorization (default: true), which controls whether the authorization feature (MFA.authorizeAction method) is enabled
  • Add config.authorizationDisabledMethods (default: []), which is an array of challenge types that cannot be authorized (e.g., set to ["login"] to prevent MFA.authorizeAction("login"))

0.0.8

14 May 05:45
c7afc99
v0.0.8

MFA 0.0.8: Add Authorization Feature

0.0.7

07 May 20:41

Fix issue where challenges were not being invalidated

0.0.6

05 May 16:48
f5542d2
Merge pull request #2 from TheRealNate/docs-update

MFA: 0.0.6