v3.3.0 ~ Senior Elfo (pro)

Release date: October 27th, 2021.

The team is pleased to announce the much awaited v3.3 which includes new features as well as some fixes requested by the community. It’s been a while since the last release, but as you’ll see, we’ve been busy!

fig. Auto-fill a form with an existing credential in a click

While browsing the internet, passbolt users don’t always know how to use the quick access menu in the toolbar to create or use credentials on a given page. The anticipated autofill and autosave improvements, which we call “in-form integration”, has finally arrived. You’ll be able to perform actions faster within web forms, and be able to quickly generate passwords and save credentials.

We’ve also optimized the original quick access flow to provide better accessibility, with more complete contextual feedback and a reduced number of steps (for example, when inserting a password in a page).

fig. Password generator

This release also contains a revamped password generator, which allows for the customization of the password parameters and introduces support for passphrase generation. The new passphrase generator produces 9 words using the diceware method. By default, the words aren’t separated, but the user has the option to define a set of characters (e.g. “ ” or “_”) that’ll be used to separate them. The password generator has also been improved, and now generates passwords of 18 characters in length. Also, it’s now possible to exclude look alike characters, like Homoglyphs, and even include emojis 😏.

fig. Translations update

In our continuous effort to make the application accessible by all, in their mother tongue, this release ships with German and Swedish translations. Other languages, such as Dutch, Polish and Spanish, are in the works and scheduled for the end of the year.

fig. SOC2 Type I Report complete!

Both the password generator and in-form quick access functionalities have been reviewed as part of an independent security audit by Cure53. So, they should be safe for everyone to use! We also completed another series of audits for the API code and cloud infrastructure. We’ll share the results with you soon in a dedicated blog post (spoiler alert: no critical issue found).

We’ve also successfully completed our SOC2 Type I audit. Our SOC 2 Type II is also well underway and will be available by Q1 2022. These audits are just another step in our on-going compliance and security efforts.

fig. Mobile applications are pending reviews.

Ok, now for the final reveal. It’s been almost a year that we’ve been working on the passbolt mobile application (Android and IOS). This v3.3 release is shipping with its experimental support, which you can optionally enable to test! We’re currently waiting for the app’s reviews on the different web stores and we’ll publish a blog article to explain how to test the mobile app. The app will be available for general use and enabled by default once an independent security audit is completed by the end of November. Stay tuned!

A big thank you to the people who reported and documented bugs on github and the community forum, provided your feedback on the account recovery specifications. Thank you for your continued support.

API

[3.3.1] - 2021-11-24

Security fixes

• PB-9820 / PBL-06-008 WP3: JWT key confusion leads to authentication bypass (High) [experimental][disabled by default]

[3.3.0] - 2021-10-25

Added

• PB-7815 As a server administrator I should be able to enable / disable the in-form menu feature, enabled by default
• PB-6072 As a server administrator I should be able to enable / disable the password generator feature, enabled by default
• PB-8189 As a user I should be able to use the application in German or Swedish
• PB-7847 As AN I should be able to authenticate to passbolt via JWT access and refresh tokens [experimental][disabled by default]
• PB-6034 As LU I should be able to configure my mobile app [experimental][disabled by default]

Improvement

• PB-8908 As a user I should see the footer of the passbolt emails translated with my locale
• PB-8364 As a user I should see the subject of the passbolt emails translated with my locale
• PB-6032 As API user I shouldn’t see the _joinData properties in the resource entry points responses
• PB-8281 Add Debian 11 bullseye support
• PB-7750 As AD I should be notified by the healthcheck when a tmp files is executable
• PB-7760 Increase PHPStan level to 6
• PB-8081 As AD I should be able to configure passbolt over IPv6 while installing a passbolt package
• PB-5866 As AD I should be able to detect avatar data discrepancies using the passbolt cleanup command
• PB-7605 As a developer I should be able to enable/disable a plugin easily

Fixed

• PB-5982 as LU sharing a folders with a user which contains resources already shared with this same user I should move the resources in the shared folders

• PB-5457 Fix as LU importing a batch of passwords I should not get an internal errors because of database deadlock
• PB-7840 Fix as AD I can install/reconfigure the passbolt package if ssl certificates are already present

Security

• PB-7961 Fix PBL-03-002 Missing CSRF protection on the user directories synchronize and ignore user entry points

• PB-8047 Fix PBL-02-002 As LU I should logout by posting to the API and the entry point should should be protected by CSRF
• PB-7751 Updates FlySystem dependency to v2.1.1
• SEC-181 Fix information disclosure: recover endpoint should not return user role and name.

Maintenance

• PB-8488 Remove user agent unnecessary check associated with MFA token
• PB-8336 Clean phpunit.xml file
• PB-8448 Hashes the session ID prior to passord_hash
• PB-8210 Replaces PHPSESSID with session_name()

Browser extension

[3.3.1] - 2021-10-26

Fixed

• PB-9388 Fix unnecessary organization settings API calls

[3.3.0] - 2021-10-20

Added

• PB-7608 As LU I should be able to customize the password generator parameters
• PB-7608 As LU I should be able to use emojis in the generated passwords
• PB-7608 As LU I should be able to generate passphrase instead of passwords
• PB-7606 As LU I should be able to see how many credentials are suggested for the page I’m currently on by looking at the passbolt icon in the toolbar
• PB-7649 As LU I should be prompted to save a new credential when I generate a password for a new sign-up form
• PB-7683 As LU I should be able to auto-fill a suggested credential directly from inside an authentication form
• PB-7693 As LU I should be able to generate a password directly from inside a sign-up form
• PB-8189 As a user should be able to use the application in German or Swedish
• PB-6034 As LU I should be able to configure my mobile app [experimental]

Improvement

• PB-7639 As LU I should be able to import folders containing slash in their names

• PB-8256 As LU I should be able to see the username and password fields pre-filled when I create a password with the quick access
• PB-8088 As LU I should not see the quick access passphrase capture screen shaking when it appears
• PB-7599 As AN installing the extension on chrome I should be able to see instructions regarding how to pin the extension in the toolbar
• PB-7626 As LU I should be able to auto-fill a form by directly clicking on a credential suggested by the browser extension quick access without seeing the credential details first
• PB-6132 As LU I should be able to see the role column inside the users grid
• As LU I should be able to see my quick access with a larger width

Fixed

• PB-7813 Fix as LU I shouldn’t be able to export from the folders section label if the exports feature is disabled

• PB-8306 Fix as LU I should see a content skeleton during loading on the share dialog of the application

• PB-8525 Fix as LU signing-in for the first time with the quick access I should be able to see the tags category

• PB-7364 As GM I should not see the group name editable in the group edit dialog

Security

• PB-8368 Password secret complexity calculation algorithm should take in account graphemes
• PB-8453 Mark password fields that are viewable as not auto-completable
• PB-8455 Update dependencies, remove unused grunt-contrib-concat

Maintenance

• PB-8367 Add code coverage automation
• PB-8492 Optimize passbolt-styleguide dependency package size
• PB-7575 Remove jQuery dependency
• PB-6057 Remove underscore dependency