- Issue created by @Gold
- United States cmlara
Note: Some answers have been provided to this request in Slack #contrib-tfa https://drupal.slack.com/archives/C7SR7TWMS/p1744252987515989 and are duplicated below.
My personal recommendation is that 2.x should not be run by anyone except those who are developing for the next release.
My personal opinion is also that we should not be cutting releases for 2.x until it both has all the known security fixes/hardening committed and any major API overhauls have been completed. Some of the other maintainers have expressed differing opinions encouraging more frequent releases; some of this can be seen in #3416791-6: Resolve SA-CONTRIB-2024-003 in 2.x branch (Comment #6 and newer).
I would likely want to see "Insufficient entropy in loginHash generation" (Active) completed, as the security evaluation for it was done before committing "Use an EventSubscriber to process one time login links" (Needs work), and while I'm not sure there is any more risk now, I haven't actually done a full in-depth review; rather than auditing line by line, just hardening the hash is preferred.
That said, there is starting to be a good argument that it may be worth cutting a 2.x before a full API is established, with the intent that a 3.x branch be opened up to continue API-breaking changes on the roadmap ("Roadmap for 2.0.0 release", Active) to get away from fundamental implementation flaws that cannot be fixed in 1.x.
- New Zealand Gold 20 minutes in the future
Thanks for the prompt response @cmlara.
I think I'll follow up on the downgrade ticket. If it's D11 ready that ticks my boxen.
For those that need the OTP links to work and, for whatever reason, can't switch to the 8.x-1.x branch, the following patches, in this order, got me from 2.0.0-alpha4 to applying the desired patch.
- https://www.drupal.org/project/tfa/issues/3491476 Cleanup TfaUserDataTrait phpstan warnings (Active), MR101
- https://www.drupal.org/project/tfa/issues/3478341 Drupal Core Tests now use one time login links instead of user form (Active), MR103
- https://www.drupal.org/project/tfa/issues/3496146 Deprecations PHP 8.4 (Active), MR106
- https://www.drupal.org/project/tfa/issues/3491836 Cleanup cSpell GitLab Warnings (Active), MR104
- https://www.drupal.org/project/tfa/issues/3505295 Revert PHPUnit Stage to not use core phpunit.xml (Active), MR112
- https://www.drupal.org/project/tfa/issues/3392427 Use an EventSubscriber to process one time login links (Needs work), MR57
* We keep local patches, hence the list rather than a copy/pasteable `"patches": {}` block. Sorry.