Introduces a compatibility implementation of str_starts_with for environments where it is not available. Updates common.inc.php to include the polyfill if the function does not exist.
Adds a check to initialize $_SESSION['connected_with'] to 'pwg_ui' if it is not already set. This ensures the session variable is always defined before proceeding with cache deletion.
Updated user activity display to show when a user is connected via API key, including an icon and updated tooltip. Modified backend to set a 'connected_with' flag in activity details when API key authentication is used.
Added email notification for successful password reset, improved verification code handling, and implemented account lockout after too many failed attempts. Introduced new language strings for user feedback and security messages. Refactored password reset logic to better handle guest/generic users and API key recommendations.
Changed the "user_status_normal" label from "User" to "Basic" in English and from "Visiteur" to "Basique" in French to improve clarity and consistency in user status naming.
Deleted the "Customize" and "customize the appareance of the gallery" translation strings from all language files. Added a new string for "edit user preferences" in en_UK and fr_FR. This streamlines user preference terminology and removes redundant or outdated translation keys.
Introduces password and password confirmation fields when creating a user with 'generic' status. The password fields are shown or hidden based on the selected user status, and validation is added to ensure passwords are entered and match. Also adds a button to generate random passwords for new generic users.
change how required inputs are handled
change js to display error message for inputs only with data-required
for register handle mandatory or not email
update success message css
Added a call to clear_fake_user_cache() in pwg_login to ensure the fake user cache is reset after a successful login. Also introduced the clear_fake_user_cache() function for this purpose.
Improves login security by:
- implementing constant-time authentication to reduce timing attacks
- refactoring user lookup into find_user_by_username_or_email() for username or email login
- introducing a fake user to keep password verification time consistent
- adding a finalize_login hook so plugins can control the authentication flow (2FA, rate limiting, etc.)
Also updates user activity JS to:
- better display action details
- properly handle user lists (login/logout with multiple users)
Replaces direct login check with ws_session_login for 'pwg.images.uploadAsync' and updates error handling to return the login response. Also updates the web service method definition to make username and password optional and clarifies admin credential requirements in the documentation.
