Updated user activity display to show when a user is connected via API key, including an icon and updated tooltip. Modified backend to set a 'connected_with' flag in activity details when API key authentication is used.
Added email notification for successful password reset, improved verification code handling, and implemented account lockout after too many failed attempts. Introduced new language strings for user feedback and security messages. Refactored password reset logic to better handle guest/generic users and API key recommendations.
Changed the "user_status_normal" label from "User" to "Basic" in English and from "Visiteur" to "Basique" in French to improve clarity and consistency in user status naming.
Deleted the "Customize" and "customize the appareance of the gallery" translation strings from all language files. Added a new string for "edit user preferences" in en_UK and fr_FR. This streamlines user preference terminology and removes redundant or outdated translation keys.
Introduces password and password confirmation fields when creating a user with 'generic' status. The password fields are shown or hidden based on the selected user status, and validation is added to ensure passwords are entered and match. Also adds a button to generate random passwords for new generic users.
change how required inputs are handled
change js to display error message for inputs only with data-required
for register, handle whether email is mandatory or not
update success message css
Added a call to clear_fake_user_cache() in pwg_login to ensure the fake user cache is reset after a successful login. Also introduced the clear_fake_user_cache() function for this purpose.
Improves login security by:
- implementing constant-time authentication to reduce timing attacks
- refactoring user lookup into find_user_by_username_or_email() for username or email login
- introducing a fake user to keep password verification time consistent
- adding a finalize_login hook so plugins can control the authentication flow (2FA, rate limiting, etc.)
Also updates user activity JS to:
- better display action details
- properly handle user lists (login/logout with multiple users)
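An added illustration of the fake-user technique described in the commit above; this is not Piwigo's code, and the user table, function names (lookup_user, get_fake_user, clear_fake_cache, try_login) and variable names are constructed stand-ins for the real find_user_by_username_or_email() and clear_fake_user_cache(). On a lookup miss the code returns a pre-hashed dummy row, so password_verify() always runs and a failed attempt costs the same hash check whether or not the username exists.

```php
<?php
// Constructed in-memory user table standing in for the database lookup.
$users = [
    ['id' => 1, 'username' => 'alice', 'mail_address' => 'alice@example.com',
     'password' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
$fake_user_cache = null; // dummy hash is built once and reused
// Hypothetical analogue of clear_fake_user_cache(): reset after a successful login.
function clear_fake_cache(?array &$cache): void
{
    $cache = null;
}

// Build (once) a fake user whose hash costs as much to verify as a real one.
function get_fake_user(?array &$cache): array
{
    if ($cache === null) {
        $cache = [
            'id' => 0, 'username' => '', 'mail_address' => '', 'is_fake' => true,
            'password' => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT),
        ];
    }
    return $cache;
}

// Hypothetical stand-in for find_user_by_username_or_email(): the real row on a
// hit, the fake user on a miss, never "no user".
function lookup_user(array $users, string $login, ?array &$cache): array
{
    foreach ($users as $u) {
        if ($u['username'] === $login || $u['mail_address'] === $login) {
            return $u + ['is_fake' => false];
        }
    }
    return get_fake_user($cache);
}

// password_verify() runs on every attempt, so an unknown username costs the same
// hash check as a known one. The fake user can never authenticate; a plugin hook
// such as the commit's finalize_login would be consulted after this point.
function try_login(array $users, string $login, string $password, ?array &$cache): bool
{
    $user = lookup_user($users, $login, $cache);
    $ok = password_verify($password, $user['password']) && !$user['is_fake'];
    if ($ok) {
        clear_fake_cache($cache);
    }
    return $ok;
}
var_dump(try_login($users, 'alice', 'correct horse', $fake_user_cache));
var_dump(try_login($users, 'nobody', 'correct horse', $fake_user_cache));
```

The database lookup itself is not equalised here; the technique only removes the dominant timing difference, the skipped password hash on an unknown account.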
Replaces direct login check with ws_session_login for 'pwg.images.uploadAsync' and updates error handling to return the login response. Also updates the web service method definition to make username and password optional and clarifies admin credential requirements in the documentation.
* instead of using the provided cat_id in the URL parameters, registers the "context" of the last 10 photos viewed. Be it an album, a search, a tag...
* maybe not the cleanest way to do it (because we do not rebuild the url string) but simple and straightforward
Replaced hardcoded 'username' and 'id' fields in the user query with configurable fields from $conf['user_fields'] to improve flexibility and compatibility with custom user schemas.
Replaces 'Public key' references with 'ID' and updates related copy messages in English and French language files and profile template. Also changes key icon to 'icon-user-secret' for better clarity and consistency in the API key generation UI.
Moved API key authentication input from a separate card to the test form section for improved clarity. Updated related CSS for better layout and consistency, and adjusted descriptions to highlight API key usage in Piwigo 16.
Uncommented and activated QR code generation in getQrCode(), allowing TOTP secrets to be encoded as base64 PNG images for easier setup in authenticator apps.
Added a call to stripslashes for the 'apikey_name' field to ensure it is unescaped before being returned. This improves display consistency for API key names containing escaped characters.
Simplifies the API key validation in auth_key_login by removing the requirement for connection_by_header. Now, API keys matching the pattern are accepted regardless of the connection source.