Passbolt - Open source password manager for teams version history - 25 versions
Passbolt - Open source password manager for teams by passbolt
Be careful with old versions! These versions are displayed for testing and reference purposes.You should always use the latest version of an add-on.
Latest version
Version 4.10.2
Released Dec 9, 2024 - 4.88 MBWorks with firefox 115.0 and laterPassbolt v4.10.2 is part of a long series of maintenance updates aimed at laying the groundwork for the upcoming v5 release and addressing bugs reported by the community. This update ensures the browser extension is fully compatible with the new v5 resource formats, allowing developers to prepare their integrations under the best possible conditions.
Thank you to the community for your reports.
### Added
PB-35706: WP3-3.7 Webapp EditStandaloneTotp component updates resources of type v5
PB-35741: WP3-5.5 Export resources of type v5
PB-35743: WP3-5.4 Migrate export resources controller logic into a dedicated service
PB-35753: WP3-6.3 Migrate update group controller logic into a dedicated service
PB-35771: WP3-8.1 Implement SessionKeyEntity entity to support session key
PB-35772: WP3-8.2 Implement SessionKeysCollection collection to support collection of session keys
PB-35773: WP3-8.3 Implement SessionKeysBundleEntity entity to support persisted collection session keys as stored on the API or local storage
PB-35857: WP3-8.9 Implement SessionKeysBundlesSessionStorageService to store and retrieve session keys bundles from session storage
PB-35858: WP3-8.4 Implement SessionKeysBundlesCollection collection to support collection of session keys bundle entity
PB-35862: WP3-8.5 Implement decryptOne on DecryptSessionKeysBundles service to decrypt a session key bundle
PB-35863: WP3-8.6 Implement decryptAll on DecryptSessionKeysBundlesService service to decrypt a sessions keys bundles collection
PB-35864: WP3-8.7 Implement findAll on SessionKeysBundlesApiService to retrieve session keys bundles from the API
PB-35867: WP3-8.8 Implement findAllBundles on FindSessionKeysService to retrieve sessions keys bundles from the API
PB-35869: WP3-8.10 Implement findAndUpdateAllBundles on FindAndUpdateSessionKeysSessionStorageService to retrieve session keys bundles from the API and store them in the session storage
PB-35876: WP3-8.11 Implement getOrFindAllBundles on GetOrFindSessionKeysService to retrieve session keys from store or from the API and store them in the session storage
PB-35877: WP3-8.12 Implement getOrFindAllByForeignModelAndForeignIds on GetOrFindSessionKeysService to retrieve session keys from storage or from the API and store them in the session storage
PB-35878: WP3-8.20 DecryptMetadataService should use the session keys when decrypting metadata of a collection of resources
PB-35879: WP3-8.13 Implement decryptWithSessionKey on DecryptMessageService
PB-35881: WP3-8.14 Implement GetSessionKeyService crypto service
PB-35886: WP3-8.15 Implement create on SessionKeysBundlesApiService to create a session keys bundle on the API
PB-35887: WP3-8.16 Implement delete on SessionKeysBundlesApiService to delete a session keys bundle on the API
PB-35888: WP3-8.17 Implement update on SessionKeysBundlesApiService to update a session keys bundle on the API
...Source code released under GNU AGPL V3.0
Download Firefox and get the extensionYou'll need Firefox to use this extensionOlder versions
Version 4.10.0
Released Nov 12, 2024 - 4.87 MBWorks with firefox 115.0 and laterPassbolt v4.10.0 is a maintenance update that prepares for the upcoming v5 release, introducing beta support for the v5 resource type format within the v4 user interface and addressing reported issues.
This release is particularly valuable for maintainers of clients or integrations, offering an early preview of the v5 resource type format to aid in planning for future adaptations. While previous content types will remain supported until version 6, the new content types expand functionality, empowering technical teams to manage a broader range of credentials. Stay tuned—a blog article will be released soon to explain how to enable v5 support and begin testing your integrations.
Thank you to our community for your continued support.
## [4.10.0] - 2024-10-30
### Added
PB-16113 As LU I should be able to drag and drop a resource I own on a shared tag
PB-35412 WP3-2.1 Implement MetadataPrivateKey entity to support metadata private key
PB-35419 WP3-2.3 Implement MetadataPrivateKeys collection to support collection of metadata private keys
PB-35420 WP3-2.5 Implement MetadataKey entity to support metadata key
PB-35421 WP3-2.6 Implement MetadataKeys collection to support collection of metadata keys
PB-35422 WP3-2.2 Implement decryptOne on DecryptMetadataPrivateKeys service to decrypt a metadata private key
PB-35424 WP3-2.4 Implement decryptAll on DecryptMetadataPrivateKeys service to decrypt a metadata private keys collection
PB-35425 WP3-2.7 Implement decryptAllFromMetdataKeysCollection on DecryptMetadataPrivateKeys service to decrypt metadata private keys on MetadataKeys collection
PB-35426 WP3-2.8 Implement the function findAll on the FindMetadataKeys service to retrieve metadata keys from the API and decrypt any metadata private keys found if any
PB-35427 WP3-2.9 Implement the function findAllForSessionStorage on the FindMetadataKeys service to retrieve metadata keys for the Session storage
PB-35428 WP3-2.10 Adapt resource entity to support both encrypted metadata and non encrypted metadata
PB-35429 WP3-2.11 Implement decryptAllFromForeignModels on DecryptMetadata service to decrypt metadata on a resource collection
PB-35430 WP3-2.12 Decrypt metadata of v5 resources types when retrieving resources from the API
PB-35684 WP3-3.4 Implement encryptOneForForeignModel on EncryptMetadata service to encrypt metadata on a resource
PB-35686 WP3-3.5 Encrypt metadata of v5 resource types when editing new resource types
PB-35688 WP3-3.1 Add necessary capabilities to resource types collection and entity to support v5 types in the UI
PB-35692 WP3-4.1 implement metadata types settings entity to support metadata types settings
PB-35693 WP3-4.2 Implement findSettings on MetadataTypesSettingsApiService to retrieve metadata types settings
PB-35694 WP3-4.3 Implement findTypesSettings on FindMetadataSettingsService to retrieve metadata types settings entity
...Source code released under GNU AGPL V3.0
Version 4.9.4
Released Oct 3, 2024 - 4.81 MBWorks with firefox 115.0 and laterPassbolt v4.9.4 is a maintenance update of preparatory work for the incoming v5 and addresses reported issues. Specifically, it cleans the codebase to ease the later encryption of the resource metadata. Plus, it fixes the unexpected resource workspace column resizing and some displayed information.
Thank you to the community for reporting these issues.
## [4.9.4] - 2024-09-30
### Fixed
- PB-33927: Update the label for password expiry email notification
- PB-34743: Fix: folder's sidebar information misses the creator and modifier information
- PB-35351: Fix: Grid columns resizing unexpectedly
### Security
- PB-35129: Upgrade vulnerable library webpack
- PB-35354: Upgrade vulnerable library path-to-regexp
### Maintenance
- PB-34313: E2EE WP2 documentation permissions finder class
- PB-34612: As a desktop app I should see the dotnet error message in of http error
- PB-34632: WP2-1.1 Migrate ResourceTypeEntity to EntityV2
- PB-34633: WP2-1.2 Migrate ResourceTypesCollection to EntityV2Collection
- PB-34634: WP2-1.3 Migrate CommentEntity to EntityV2
- PB-34635: WP2-1.4 Migrate CommentsCollection to EntityV2Collection
- PB-34636: WP2-1.5 migrate external resource entity to entity v2
- PB-34637: WP2-1.6 migrate external resources collection to entity v2 collection
- PB-34638: WP2-1.7 migrate external folder entity to entity v2
- PB-34639: WP2-1.8 migrate external folders collection to entity v2 collection
- PB-34640: WP2-1.9 Migrate ExportResourcesFileEntity to EntityV2
- PB-34641: WP2-1.10 Migrate PermissionTransferEntity to EntityV2
- PB-34642: WP2-1.11 Migrate PermissionTransfersCollection to EntityV2Collection
- PB-34643: WP2-1.12 Migrate GroupDeleteTransferEntity to EntityV2
- PB-34644: WP2-1.14 Migrate GroupUserTransfersCollection to EntityV2Collection
- PB-34645: WP2-1.15 Migrate UserDeleteTransferEntity to EntityV2
- PB-34646: WP2-1.13 Migrate GroupUserTransferEntity to EntityV2
- PB-34647: WP2-1.16 Migrate NeededSecretEntity to EntityV2
- PB-34648: WP2-1.17 Migrate NeededSecretsCollection to EntityV2Collection
- PB-34649: WP2-1.18 Migrate SecretEntity to EntityV2
- PB-34650: WP2-1.19 Migrate SecretsCollection to EntityV2Collection
- PB-34651: WP2-1.20 Migrate GroupUpdateDryRunResultEntity to EntityV2
- PB-34656: WP2-1.25 Migrate ImportResourcesFileEntity to EntityV2
- PB-34657: WP2-1.26 Migrate PlaintextEntity to EntityV2
- PB-34658: WP2-1.27 Migrate TotpEntity to EntityV2
- PB-34747: WP2-1.28 Remove not used sanitizeDto from GroupsUsersCollection
- PB-35124: Migrate 'gte' and 'lte' props of schemas to 'minimum' and 'maximum'
- PB-35125: WP2-2.6 Find resource permissions by requesting dedicated API permissions entry point
- PB-35128: WP2-2.1 unnecessary quick a api call when displaying home page
- ...Source code released under GNU AGPL V3.0
Version 4.9.3
Released Sep 4, 2024 - 4.8 MBWorks with firefox 115.0 and laterPassbolt v4.9.3 is a maintenance update that addresses issues related to the deletion of users. Specifically, it fixes problems that occurred when trying to delete a user who is either the sole owner of resources or the sole group manager. Under these conditions, the deletion process did not work as expected, and this update resolves those issues.
Thank you to the community for reporting this issue.
## [4.9.3] - 2024-09-04
### Fixed
- PB-35185 Administrator should be able to delete users who are sole owners of resources or sole group managerSource code released under GNU AGPL V3.0
Version 4.9.2
Released Aug 28, 2024 - 4.8 MBWorks with firefox 115.0 and laterThis release addresses several bugs reported by the community. Additionally, it includes numerous maintenance updates as part of our ongoing efforts to ensure a smooth transition and support for the upcoming v5.
Thank you to the community for reporting these issues.
## [4.9.2] - 2024-08-26
### Fixed
- PB-33861: Resources with personal field set to null should be considered as personal resources
- PB-34314: Fix shadow-dom autofill fields
- PB-34236: Fix Retrieving folder activities displaying no data
### Maintenance
- PB-34313: Add resources type retrieval requirements documentation
- PB-34259: E2EE WP1 - Transform dtos from v4 to v5
- PB-34260: E2EE WP1 - Display resource sidebar information section in v5
- PB-34261: E2EE WP1 - Display resource sidebar activity section in v5
- PB-34262: E2EE WP1 - Display resource sidebar description section in v5
- PB-34263: E2EE WP1 - Display copy username to clipboard from more menu using v5
- PB-34264: E2EE WP1 - Display resource grid using v5
- PB-34265: E2EE WP1 - Display resource grid contextual menu using v5
- PB-34266: E2EE WP1 - Display quickaccess resource view page in v5
- PB-34267: E2EE WP1 - Display quickaccess home page in v5
- PB-34268: E2EE WP1 - Display inform menu in v5
- PB-34269: E2EE WP1 - Autofill resources from Quickaccess in v5 format
- PB-34270: E2EE WP1 - Make resource entity compatible with v4 and v5
- PB-34271: E2EE WP1 - Display inform and toolbar suggested resources badge CTA in v5
- PB-34272: E2EE WP1 - Search resource in webapp using v5
- PB-34287: E2EE WP1 - Create password resource from webapp in v5 format
- PB-34288: E2EE WP1 - Create standalone TOTP resource in v5 format
- PB-34289: E2EE WP1 - Edit password resource in v5 format
- PB-34290: E2EE WP1 - Edit standalone TOTP resource in v5 format
- PB-34291: E2EE WP1 - Edit resource description from sidebar in v5 format
- PB-34292: E2EE WP1 - Delete resource(s) in v5 format
- PB-34293: E2EE WP1 - Share resource(s) in v5 format
- PB-34294: E2EE WP1 - Import resource(s) in v5 format
- PB-34295: E2EE WP1 - Export resource(s) in v5 format
- PB-34296: E2EE WP1 - Move resource(s) in v5 format
- PB-34297: E2EE WP1 - Create password resource from quickaccess in v5 format
- PB-34298: E2EE WP1 - Auto-save password resource from quickaccess in v5 format
- PB-34299: E2EE WP1 - Make resource entity compatible only with v5
- PB-34311: E2EE WP1 - Make resource V4 and V5 compatible in both ways
- PB-34315: E2EE WP1 - Transform DTO to V4 for API and adapt resource validation to v5
- PB-34391: E2EE WP1 - Enforce resource type id should be required and not null
- PB-34392: E2EE WP1 - Validate Metadata.uris as array of string, and maxLength
### Security
- PB-34237: Upgrade vulnerable library i18next-parser
- PB-34305: Upgrade lockfile-lint library on passbolt_api package-lock.json
- PB-34422: Remove grunt-browserify dev dependency from browser extensionSource code released under GNU AGPL V3.0
Version 4.9.1
Released Jul 24, 2024 - 4.79 MBWorks with firefox 115.0 and laterPassbolt v4.9.1 is a maintenance update that addresses issues related to the search resources.
We extend our gratitude to the community for their feedback and assistance in testing this release. We hope these updates enhance your experience with Passbolt and we look forward to hearing from you.
## [4.9.1] - 2024-07-23
### Fixed
- PB-34134 As a signed-in user I should search resources even if the data integrity is corruptedSource code released under GNU AGPL V3.0
Version 4.8.2
Released Jun 17, 2024 - 4.78 MBWorks with firefox 115.0 and laterPassbolt v4.8.2 is a maintenance update that addresses issues related to MV3.
We hope these updates enhance your experience with Passbolt. Your feedback is always valuable to us.
## [4.8.2] - 2024-06-13
### Improved
- PB-33686 As a user I should be signed out after browser update
### Fixed
- PB-33727 Fix session extension, service worker awaken and user instance storage not set
- PB-33801 Remove active account cache in memorySource code released under GNU AGPL V3.0
Version 4.8.1
Released May 23, 2024 - 4.78 MBWorks with firefox 115.0 and laterPassbolt v4.8.1 is a maintenance update that addresses issues related to servers serving invalid SSL certificates, which affected the accessibility of the API with certain user journeys.
## [4.8.1] - 2024-05-23
### Fix
- PB-33595 As a user running an instance serving an invalid certificate I should be able to sync the gpgkeyring
- PB-33596 As a user running an instance serving an invalid certificate I cannot sync my account settings
- PB-33597 As a user running an instance serving an invalid certificate I cannot install passbolt extension using an API < v3Source code released under GNU AGPL V3.0
Version 4.7.0
Released Apr 30, 2024 - 4.78 MBWorks with firefox 115.0 and laterPassbolt v4.7 is a maintenance release that resolves multiple issues identified by the community.
Furthermore, this release supports the commitment to improving customization options and integration features, making it easier for organizations to tailor the system to their specific needs.
A key enhancement in this release is the ability for administrators to use custom SSL certificates for SMTP and Users directory server connections (PRO only).
These long-awaited features are particularly beneficial for organizations operating in air-gapped environments or those using their own root CAs, enabling passbolt to more securely integrate with internal communication tools.
All of these customizations are visible in the API status report of the administration workspace, providing a clear and manageable overview for administrators.
Moreover, the integration with user directories has been enhanced, now enabling the synchronization of user accounts using multiple fields as email identifiers.
This allows organizations with heterogeneous data environments to synchronize more seamlessly with Passbolt.
This improvement is part of a broader initiative aimed at modernizing the integration with your user directories.
Stay tuned, more enhancements are planned for future releases.
## [4.7.0] - 2024-04-26
### Added
- PB-32931 As administrator, I see SSO and Directory Sync health checks in Passbolt API Status page
- PB-33065 As an administrator I can add a fallback property to map my organisation AD user username
- PB-33070 Request passphrase when exporting account kit
### Fixed
- PB-32420 Fix double calls to PwnedPassword API service
- PB-32631 Fix healthCheck Entity to support air gapped instances
- PB-33066 As AD, I should not see directorySync and SSO checks if they are disabled
- PB-33067 After an unexpected error during setup, recover or account recovery, only the iframe reload and the port cannot reconnect
### Maintenance
- PB-22623 Start service worker in an insecure environment
- PB-22640 As a signed-in user the inform call to action should remain after the port is disconnected only for MV3
- PB-22644 The passbolt icon should detect if the user is still connected after the service worker awake
- PB-23928 Handle when the extension is updated, the webIntegration should be destroy and injected again
- PB-29622 Simulate user keyboard input for autofill event
- PB-29946 When the service worker is shutdown and a navigation is detected the service worker do not reconnect port and stay in error mode
- PB-29965 Use a dedicated service to verify the server
- PB-29966 Update apiClient to support form data body and custom header
- PB-29967 Use a dedicated service to do the step challenge with the server
- PB-29968 use a dedicated service to check the user authentication status
- PB-29969 Use a dedicated service to logout the user
- ...Source code released under GNU AGPL V3.0
Version 4.6.2
Released Mar 29, 2024 - 4.79 MBWorks with firefox 115.0 and later## [4.6.2] - 2024-03-29
### Fixed
- PB-32394 As a user defining my passphrase while activating my account I want to know if my passphrase is part of a dictionary on form submission
- PB-32396 As a user defining my new passphrase while changing it I want to know if my new passphrase is part of a dictionary on form submission
- PB-32401 As an administrator defining the passphrase of the generated organization account recovery key I want to know if the passphrase is part of a dictionary on form submission
- PB-32407 As a user editing a password I am invited to confirm its edition when this one very weak in a separate dialog on form submission
- PB-32395 As a user defining my passphrase while requesting an account recovery I want to know if my new passphrase is part of a dictionary on form submission
- PB-32397 As a user verifying my private key passphrase while activation my account I do not want to know if my passphrase is part of a dictionary at this stage
- PB-32399 As a user confirming my passphrase while completing an account recovery (Admin approved) I do not want to know if my passphrase is part of a dictionary on form submission
- PB-32398 As a user confirming my passphrase while importing my private key during an account recover I do not want to know if my passphrase is part of a dictionary on form submission
- PB-32404 As a user creating a password from the quickaccess I am invited to confirm its creation when this one is part of a dictionary in a separate dialog on form submission
- PB-32403 As a user updating a password I am invited to confirm its edition when this one is part of a dictionary in a separate dialog on form submission
- PB-32405 As a user auto-saving a password from the quickaccess I should not be notified if the password is part of an exposed dictionary
- PB-32402 As a user creating a password I am invited to confirm its creation when this one is part of a dictionary in a separate dialog on form submission
- PB-32400 As a user confirming my passphrase while importing an account kit on the desktop app I do not want to know if my passphrase is part of a dictionary on form submission
- PB-32406 As a user creating a password I am invited to confirm its creation when this one very weak in a separate dialog on form submission
- PB-32427 As a user creating a password from the quickaccess I am invited to confirm its creation when this one is VERY WEAK in a separate page on form submissionSource code released under GNU AGPL V3.0
Version 4.6.0
Released Mar 14, 2024 - 4.79 MBWorks with firefox 115.0 and later## [4.6.0] - 2024-03-14
### Added
- PB-24485 As signed-in administrator I can see the healthcheck in the UI
- PB-29051 As a user I can use ADFS as SSO provider
- PB-29162 As signed-in administrator I can authorize only group managers to see the users workspace
- PB-29396 As signed-in administrator I can hide the share folder capability with a RBAC
### Security
- PB-29384 As signed-in administrator I should see a 404 when accessing a non existing administration page
- PB-29384 As signed-in user I should see a 403 when attempting to access an administration page
### Fixed
- PB-25865 As a signed-in user I want to autofill form which listen to change events
- PB-27709 As signed-in administrator I can reconfigure the LDAP integration after a server key rotation
- PB-29258 A signed-in users with a large data set I should have a direct feedback when selecting a resource with the checkbox
- PB-29506 As signed-in user, when loading the application, I should scroll to the resource detected in the url
- PB-29548 As a signed-in administrator, editing the password expiry policy, I want to be sure that I’m editing the latest version of the settings
- PB-29606 As signed-in user I should be able to export TOTP to keepass for Windows
- PB-29860 As signed-in user I should see the columns header translated to my language
- PB-29861 As signed-in user I should see the filter “Expiry” named “Expired” instead
- PB-29895 As user importing an account to the Windows application I should be able to access the getting started help page
- PB-29961 As signed-in user I want to see the import dialog information banner below the form and before the action buttons
- PB-30033 As a signed-in user I should be able to sign in with the quickaccess right after launching my browser
### Maintenance
- PB-25555 Upgrade outdated dev library webpack and associated
- PB-25556 Upgrade outdated library i18next and associated
- PB-25689 Upgrade outdated library ip-regex and associated
- PB-25692 Upgrade openpgpjs to v5.11
- PB-25696 Upgrade outdated library webextension-polyfill
- PB-25699 Upgrade outdated library xregexp
- PB-25701 Upgrade outdated library luxon
- PB-29162 MFA user settings screens should be served by the browser extension
- PB-30015 Homogeneize collection constructor signature
- PB-30017 Remove collection and entity inheritance dependency
- PB-30021 Make collection and entity DTO optionally cloneable
- PB-30022 Reduce the number of resources collection instantiations while displaying the number of suggested resources
- PB-30023 Reduce the number of resources collection instantiations while displaying the suggested resources in the inform menu
- PB-30142 Homogenize collection and entity call parameters
- PB-30143 Ensure entities DTOs are not cloned when the data is retrieved from the API or the local storage
- PB-30156 Ensure the tags collection is not validating multiple times the entities while getting instantiated
- ...Source code released under GNU AGPL V3.0
Version 4.5.2
Released Feb 13, 2024 - 4.8 MBWorks with firefox 115.0 and later### Added
- PB-28672 As a user exporting resources I should also export TOTPs
### Fixed
- PB-25865 As a signed-in user I can autofill credentials using input and change events
- PB-29258 As a signed-in user with a large dataset I can select a resource quickly
- PB-29548 As a signed-in administrator I should refresh password expiry cache when navigating to the password expiry administration page
- PB-29560 As a user importing a resources from a Windows keepass kdbx I should also import TOTPs
- PB-29606 As a user exporting a resources to a Windows keepass kdbx I should also export TOTPsSource code released under GNU AGPL V3.0
Version 4.5.0
Released Feb 8, 2024 - 4.79 MBWorks with firefox 115.0 and later## [4.5.0] - 2024-02-08
### Added
- PB-28679 As an administrator I can set advanced password expiry settings
- PB-28681 As a user importing a resources from a file I should also import expiry date from keepass files
- PB-28682 As a user I can quickly mark resources as expired
- PB-28687 As a resource owner, I can change the resource expiration date manually
- PB-28692 As a user I can change the expiry date of a resource automatically based on the password expiry configuration
- PB-28850 As a signed-in user creating a resource from the app I should set the expired date if default expiry period has been defined in the organisation policies
- PB-28851 As a signed-in user creating a resource from the quickaccess I should set the expired date if default expiry period has been defined in the organisation policies
- PB-28852 As a signed-in user creating a resource from the auto-save I should set the expired date if default expiry period has been defined in the organisation policies
- PB-29045 As a user I want to open the quickaccess using a keyboard shortcut
- PB-29125 As an administrator I should not see the control function AllowIfGroupManagerInOneGroup on the UI
- PB-28923 As a user I want to be able to use passbolt in Russian
### Improved
- PB-15269 As a user I do not want my browser extension to make multiple calls on resources.json in a row
- PB-21484 As an administrator I can use Microsoft 365 or Outlook as SMTP providers
- PB-22071 As an administrator I want the SSO messages to be in correct english
- PB-25503 As an admin I should be able to enable/disable emails that request group managers to add users to groups (LDAP/AD)
- PB-25860 As signed-in user I want to see the full name of the user at the origin of any account recovery action
- PB-27783 As a user opening the quickaccess I should have a clear feedback if the API service is unreachable
- PB-27961 As a signed-in user I cannot skip the administrator request to join the account recovery program
- PB-28507 As signed-in user importing resources I should know what is supported
- PB-28612 As a signed-in user I should see TOTP in uppercase
- PB-28646 As an administrator in the account recovery settings I should see “Prompt” instead of “Mandatory"
- PB-28709 Mark SASL option in Users Directory as Enterprise Edition
- PB-28727 As an administrator in the SSO settings I should see a combobox instead of a text input for the Azure’s URL
- PB-29008 As an administrator in RBAC administration page I should not see the role to setup the desktop or mobile app if the plugin is not enabled
- PB-29159 As a signed-in user I want the Mfa screen to be available when using legacy API
- PB-29263 Replace the mechanism to have CSRF token from the cookie
### Security
- PB-29194 Upgrade vulnerable library web-ext
- PB-28658 Mitigate browser extension supply chain attack
- PB-28659 Mitigate browser styleguide supply chain attack
- PB-28660 Mitigate windows app supply chain attackSource code released under GNU AGPL V3.0
Version 4.4.2
Released Nov 28, 2023 - 4.73 MBWorks with firefox 42.0 and later## [4.4.2] - 2023-11-06
### Fixed
- PB-28880 Fix resource with TOTP when description is updated from information panelSource code released under GNU AGPL V3.0
Version 4.4.0
Released Nov 7, 2023 - 4.73 MBWorks with firefox 115.0 and later## [4.4.0] - 2023-11-07
### Added
- PB-25204 As a signed-in user I can create a standalone TOTP
- PB-25206 As a signed-in user I can add a TOTP to an existing password resource
- PB-25210 As a signed-in user I can edit a standalone TOTP
- PB-25224 As a signed-in user I can copy a TOTP
- PB-26088 As a signed-in user I can see standalone TOTP in the quickaccess
- PB-27600 As an administrator I want to suspend or unsuspend a user
- PB-27601 As a sign in user I should see who is suspended in the ui
- PB-27773 As an administrator I can deny access to the mobile setup screen with RBAC
- PB-27898 As an administrator I should have the possibility to deny TOTP copy and preview actions with RBAC
- PB-27949 As a signed-in user I can see password with totp in the quickaccess
- PB-27950 As a user I can use generic OAuth2 as single sign on provider
- [FEATURE INACTIVE] PB-28263 As a user I can see the resource expiry status
- [FEATURE INACTIVE] PB-28265 As a user I can reset resource expiry date
- [FEATURE INACTIVE] PB-28266 As an administrator I can enable the password expiry feature
- [FEATURE INACTIVE] PB-28267 As an administrator I can set the email notifications of the password expiry feature
### Improved
- PB-19244 As a user with encrypted description resource type present when creating a resource using quickaccess the description should be encrypted by default
- PB-25560 As an administrator on the admin settings pages I can see the source of information
- PB-26002 As a user downloading my recovery kit I want to be warned about the critical character of this asset
- PB-26086 As an administrator generating an account recovery key for my organization I want to confirm the passphrase
- PB-26094 As an administrator having a passbolt trespassing the user limits I should see a better message
- PB-27668 As a user I'd like to know what the numbers by the heart mean
- PB-27922 As a user entering my passphrase I should see the entropy progressing
- PB-28183 As administrator I want to see warnings while synchronising the organisation users directory
- PB-28378 MFA screen should be display depending on the application
### Fixed
- PB-21625 As a user I shouldn't see apostrophe replaced by special characters
- PB-25279 As a user I should see in form call to action icon be well positioned
- PB-26000 As a user updating only a resource metadata I should not update the resource secret on the API
- PB-27784 As an administrator I should not see the account recovery enrollment twice
- PB-27794 Fix unsupported TOTP while decrypting TOTP on webapp
- PB-27894 As a user I should not see my username overpass the card in the login form
- PB-27947 Fix in-form menu generate password should not override all password fields but only new password fields
- PB-27954 Fix message after successful transfer to mobile
- PB-28170 Fix SMTP host from Sendgrid
- PB-28310 As a signed-in user I should not select or unselect a resource on TOTP click
- ...Source code released under GNU AGPL V3.0
Version 4.3.1
Released Sep 28, 2023 - 4.48 MBWorks with firefox 42.0 and later## [4.3.1] - 2023-09-28
### Fixed
- PB-27860 As a signed-in user I should be able to autofill from the quickaccessSource code released under GNU AGPL V3.0
Version 4.2.0
Released Aug 23, 2023 - 4.46 MBWorks with firefox 42.0 and later## [4.2.0] - 2023-08-23
### Added
- PB-24987 As an administrator I can define the password policies from the administration UI
- PB-25462 As an administrator I can deactivate RBACs with a feature flag
- PB-25036 As an administrator I can select PostgreSQL as database driver on installation
- PB-21403 As an administrator I can purge the email queue table from the command line
### Improved
- PB-24990 Performance optimisation of the cleanup command responsible to delete secrets without permissions
- PB-25263 Performance optimisation of the entry point retrieving the folders activity logs
- PB-25264 Performance optimisation of all the SQL queries retrieving user profiles
- PB-25199 Lower case UUIDs given as requests parameters before marshalling and persisting data
- PB-25389 As an administrator healthcheck/status.json requests should not be logged in the action_logs table
- PB-25734 As a user I do not want the first letters of my first and last names upper-cased when my profile is saved
### Security
- PB-25181 CSRF cookie should have secure flag set when site is served under HTTPs
- PB-25798 Fixes laminas/laminas-diactoros vulnerability by using the longwave/laminas-diactoros package
### Fixed
- PB-24931 As a user when I rename a tag with the same name, the tag should not be deleted
- PB-25019 As an administrator I can define LDAP filters case sensitivity
- PB-24986 As a user decrypting the SSO organisation settings I should not get a 500 error when the key could not be found in the keyring
- PB-25859 As an administrator notified of an account recovery I should see the first and last name of the acting user in the email
- PB-25472 As a user I can use an SMTP server using NTLM authentication
- PB-25475 As an administrator running the healthcheck, I should be warned for self-signed and wildcard certs instead of having a failure
- PB-25720 As an administrator I should not see a false error in the healthcheck when reading the App.base config
- PB-25800 As an administrator I should be able to migrate from v3 my default LDAP settings
### Maintenance
- PB-21412 Upgrade phpstan to v1.10.15
- PB-21413 Upgrade psalm version to v5.12.0
- PB-21414 Upgrade cakephp codesniffer to v4.7
- PB-21672 Bump lorenzo/cakephp-email-queue package to 5.1
- PB-21917 Bump bcrowe/cakephp-api-pagination to v3.0.0
- PB-21918 Bump spomky-labs/otphp to v10.0.3
- PB-21919 Update enygma/yubikey package
- PB-22052 Passbolt test data version bump to v4.1.0
- PB-25379 Update vierge-noire/cakephp-fixture-factories package
- PB-24575 As a developer release notes should be automatically published on Github on new tag release
- PB-25471 As a developer Crowdin should export only a selected subset of languages
- PB-25801 As a developer I can create unpublished test packagesSource code released under GNU AGPL V3.0
Version 4.1.2
Released Jul 27, 2023 - 4.39 MBWorks with firefox 42.0 and later## [4.1.2] - 2023-07-26
### Improvement
- PB-25251 As a signed-in user previewing a password, I should be able to distinguish look alike characters
### Fixed
- PB-25502 Fix web navigation issue when a port already exists and port disconnection is not fired
- PB-25339 Fix application refusing to load when detecting passbolt event activities
- PB-25311 Fix as anonymous user with the browser extension not configured I should be redirected to passbolt getting started page when using the toolbar icon
- PB-24933 Fix in-form menu detection not working when existing tab port disconnection occurs after webnavigation event
### Maintenance
- PB-25471 Crowdin should export only a selected subset of languages
- PB-25272 Github actions updates for storybook
- PB-25172 Remove former demo application, replaced by storybookSource code released under GNU AGPL V3.0
Version 4.1.0
Released Jul 3, 2023 - 4.35 MBWorks with firefox 42.0 and later## [4.1.0] - 2023-07-23
### Added
- PB-24259 As an administrator I can define with role based access control users' rights
- PB-24054 As an administrator I can define LDAP field mapping
- PB-24051 As an administrator I can define LDAP multi domain
### Improved
- PB-24744 As a LU the date time format in the response always display the time zone
- PB-24929 As a LU with multiple MFA providers setup, the latest provider used is proposed by default
- PB-24488 Non-JSON request should return a 404 if JSON is required
- PB-24617 As LU I want improved performance while sharing a folder with a user
- PB-23843 Update SSO settings endpoint to allow prompt for Azure provider
- PB-24244 As an administrator I can remap email and username properties
### Security
- PB-25030 As an admin I can set a feature flag to prevent user email enumeration
- PB-24273 As an admin I can enable the GET auth/logout.json endpoint (disabled by default)
- PB-19510 As a user I should be redirected to HTTPS if SSL FORCE configuration is true
- PB-24566 As an admin the email settings password should be masked in the test email command log output
- PB-23591 As a user authenticating I can perform a limited amount of TOTP MFA attempts
### Fixed
- PB-24782 As an administrator I can perform LDAP synchronization with over 1k records with improved performance
- PB-24914 As an admin I should be able to rename a tag with uppercase
- PB-24658 As an admin I should see no false warning in the email notification configuration section
### Maintenance
- PB-24925 Updates the fixture factories to its latest version
- PB-24913 Removes "type" from required JSON schema definition for TOTP resource types
- PB-24305 Recovery and register legacy routes are not used in emails and commands outputs
- PB-21604 Extract composer audit task from checkstyle job and make it non-blocking
- PB-21641 Rename check-style job to static-analysis and make it blockingSource code released under GNU AGPL V3.0
Version 4.0.3
Released Jun 7, 2023 - 3.48 MBWorks with firefox 42.0 and later## [4.0.3] - 2023-06-05
### Fixed
- PB-24734 Fix As a registered user I would like to be able to use SSO login via the quickaccessSource code released under GNU AGPL V3.0
Version 4.0.1
Released May 23, 2023 - 3.48 MBWorks with firefox 42.0 and later## [4.0.1] - 2023-05-17
### Fixed
- PB-24639 Fix: As an administrator I want to be see which users have activated MFA from the users workspaceSource code released under GNU AGPL V3.0
Version 4.0.0
Released May 16, 2023 - 3.48 MBWorks with firefox 42.0 and later## [4.0.0] - 2023-05-02
### Added
- PB-23531 As an administrator I can setup google as SSO provider
- PB-23532 As a user I can sign-in with SSO
- PB-23535 As a user I want to self register with SSO enabled
- PB-23952 As an administrator I want to synchronize only groups belonging to a given parent group
- PB-24168 As a user I want to use an accessible version of the UI
### Improvements
- PB-21564 Application should be aware of authentication status as soon as the user is getting signed out
### Fix
- PB-21488 Fix the loading of pagemods when user data is not set in the local storage
- PB-23547 As a signed-in user I should auto-filling credentials in iframe even if there is an empty iframe src ahead
- PB-24076 Fix ApiClient BaseUrl generation to avoid double slashes in the final URL
- PB-24100 As a developer I want to use a fix working version of storybook
- PB-24145 As a signed-in user the inform integration should not freeze the browser if there is a lots of dom changes
- PB-24260 As a signed-in user I should not see a resource stays selected after moves in a folder
### Security
- PB-22858 As a user the session storage should have a limit of port by tab
- PB-22859 As a user the web integration pagemod should be attached only on top frame
- PB-23556 PBL-08-002 WP2: Passphrase Retained In Memory Post-Logout
- PB-23942 PBL-08-008 WP2: Lack of explicit CSP on extension manifest
- PB-23797 Backport MV3 port manager on MV2 without using the webNavigation permission
### Maintenance
- PB-18667 Migrate gpgAuth session check loop into a dedicated service startLoopAuthSessionCheckService
- PB-22641 As a user the browser extension should handle when the version is updated
- PB-22642 As a developer, when inform call to action and inform menu are destroyed, I should remove the port reference in the session storage and portManager
- PB-24105 As a user I want to trigger file download on firefox with file pagemod
- PB-24131 As a developer I should have class files in the correct folder
- PB-24134 As a developer I should be able to run the CI pipeline even if the audit job is failing
- PB-24147 Remove legacy entry point to check if the user is authenticatedSource code released under GNU AGPL V3.0
Version 3.12.0
Released Mar 16, 2023 - 3.46 MBWorks with firefox 42.0 and later## [3.12.0] - 2023-03-15
### Added
PB-22521 As a signed-in user, I want to export resources in logmeonce csv
PB-22520 As a signed-in user, I want to export resources in nordpass csv
PB-22519 As a signed-in user, I want to export resources in dashlane csv
PB-22518 As a signed-in user, I want to export resources in safari csv format
PB-22517 As a signed-in user, I want to export resources in mozilla csv
PB-22515 As a signed-in user, I want to export resources in bitwarden csv
PB-22516 As a signed-in user, I want to export resources in chromium based browsers csv
PB-22838 As an administrator I can customise the application email validation
### Improvements
PB-22896 Improve DUO style
### Fix
PB-23281 Fix as a user I should see an accurate entropy when a password contain words from a dictionary
PB-23541 As a user I can use SSO recover when passbolt is served from a subfolder
### Security
PB-23706 As an administrator I should be the only one to know which users have enabled MFASource code released under GNU AGPL V3.0
Version 3.11.1
Released Mar 1, 2023 - 3.42 MBWorks with firefox 42.0 and later### Added
- PB-22081 As a signed-in user I can import my passwords from a Mozilla web browsers csv export
- PB-22082 As a signed-in user I can import my passwords from Safari web browser csv export
- PB-22116 As a signed-in user I can import my passwords from a Dashlane csv export
- PB-22117 As a signed-in user I can import my passwords from a Nordpass csv export
- PB-22510 As a signed-in user I can import my passwords from a LogMeOnce csv export
- PB-22866 As a user I want to use passbolt in Italian
- PB-22866 As a user I want to use passbolt in Portuguese (Brazil)
- PB-22866 As a user I want to use passbolt in Korean
- PB-22866 As a user I want to use passbolt in Romanian
- PB-22882 As a user I can use the SSO feature to speed up the extension configuration process
### Improved
- PB-21408 As a logged-in user navigating to the account recovery user settings from the MFA user settings I should not see the screen blinking
- PB-21548 As a signed-in user I can access my MFA settings for a given provider following a dedicated route
- PB-22647 As a signed-in user I want to use my personal google email server as SMTP server
- PB-22699 A a user I want a unified experience using pwned password feature
- PB-22725 As a signed-in user I want to see an introduction screen prior setting up Duo v4
- PB-22835 As an administrator I can define the optional SMTP Settings “client” setting
- PB-22861 As an administrator I want to manage Duo v4 settings
### Fixed
- PB-22387 As an administrator generating an account recovery organization key, I should see the warning banner after submitting the form
- PB-22587 Fix the CSV exports columns presence and order
- PB-22588 As a signed-in user I want to import resources in Lastpass csv export following their conventions
- PB-22701 As a signed-in user I should not see the MFA mandatory dialog if there are no MFA providers enabled for my organization
- PB-22704 As a user with a configured account and SSO, I should be able to recover/setup another account
- PB-23277 As a signed-in user I should not have a 404 error with the flag mfa policy disable
### Security
- PB-21645 As content code application I should be restricted to open ports only for applications I am allowed to open
- PB-21754 As a user I should not see any trace of previously downloaded content in my history
- PB-23279 As a user completing a setup I should not have access to the background page decryption secret capabilities
### Maintenance
PB-19641 Handle the setup and recover runtime object
- PB-19675 As a signed-in user I want to perform a recover using MV3
- PB-19676 As a signed-in user I want to perform a setup using MV3
- PB-19677 As a signed-in user I want to perform a sign-in using MV3
- PB-19678 As a signed-in user I want to start the application using MV3
- PB-21750 As service worker I should be able to wake up a disconnected application portSource code released under GNU AGPL V3.0
Version 3.10.0
Released Feb 9, 2023 - 3.3 MBWorks with firefox 42.0 and later## [3.10.0] - 2023-02-09
### Added
- PB-21752 As an anonymous user I can self register if the organization allows my email domain
- PB-21999 As a signed-in administrator I can force users to authenticate with MFA at each sign-in
- PB-22000 As a signed-in administrator I can force users to enable MFA
- PB-22080 As a signed-in user I should be able to import chromium based browsers csv
- PB-21874 As signed-in user I should be able to import bitwarden csv
### Improved
- PB-21910 As a signed-in administrator on the self registration admin settings form I want to see the domain warnings while typing and not after blur event
- PB-22007 As a user finalizing my account recovery I should be able to authenticate with SSO after my first sign out
- PB-22619 As a user authenticating with SSO, I should close the SSO popup when I am navigating away in the main frame
- PB-22617 As a user authentication with SSO, closing the third party popup should not redirect me to the passphrase screen
### Fixed
- PB-18371 Fix contextual menu positioning issue when right clicking at the bottom of the page
- PB-22386 As an administrator I want to know if the weak passphrase I am entering to generate an organization recovery key has been pwned
- PB-22387 As an administrator generating an account recovery organization key, I should see the warning banner after submitting the form
- PB-22388 Fix as a user recovering my account i should not see that the passphrase i entered has been pwned if it is not the valid passphrase
- PB-22084 As a signed-in user I can import my passwords from 1Password csv export with their new header conventions
### Maintenance
- PB-21562 Refactor service worker port and add coverage
- PB-21813 Unit test the private key's passphrase rotation SSO kit regeneration
- PB-21878 Unit test the user stories related to SSO via quickaccess
- PB-21932 Unit test: As AD I want my SSO kit to be generated when saving a new SSO settings
- PB-21933 Create a service to parse the sign in url
- PB-22337 Merge both controller AuthController and AuthSignInController to keep consistency
- PB-22353 Remove redundant toDto function in SsoClientPartEntity
- PB-22403 Instead of using new URL when getting sso url login, use an entity to ensure consistency and that the data is validated
- PB-22478 As a developer I should be sure my changes don’t introduce regression in the build
- PB-22479 As a developer I should be sure my changes don't introduce dependency vulnerabilities
- PB-22614 Avoid telemetries to be sent to Storybook
- PB-22630 Fix the Unit test in the browser extension about method that shouldn't be calledSource code released under GNU AGPL V3.0