Privacyidea

Latest version: v3.10.1

3.10

Features:
* Node-specific realms (3758)
  * Add node names and UUIDs to database (3757)
  * Add, remove and configure realms with node-specific resolver configuration (API and WebUI)
* Add token containers (1291)
  * There are three container types (generic, smartphone, and yubikey) which can contain different token types
  * A container can have one owner and multiple tokens
  * Tokens can be added to a container on the fly during the enrollment, on the token, user and container page
  * Perform actions on all tokens of a container (enable, disable, delete)
  * Event Handler
  * Admin and user policies (similar to tokens)
  * Added container serial and type as columns to the audit log

Enhancements:
* Drop support of Python 3.6 and enable Python 3.11 and 3.12 (3593, 3711, 3760)
* UI: Capitalize headings
* UI: Enable/disable tokens, reset the fail counter, delete tokens and unassign user from token in user details
* UI: The support button in the footer will now initiate an email to ease the request of support (3919)
* UI: Add multiple choice elements for realms and resolvers (3793)
* UI: Hide enroll token menu entry, if no token-type is allowed (4053)
* MS CA Connector: Added certificate revocation (3316)
* Email and Phone number attributes can be used in challenge texts (2917)
* Validity of JWT can be configured (3996)
* PUSH: Optionally, the user can be required to press a number or character that is displayed on login to complete the push authentication (3897)
* PUSH: Add event handler for declining push requests (3632)
* PUSH: Allow tags in PUSH notifications (3227)
* Added "Authentication" condition to event handlers, which can be used to distinguish between SUCCESS, FAILED and CHALLENGE (3886)
* Enrollment via validate can have a custom enrollment text (3884)
* Allow case insensitive usernames in policies (3281)
* Cleanup of expired challenges externally (3920)
* Tools: Migration of several tools to the click framework (2498, 3769)
* Add functionality to dump token data to YAML (3005)
* Allow extended notes on policies (1814, 3895)
* WebAuthn: Allow offline usage (3764, 3857, 3866)
* Add user-agent to audit log (3856)
* Check Yubikey OTP length before validating (3746)
* Check secret length for Yubikey token during enrollment (3725)
* Enable user-agent version in subscription checks (3800)
* Enhance offline token to allow refill for WebAuthn tokens (3764)
* Add policy to disable PIN+OTP check when using challenge-response (4051)
* Add privacyIDEA version to exported data and warn during import if versions mismatch (4055)
* Make token description available as a tag in the user-notification handler (3763)
* Add "creator" tag to QR-code for enrollment (3902)
* Add email validation to enrollment (3918)

Fixes:
* UI: Added translation for page navigation in the user details and list pages
* UI: Fixed open and close all actions in create new policy and conditions in create new event handler
* UI: Removed duplicated controller calls resulting in duplicated API calls (3421)
* UI: Cancel poll-transaction in case another token is used (3861)
* UI: Fix reset of user filters when changing user view (3543)
* UI: Fix error during generation of drop-down lists in UI (3937)
* UI: Hide "unassign" button in token view if the user does not have the proper rights (3966)
* When attaching a token to a machine, validate the serial and the application (4019)
* The realm of the token owner cannot be removed from the token, unless the token is unassigned from the user (3986)
* PUSH: Declined PUSH requests are now saved as such and can no longer be polled (4026)
* PUSH: Label policies are now considered for PUSH token enrollment via validate (3883)
* Verify enrollment now works for indexed secret token (3869)
* Remove duplicate messages from response (3989)
* Lazy translation evaluation for static strings (3721)
* Truncate token description (3747)
* Use uppercase hash name for google-authenticator URLs (3812)
* Improve logging of event handler status in Audit log (3781)
* Update config description of LDAP resolver to remove warning (3854)
* Add missing index to Challenge.expiration column (3920)
* Fix usage of challenge text and token defaults policies during multi-challenge enrollment (3928, 3976)
* Enable sms/email text policies when verifying enrollment (3971)

3.9.3

Fixes:
* Fix creation of database tables with galera cluster (3863)

3.9.2

Fixes:
* Allow verify-enroll for paper token and TAN token (3809)
* Fix offline data, when PIN is behind the OTP value (3831)

3.9.1

Fixes:
* Set correct start sequence for empty tables
* Fix pi-manage backup
* Add privacyIDEA CP to list of clients that do not need to be unquoted (3770)
* Fix problem with token description and verify enrollment (3798)

3.9

Features:
* Tokentype: Application Specific password (3260, 3585)
* Tokentype: Day password token (2781)
* Add machine grouping aka service IDs to be used with application specific passwords and SSH keys (3300, 3246, 3533, 3573)

Enhancements:
* Add event handler to set token application like "offline" (3335)
* Add challenge response with pin reset for better usability with client plugins (3261)
* Add logged_in_user to g-object during /auth request (3710)
* Allow forcing a description during rollout (3469)
* Allow an administrator to explicitly (only) set a description (3609)
* Add verify enrollment for indexed secret token (3452)
* Handle declined PUSH requests so that plugins know that they do not need to poll anymore (3599)
* Clean up the usage of PI_NODE and AUDIT_SERVERNAME to allow a consistent naming in the audit log (3589)
* Remove PI_VASCO_LIB error message in log file (3470)
* Add event handler status to audit log (3430)
* Optimize URL decoding for different clients (3337)
* Upgrade to SQLAlchemy 1.4 (2798)
* Add event for poll_transaction (3692)
* Make LDAP Resolver pooling strategy configurable (3461)
* Disable private key checking during loading for speed up (3590)
* Add tool for exporting tokens for database re-encryption (3005)
* UI: Multiselect policies in WebUI (3493)
* UI: Make the whole header of an accordion clickable (3425)
* UI: Improved grouping in the system menu (3419)
* UI: Moved the CA menu to config->system (3419)
* UI: Add Italian translation (3508)
* UI: Add user information in selfservice/user context (3688)
* Docs: Improve documentation for /validate/check-enrollment (3507)
* Docs: Improve policy mangle documentation (3565)
* Docs: Add a detailed plugin guide on how to write fully functional plugins (3650)
* Docs: Fix description of preferred_client_mode (3661)
* Docs: Update documentation (3728, 3712, 3728)
* Update translations
* Infrastructure: Add Bandit and GraphQL runs for pull requests

Fixes:
* Fix /auth endpoint in case no password is available (3438)
* Return all images as data:image, so that they can be used by the client plugins (3450)
* Fix typo in policy definition to fix revoke permission (3608)
* Add missing thread ID to audit log in case of /validate/check (3578)
* Fix pi-manage backup with non-default SQL port (3570)
* Fix SQLAlchemy warnings (3547)
* Fix problems with naming object "." or ".." (3409)
* Use more secure secrets module instead of urandom (3623)
* UI: More explicit description for entering PIN or password (3370)
* Fetch error when decoding JWT (3028)
* UI: Fetch error when user does not exist (3672)
* Ensure subprocess calls are secure (3625)
* TOTP code cleanup: Use time2counter wherever necessary (3664)
* Fix totp.get_otp test function (3660)
* Fix typos (3661)
* Update docs about TOTP apps that have limited capabilities (3634)
* Enhance schemas for urlopen (3622)
* Add timeout to requests calls (3621)
* Avoid exception if the provided password is shorter than the OTP length (3467)
* Ignore PIN policy during token rollover and verify to avoid wrong error (2886)
* Fixing response data of /auth endpoint to make the handling more consistent (3436)
* Fix parameter error in Webhook event handler (3676)
* Fix calculation of TOTP values (3734)
* Correct ID and help-text for Daypassword (3742, 3744)

3.8.1

Not secure
Fixes:
* Update diag tool (3146)
* Fix tokengroup error in WebUI (3441)
* Fix dependencies when deleting tokengroups (3423)
* Fix wrong QR code in enroll-via-validate (3427)
* Add missing preferred client mode in validate-check-enrollment (3429)
* Add missing enrollment parameters with challenge-response-enrollment (3478)
* Fix password problem with special chars - Disable unquoting of LDAP-Proxy and simpleSAMLphp (3337)
* Remove false error message when user assigns a token (3499)
* Fix tags in email tokens (3330)
* Fix LDAP NTLM Authentication (3482)
* Add missing Webhook Eventhandler in UI (3475)
* Remove redundant id in SQL resolver (3454)
* Fix ca-parameter policy during enrollment (3479)
* Fix removing node from a policy (3500)
