Features:
* Allow Offline Token without assigning to a specific IP address (2926)
* The enrollment of HOTP, TOTP, SMS and Email Tokens can be verified
by entering a valid OTP value after the enrollment. (2441)
* Security: Add security module to decrypt encryption keys using HSM (3003)
Enhancements:
* Token: Policy for Password token can create human readable passwords (2864)
* Token: Redesign the code logic of is_previous_otp and make it more robust for HOTP and TOTP tokens (2916)
* Token: Allow resyncing of a token via Multi-Challenge (2349)
* Token: consolidate client_wait in token enrollment. All tokens now
get the rollout_state "clientwait" or "enrolled" which can
be used in Token Handlers and in the token-janitor (2784)
* Security and Speed: Allow choosing hashing algorithms in pi.cfg (2981)
* Policies: Also honor the user resolver in policies, when administrator is managing tokens (2778)
* Policies: Add policy extended conditions of webserver environment (2510)
* Event Handler: Token Handler can use the serial numbers of the tokens
during token import (2698)
* Event Handler: Notification Handler now allows placeholders like "tokenowner" in reply-to. (2711)
* UI: Allow logging in to the WebUI using Push-Tokens (2893)
* UI: If an administrator is allowed to manage only one realm, this realm is autoselected in the UI. (2908)
* UI: Rename buttons from "create" to "save" to avoid misunderstanding (2932)
* UI: Use new dependency injection in javascript code (1917)
* UI: Policy to exclude tokeninfo in token details (2819)
* UI: Highlight policy search term (2577)
* Tools: The tokenjanitor can check for the pure existence of a tokeninfo key (2753)
* Tools: Improve the token janitor documentation (2885)
* Tools: LinOTP migration script now also works with PostgreSQL (2770)
* Tools: The "orphaned" parameter of the token-janitor allows using
0/False or 1/True to also search for non-orphaned tokens (2838)
* Tools: Add more export/import functions to pi-manage (2455)
* Add nightly tests with a MySQL database (2477)
* Add new translated languages from the community: cs, es, it, nb_NO, pl, ru, si, tr, uk, zh_HANS
* Add extra_require in setup.py for PyKCS11 to allow installing via pip also in case of use with HSMs. (2951)
* Support SMTPS (2568)
* Documentation: Add documentation for max_identifier_length for Oracle DBs (2986)
* Documentation: Improve Event Handler documentation
* Documentation: Add missing policy documentation (2768)
* Documentation: Add documentation about importance of time in privacyIDEA (3026)
* Add detailed log messages to track HSM sessions (3000)
Fixes:
* Failures in submission to Firebase will not block Push-Poll (2904)
* Fix problems with CA certificate and StartTLS (2892)
* Dependency update (Pillow)
* Token: Remove the tokenowner entry after the automatic deletion of the registration token (2907)
* Fix the usage of secondary login attribute (2919)
* Fix removal of the "alembic_version" table with dropdb (2848)
* Fix "validate_mac no_check" when importing tokens with the token janitor (2755)
* Update dependencies
* UI: Fix reload of policy list (2967)
* UI: Remove the client side keygen tag for x509 certificates, since it is not supported by browsers anymore (2968)
* UI: Fix submenu links like "new" and the routing highlighting (2546)
* UI: Check the sanity of client IPs during creation of a policy (2949)
* Event Handler: Fix loading of boolean values in event handler options (2310)
* Token: Fix email token without an assigned user (2990)
* Token: Handle modhex error for invalid passwords in Yubikey token (2896)
* Do not use not-readily enrolled tokens for auth (2852)
* Allow tokens in client_wait to be rolled over (2763)
* Make token-janitor robust against unknown chars in last_auth check (2780)
* Fix the manual setting of U2F tokens, which was overwritten by an
automatic description (2793)
* Improve parameter parsing and decoding (2810)
* Fix policy import with missing "condition" keyword (2829)
* Add failsafe to raise an exception on the lib level when trying to assign a token
to a user, if the token is already assigned. (2860)
* Fix AD little endian in objectGUID
* Fix upper case realm names in policy check (2869)
* Fix deleting expired auth_cache entries (2481)