Privacyidea

Latest version: v3.10.1


3.1

Not secure
Features:
* Allow user attributes in policy conditions (1645)
* Assign tokens and set old PIN during migration (1619)
* Admins can only see tokens within the realm they are allowed to manage (1713)
**Note**: During update a policy "pi-update-policy-b9131d0686eb" is added, which
gives admins the previous read rights on tokens.
* Add adminread policies for policies, events, resolvers, system, machineresolvers,
smtpserver, radiusserver, privacyidea server, periodic tasks, smsgateways. (1495)
**Note**: During update a policy "pi-update-policy-3d7f8b29cbb1" is added, which
gives read rights to all admins to provide backward compatibility

Enhancements:
* Authentication and Challenge Response:
  * RADIUS token supports a single AccessChallenge with the remote RADIUS server (1790)
  * Improve Push token performance by reusing a still valid access token (1795)
  * Improve TiQR token: it returns the remaining attempts after a wrong PIN is given (1777)
  * Improve TiQR token: make the TiQR info URL configurable (1782)
  * Enhance validate check logic in regards to serials and user names (1768)
  * A user may now have several TiQR tokens at the same time (1739)
  * Do not increase the fail counter when *checking* for an answered challenge (1697)
  * Allow additional token specific checks when answering challenge response (1695)
  * Endpoint GET /token/challenges also takes transaction_id (1689)
  * Push token can delay the response of /validate/check, so that there is no need
    to query the server to check if the push notification has been answered (1583)
* User experience:
  * Improve user experience when enrolling Yubikeys via ykpersonalize by automatically
    removing whitespace (1735)
  * Allow the user to change the token description (1717)
  * Customize Web UI page title (1624, 1243)
  * *search_on_enter* also applies to the audit log (1493)
  * Allow a welcome message in the Web UI if the user has no token (1074)
  * Do not display token configuration hints in the UI to normal users (1789)
* Management:
  * Event handlers allow rollout_state as condition (1801)
  * Add script to export OTP counters (1728)
  * Allow many additional tags in email notifications: serial, user, givenname,
    surname, username, userrealm, tokentype, recipient_givenname, recipient_surname,
    time, date (1703)
  * Improve diagnostics script by adding the SQLAlchemy URL (1667)
  * Add resolver conditions to several policy checks (1646)
  * /auth entries in the audit log now also fill in resolver and serial (1593)
  * `pi-manage backup` also backs up the FreeRADIUS configuration (1575)
  * Allow event handlers on the /auth endpoint (1567)
  * Allow forcing a PIN on tokens in the privacyIDEA Authenticator App (1295)
  * New policy *max_active_tokens_per_user* (1241)
  * Add image URL to the otpauth QR code, allowing images in e.g. FreeOTP (1228)
  * Add MAC to PSKC token export (1663)
* Performance:
  * Make the server pool in the LDAP resolver persistent, improving redundancy performance (1396)

Fixes:
* Improve the stability of the schema-update-script (1760)
* Rearrange update order in migration scripts (1733)
* Adapt privacyidea-token-janitor to run with the TokenOwner table (1709)
* Reorder decorators and policy checks to avoid unnecessary error messages (1751)
* Fix user enrollment for tokens that require certain read rights for RADIUS and
certificates by adding additional endpoint /system/names/... (1749, 1748)
* Use same transaction ID for all user tokens even with a TiQR token (1723)
* Improve challenge response to also check the matching of the transaction ID
right at the beginning (1699)
* Add event API requests to Audit log (1600)
* Fix: configuring a pre-eventhandler with an empty condition made authentication fail (1658)
* Improve UI by changing the cursor on all clickable elements (1725)
* Web UI: Focus the filter entry field in tables, when the filter is activated (1661)
* Fix some broken links in UI (1610)
* Fix double listing in policy list (1132)
* Remove additional empty line in audit log in case of an error (1707)
* Fix enrollment of certificate tokens under Python 3 (1799)

3.0.2

Not secure
Fixes:
* Fix creation of table tokenowner and update with PostgreSQL DB
* Fix user assignment migration with non-ASCII characters in userid

3.0.1

Not secure
Fixes:
* Fix PUSH token issues:
  * Add logic checking to setup of PUSH token (1592)
  * Remove double enrollment notification of PUSH token in WebUI (1598)
  * Fix to allow spaces in Firebase configuration (1599)
  * Add support for iOS Firebase configuration (1608)
  * Fix to allow PUSH token enrollment, even with Label-policy (1589)
  * Fix to mark PUSH token challenge answered in the database (1584)
* Fix the validity period of the registration token (1587)
* Beautify the vertical alignment in the Web UI top menu (1559)
* Fix user cache configuration read - defaults to 0 (1596)
* Remove links in audit log for normal users (1497)
* Check UI rights for user resolvers (1496)
* Fix placeholder in realm dropdown in login dialog (1498)
* Fix enckey creation in Python 3 (1594)
* Allow the usage of "browserLanguage" in custom templates (1620)
* Open all accordions when searching for policy action (1558)
* Fix to hide support links also in menu (1626)

3.0

Not secure
Features:
* Add Push Token that receives a Firebase push notification and allows login
by confirming this notification. Works with privacyIDEA Authenticator. (1342)
* Add a queue to offload certain tasks from the original request.
Allow sending emails via queue. (1290)
* Add API to write your own statistics-DB-module to be able to write
to a time series DB (1289)
* The matching policies per request get written to the audit log (874)
* Support Python 3 (676)

Enhancements:
* Enhance challenge response text: allow headers and footers and HTML
in the challenge text (1384)
* Event Handlers may now depend on the user and IP address (1435)
* Improve documentation about customization (1377)
* Allow using the client IP from X-Forwarded-For for all endpoints (1399)
* The otp-counter-condition for event handlers can also match greater
than and less than (1383)
* Allow a token to use another SMS gateway than the default (1358)
* The policy "reset_all_user_tokens" will also work with challenge response (1348)
* Create more readable temporary token passwords based on base58. (1325)
* Allow support button in the UI to point to more sensible locations (1331)

Fixes:
* Update LDAP3 dependency to 2.6 and fix broken objectGUID (1526)
* Allow tokentype endpoints /ttype only for the specific tokentypes (1528)
* When logging in to the Web UI the client IP is only determined by
X-Forwarded-For if the original address (REMOTE_ADDR) is allowed to overwrite the client IP.
(Side effect of 1392)
* Remove submodules/authmodules from git repository and from base package (1516)
* Allow userid as integer in SQLResolver (1513)
* Fix revocation of certificates (1510)
* Fix manual resync of TOTP token (1479)
* Fix audit log entry if token resync fails (1416)
* Fix authcache to actually *write* values to the authcache (1386)
* Fix UI language determination in IE (1379)
* Fix tokenjanitor which sometimes did not delete all matching tokens (1322)
* Fix bug in two step enrollment (1347)
* Do not pass LDAP service account credentials in GET /resolver (1271)
* Redirect to login page in case of missing authorization header (1326)
* Respond with 404 if a non-existing object (like deleting event handler)
is accessed (817)
* Fix setrealm policy so it does not fail if the original user does not exist (1205)
* Optimize hidden SQL queries (1457)
* Improve installation process and schema migration by initially stamping
the database (1489)

Redesign:
* Remove flask imports from libs to make code more modular (331)
* Make the Token-User relation an n:m relation by moving the token assignment
into its own database table. This allows assigning several users to
one token (1288)
* Unify password hashing in SQLResolver by using passlib (1372)
* Redesign the cryptolayer and replace pycrypto with cryptography (1340)
* Remove the old statistics that were based on the audit log in favour
of the generic event handler based statistics (1314)
* Deterministic installation with pinned dependencies on all distributions (1127)

2.23.5

Not secure
Fixes:
* Fix authcache
* Fix correct syncwindow for manually resyncing TOTP tokens

2.23.4

Not secure
Fixes:
* Make triggerchallenge HTTP response consistent
* Add tokentype and message to response of triggerchallenges
* Allow concurrent challenges
* Fix accepted-language to support _only_ de-DE.
* Avoid user resolving in event handler condition
* Point the support button to better landing pages


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.