Changelog 

0.8.2 

Fixes 

  • Documentation/CLAUDE.md converted from a symlink to a real file. The TYPO3 render-guides pipeline aborts on symlinks with League\Flysystem\SymbolicLinkEncountered, so the v0.8.1 docs render failed and no /0.8/en-us/ tree was published. Other symlinks in the repository are outside the render scope and are untouched.

Internal 

  • Release orchestrator now verifies the docs build by polling the upstream TYPO3-Documentation/t3docs-ci-deploy workflow run instead of the rendered URL. Failures are reported immediately (previously we would time out after 45 minutes without being able to distinguish "still rendering" from "render failed").
  • Release evidence block in the GitHub release body now uses the correct /major.minor/en-us/ docs URL (Intercept maps tags to major.minor branches).

0.8.1 

Internal 

  • Release pipeline consolidated into a single orchestrator workflow (netresearch/typo3-ci-workflows/.github/workflows/release-typo3-extension.yml). Tag push now runs build + TER publish + Packagist verification + docs.typo3.org verification + atomic GitHub release creation in one workflow run, replacing the previous split that relied on a release: published chain-trigger (which broke silently under workflow-created releases). A new manual republish workflow allows re-running any subset of {TER, docs, Packagist} verification against an existing tag without mutating the release. No runtime behaviour change; the extension code shipped in 0.8.1 is identical to 0.8.0.
  • E2E test triage: six pre-existing broken Playwright specs marked .fixme() with root-cause TODOs. Unblocks the CI matrix after the shared reusable workflow was repaired to actually execute specs (netresearch/typo3-ci-workflows#60, netresearch/typo3-ci-workflows#61, netresearch/typo3-ci-workflows#62).

0.8.0 

Features 

  • New skipMfaOnPasskeyAuth extension setting (default enabled): when a user authenticates with a passkey, the TYPO3 MFA challenge is skipped for that session. A passkey is already multi-factor, so requiring TOTP on top is redundant. Password-based logins are unaffected and still go through MFA as configured. This resolves the MFA-policy dilemma where forcing MFA for password users also forced passkey users through a second factor they had already provided.
  • Help tab "Passkeys & MFA" section rewritten to name the password-only loophole (disabling requireMfa lets password-only logins through without any second factor) and document the recommended production combination of requireMfa + skipMfaOnPasskeyAuth + disablePasswordLogin.

0.7.0 

Features 

  • Help icon button in DocHeader (question-mark icon via TYPO3 ButtonBar API) so the Help tab is discoverable without the dropdown menu
  • Adoption rate gamification badges on Dashboard: Getting started, Bronze (25%), Silver (50%), Gold (75%), Platinum (100%) with icons
  • Quick Start guide on Dashboard for new installations with step-by-step setup instructions and auto-detected rpId display
  • MFA hint on Dashboard informing admins that passkeys are inherently multi-factor and TOTP may be redundant
  • Configuration status hints when rpId and origin are both auto-detected
  • Enhanced Help page MFA section: renamed to "Passkeys & MFA", added prominent infobox answering "Are passkeys secure enough without MFA?"
  • README: Quick Start section, Passkeys & MFA guidance, TER docs link, rpId/rpName/origin in configuration table

Fixes 

  • Use InfoboxViewHelper::STATE_* integer constants for cross-version f:be.infobox compatibility (v12/v13/v14)
  • Use enum_exists(IconSize::class) runtime check for getIcon() v12 compatibility (v12 uses string, v13+ uses IconSize enum)
  • Badge labels are translatable via TranslationTrait

0.6.0 

Features 

  • Per-group passkey enforcement with 4 levels: Off, Encourage, Required, Enforced
  • Configurable grace periods for Required enforcement (1–365 days)
  • PSR-15 interstitial middleware prompting users to register passkeys (skippable during grace period, mandatory after expiry)
  • Encourage-stage dismissible banner with passkey explanation, docs link, and administrator contact guidance (supports TYPO3 v12/v13/v14)
  • Admin dashboard backend module (Admin Tools > Passkey Management) with adoption statistics, per-group enforcement controls, and user list
  • Admin actions: Send Reminder (nudge), Clear Nudge, Revoke All
  • EnforcementLevel enum, EnforcementStatus DTO, EnforcementService, AdoptionStatsService
  • PasskeyBanner.js, PasskeyDashboard.js JavaScript modules
  • TCA fields passkey_enforcement and passkey_grace_period_days on be_groups
  • 5 new admin AJAX endpoints for enforcement and nudge management
  • 153 i18n translation units across 4 XLF files
  • Context-sensitive help tab in admin module with rollout guide, recovery procedures, MFA coexistence, and FAQ

0.5.0 

Features 

  • Per-user password login enforcement: disablePasswordLogin now blocks passwords only for users who have registered passkeys, enabling gradual onboarding without locking out new users
  • Deployment Scenarios documentation chapter covering multi-environment setup, database sync, user onboarding, and local DDEV development

0.4.0 

Features 

  • TYPO3 12.4 LTS support (PHP 8.2+ required)
  • Event listener registered via Services.yaml tag for v12 compatibility (#[AsEventListener] attribute retained for v13+)
  • PasskeyInfoElement DI-aware FormEngine node with setData() for v12 NodeFactory compatibility
  • CI matrix expanded with TYPO3 v12.4 test jobs
  • DDEV development environment includes v12 installation

0.3.0 

Features 

  • Inline name input for passkey registration: users can name their passkey before registering (defaults to "Passkey")
  • Accessible aria-label on the name input field
  • Input is disabled during registration and reset after success

Refactoring 

  • Rewrote PasskeyManagement.js from IIFE to ES module using TYPO3 native APIs: AjaxRequest, Notification, Modal, SeverityEnum, sudoModeInterceptor, DocumentService
  • Replaced PageRenderer::addJsFile() with loadJavaScriptModule()
  • Replaced inline style with CSS class

Fixes 

  • Escape label in removal confirmation modal (XSS prevention)
  • Defer DOM initialization with DocumentService.ready()
  • Resolve AjaxRequest responses and check status before showing success notifications

0.2.0 

Features 

  • Warn about short or missing TYPO3 encryption key in the passkey settings panel (minimum 32 characters required)
  • Include exception details in management API error responses for authenticated users

Documentation 

  • Added Troubleshooting section covering encryption key issues, HTTPS requirements, log location, and debug mode

0.1.0 

Initial release.

Features 

  • Passwordless backend authentication via WebAuthn/FIDO2 Passkeys
  • Passkey button injected into the standard TYPO3 login form via PSR-14 event listener (no login provider switching)
  • Support for TouchID, FaceID, YubiKey, Windows Hello, and other FIDO2-compliant authenticators
  • Authentication service at priority 80 (above standard password service)
  • Authentication data packed into userident field as JSON ($GLOBALS['TYPO3_REQUEST'] is null during auth chain)
  • Credential registration, listing, renaming, and removal for users
  • Admin API for listing, revoking credentials and unlocking accounts
  • HMAC-SHA256 signed challenge tokens with nonce replay protection
  • Per-endpoint rate limiting by IP address
  • Account lockout after configurable failed attempt threshold
  • Discoverable login (usernameless, Conditional UI) behind feature flag
  • Option to disable password login entirely (passkey-only mode)
  • Configurable signing algorithms (ES256, ES384, ES512, RS256)
  • Configurable user verification requirement
  • User enumeration prevention with randomized timing
  • Soft delete and admin revocation with audit trails
  • Signature counter tracking for clone detection
  • Passkey-specific error message on failed login attempts via sessionStorage detection
  • Default audit log writer (WARNING+ to typo3temp/var/log/passkey_auth.log)
  • TYPO3 13.4 LTS and TYPO3 14.x compatibility
  • PHP 8.2, 8.3, 8.4, and 8.5 support
  • Comprehensive test suite (unit, fuzz, functional, JavaScript)
  • PSR-3 logging for all significant events