usertour

v0.7.6 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics: announcements, appcues, chameleon, checklist, in-app, nps, onboarding, pendo, surveys, tooltips, tour, userflow, userpilot, walkme

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 9d

Release v0.7.6 introduces comprehensive two‑factor authentication (TOTP) with lifecycle management, instance‑wide enforcement, recovery codes, and enhanced security controls for login and API access.

Why it matters: Enables mandatory TOTP for all users on self‑hosted instances; encrypts secrets with AES-256‑GCM; blocks GraphQL operations from unenrolled accounts when the policy is active—critical for securing user login surfaces.

Summary

AI summary

Two-factor authentication added with TOTP, recovery codes, instance-wide enforcement, and email lockout after failed attempts.

Changes in this release

Security High

Encrypts TOTP secrets with AES-256-GCM before storage.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Security High

Ensures atomic consumption of recovery codes to prevent concurrent replay attacks.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Security High

Blocks non‑bootstrap GraphQL operations from users who have not enrolled in 2FA while the policy is active.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Two-factor authentication with TOTP-based flow using authenticator apps.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

User Settings → Account provides 2FA lifecycle management (enable, regenerate, disable).

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Self-hosted instances can require 2FA for all users via System Admin toggle.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Per-email lockout after 10 failed password attempts in a rolling 10-minute window.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Adds TOTP-based two-factor authentication (2FA) for user accounts.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Provides instance-wide toggle to require 2FA for all users on self-hosted deployments.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Adds step‑up authentication requiring a fresh 2FA code for disabling 2FA or regenerating recovery codes.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Generates and stores 10 one-time recovery codes per user, bcrypt‑hashed, shown once during setup.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Revokes refresh tokens of non‑enrolled users when the instance‑wide 2FA policy is enabled.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

This release adds two-factor authentication to Usertour. Every account can now opt into TOTP-based 2FA from Settings → Account, and
self-hosted system admins can require it for everyone on the instance. Password login also gets per-email lockout after repeated failures.

What's Changed

🔐 Two-factor authentication

  • New TOTP-based 2FA flow using authenticator apps (Google Authenticator, Authy, 1Password, etc.). Secrets are stored AES-256-GCM encrypted;
    each user gets 10 one-time recovery codes (bcrypt-hashed) at setup, shown once with a Download / Copy / "I have saved" confirmation gate.
  • Sign-in adds an /auth/2fa step when 2FA is on. The page accepts both an authenticator code and — via "Use a recovery code instead" — a
    one-time recovery code. The same flow applies to email/password and the Google/GitHub OAuth callbacks.
  • Step-up auth on sensitive operations: disabling 2FA and regenerating recovery codes both require a fresh authenticator (or recovery) code.
    Recovery code consumption is an atomic CAS so a stolen list cannot be replayed concurrently.
  • Settings → Account exposes the full lifecycle: enable, regenerate, disable, plus a recovery-codes sub-row that reflects current state.
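The step-up and replay points above are easiest to see in code. The following is an added Python illustration, not usertour's own code. It assumes a PBKDF2-HMAC-SHA256 hash as a stdlib stand-in for the bcrypt the release notes mention, an in-memory SQLite table whose conditional UPDATE plays the role of the atomic compare-and-swap, and the RFC 6238 test key as the demo TOTP secret; all function names are the example's own.

```python
"""Step-up check for sensitive 2FA operations (disable 2FA, regenerate recovery
codes): accept a fresh authenticator code, or consume exactly one recovery code
with a compare-and-swap so a leaked list cannot be replayed concurrently.

Added illustration, not usertour code. Assumptions not taken from the page:
PBKDF2-HMAC-SHA256 stands in for bcrypt, and an in-memory SQLite table is the
store whose conditional UPDATE is the CAS.
"""
import base64
import hashlib
import hmac
import secrets
import sqlite3
import struct
import time

DIGITS, STEP_SECONDS, CODES_PER_USER = 6, 30, 10
PBKDF2_ROUNDS = 20_000  # demo-sized work factor; bcrypt in production
# RFC 6238 test key, used here only so the demo has a known vector.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1, 30 s steps, 6 digits) for a unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, code: str, last_used_step: int, now=None):
    """Return the accepted time step, or None. One step of clock skew either way
    is tolerated, but a step at or before the last accepted one is refused, so a
    code already spent at sign-in cannot be reused for step-up."""
    if len(code) != DIGITS or not code.isdigit():
        return None
    now = int(time.time()) if now is None else now
    for skew in (-1, 0, 1):
        step = now // STEP_SECONDS + skew
        if step <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret_b32, step * STEP_SECONDS), code):
            return step
    return None


def open_store() -> sqlite3.Connection:
    """In-memory table standing in for the application database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recovery_codes (id INTEGER PRIMARY KEY, "
               "user_id TEXT, salt BLOB, hash BLOB, used_at INTEGER)")
    return db


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def new_recovery_codes(db, user_id: str) -> list:
    """Issue CODES_PER_USER fresh codes. Only salted hashes are stored; the
    returned plaintext is the one time the user can see them."""
    db.execute("DELETE FROM recovery_codes WHERE user_id = ?", (user_id,))
    plain = [secrets.token_hex(5) for _ in range(CODES_PER_USER)]
    for code in plain:
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO recovery_codes (user_id, salt, hash) VALUES (?, ?, ?)",
                   (user_id, salt, _hash(code, salt)))
    db.commit()
    return plain


def consume_recovery_code(db, user_id: str, code: str) -> bool:
    """Find the matching unused code, then mark it used with a conditional
    UPDATE. Two concurrent requests carrying the same code both pass the hash
    check, but only the UPDATE that still sees used_at IS NULL reports
    rowcount 1; the other caller is rejected instead of replaying the code."""
    if not code.isascii():
        return False
    rows = db.execute("SELECT id, salt, hash FROM recovery_codes "
                      "WHERE user_id = ? AND used_at IS NULL", (user_id,)).fetchall()
    for row_id, salt, stored in rows:
        if hmac.compare_digest(stored, _hash(code, salt)):
            cur = db.execute("UPDATE recovery_codes SET used_at = ? "
                             "WHERE id = ? AND used_at IS NULL",
                             (int(time.time()), row_id))
            db.commit()
            return cur.rowcount == 1
    return False


def step_up(db, user_id, secret_b32, last_used_step, code, now=None):
    """Gate for disable-2FA / regenerate: returns (allowed, new_last_used_step)."""
    step = verify_totp(secret_b32, code, last_used_step, now)
    if step is not None:
        return True, step
    return consume_recovery_code(db, user_id, code), last_used_step
```

The decision in `consume_recovery_code` rests on the UPDATE's row count, not on the preceding SELECT; a check-then-act that trusted the SELECT would let two simultaneous requests both succeed with the same stolen code. Persisting the step returned by `verify_totp` as the user's `last_used_step` is what makes the "fresh code" requirement enforceable.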

🏢 Instance-wide enforcement (self-hosted)

  • New Require 2FA for all users toggle on System Admin → Authentication. When on, non-enrolled users are redirected to a forced
    /auth/2fa/setup page on their next request and cannot bypass it via API clients.
  • Server-side enforcement runs in two layers: turning the policy on revokes refresh tokens of every non-enrolled user, and a
    TwoFactorEnrollmentGuard rejects non-bootstrap GraphQL operations from non-enrolled users while the policy is active.
  • The toggle is gated by the instance license. If the license stops covering 2FA, the policy goes dormant (not silently off): existing
    enrolled users keep verifying, new non-enrolled users stop being forced. Admins cannot turn the policy on until they have enabled 2FA on
    their own account, to avoid self-lockout.
  • SaaS deployments don't surface the instance-wide toggle — per-user 2FA only.
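The enforcement rules in this section interact (SaaS exclusion, license-gated dormancy, bootstrap exceptions, the admin self-lockout check, token revocation), so here they are written out as policy code. This is an added Python example, not usertour's code; the operation names, the `Instance` fields and the exact rule set are assumptions modelled on the notes above.

```python
"""Decision logic for an instance-wide "require 2FA" policy: who is forced to
the setup page, which operations still pass, when the policy is dormant, and
who may switch it on.

Added example, not usertour code. Operation names, Instance fields and the
exact rule set are assumptions based on the release notes.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    FORCE_SETUP = "force_setup"   # web: redirect to /auth/2fa/setup; API: reject


@dataclass(frozen=True)
class Instance:
    saas: bool                 # SaaS deployments never surface the toggle
    require_2fa: bool          # the System Admin toggle, as stored
    license_covers_2fa: bool   # current license state


# Operations a non-enrolled user must still be able to run to enroll or leave
# (assumed names; the page only says "non-bootstrap" operations are rejected).
BOOTSTRAP_OPERATIONS = frozenset({"me", "twoFactorSetup", "twoFactorEnable", "logout"})


def policy_active(inst: Instance) -> bool:
    """Enforcement needs self-hosted + toggle on + license coverage. If the
    license lapses the toggle stays recorded but the policy is dormant, so it
    resumes by itself once the license covers 2FA again."""
    return (not inst.saas) and inst.require_2fa and inst.license_covers_2fa


def guard(inst: Instance, user_enrolled: bool, operation: str) -> Decision:
    """The request-time layer: enrolled users pass; non-enrolled users pass only
    for bootstrap operations while the policy is active."""
    if user_enrolled or not policy_active(inst):
        return Decision.ALLOW
    return Decision.ALLOW if operation in BOOTSTRAP_OPERATIONS else Decision.FORCE_SETUP


def can_enable_policy(inst: Instance, admin_enrolled: bool) -> tuple:
    """Preconditions for flipping the toggle; the last one prevents self-lockout."""
    if inst.saas:
        return False, "instance-wide 2FA is not offered on SaaS"
    if not inst.license_covers_2fa:
        return False, "license does not cover 2FA"
    if not admin_enrolled:
        return False, "enable 2FA on your own account first"
    return True, "ok"


def on_policy_enabled(enrolled_by_user: dict, revoke_refresh_tokens) -> list:
    """The switch-time layer: revoke refresh tokens of every non-enrolled user
    so existing API sessions cannot outlive the policy change."""
    targets = [uid for uid, enrolled in enrolled_by_user.items() if not enrolled]
    for uid in targets:
        revoke_refresh_tokens(uid)
    return targets
```

Keeping `require_2fa` and `license_covers_2fa` as separate inputs is what gives the dormant state: the admin's intent survives a license lapse, and nothing has to be re-enabled by hand afterwards. The two layers are complementary: revocation closes sessions that already exist, the guard stops new ones from doing anything useful before enrollment.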

🛡️ Password lockout

  • Email/password login now locks out a given email after 10 failed attempts in a rolling 10-minute window, backed by a Redis Lua-script
    INCR + EXPIRE helper. Lockout is per-email, not per-IP, and clears automatically on success.
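The lockout counter is a small mechanism with one subtle property (the window rolls from the most recent failure, and INCR and EXPIRE must not be separable). The following is an added Python example, not usertour's code: the Redis side is reduced to an in-memory store with an injectable clock so it runs offline, and the `LOCKOUT_SCRIPT` constant is the example author's rendering of the Lua such a helper would run, shown for the atomicity point and not executed here.

```python
"""Per-email password-login lockout: 10 failures within a rolling 10-minute
window lock the email; a successful login clears the counter.

Added example, not usertour code. The Redis side is an in-memory stand-in with
an injectable clock; LOCKOUT_SCRIPT shows the shape of the Lua that keeps INCR
and EXPIRE atomic and is not executed here.
"""
from typing import Callable, Dict, Tuple

MAX_FAILURES = 10
WINDOW_SECONDS = 600

# Running both commands in one script means a counter key can never be left
# behind without a TTL (a lost EXPIRE would lock an email permanently).
LOCKOUT_SCRIPT = """
local n = redis.call('INCR', KEYS[1])
redis.call('EXPIRE', KEYS[1], ARGV[1])
return n
"""


class CounterStore:
    """Stand-in for the two Redis commands the script uses."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self._data: Dict[str, Tuple[int, float]] = {}  # key -> (count, expires_at)

    def _live(self, key: str):
        entry = self._data.get(key)
        if entry is not None and entry[1] > self.clock():
            return entry
        self._data.pop(key, None)  # lazily drop expired keys, as Redis would
        return None

    def incr_with_expire(self, key: str, ttl: int) -> int:
        """Equivalent of EVAL LOCKOUT_SCRIPT: bump the count and restart the TTL,
        which is what makes the window roll from the most recent failure."""
        entry = self._live(key)
        count = (entry[0] if entry else 0) + 1
        self._data[key] = (count, self.clock() + ttl)
        return count

    def get(self, key: str) -> int:
        entry = self._live(key)
        return entry[0] if entry else 0

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


class LoginLockout:
    def __init__(self, store: CounterStore):
        self.store = store

    @staticmethod
    def key(email: str) -> str:
        # Keyed per normalized email, not per IP: attempts spread over many
        # source addresses still count against the one account they target.
        return "login:fail:" + email.strip().lower()

    def is_locked(self, email: str) -> bool:
        return self.store.get(self.key(email)) >= MAX_FAILURES

    def record_failure(self, email: str) -> bool:
        """Returns True when this failure reaches the lockout threshold."""
        return self.store.incr_with_expire(self.key(email), WINDOW_SECONDS) >= MAX_FAILURES

    def record_success(self, email: str) -> None:
        self.store.delete(self.key(email))


def attempt_login(lock: LoginLockout, email: str, password_ok: bool) -> str:
    """Outcome of one login attempt: 'locked', 'failed' or 'ok'."""
    if lock.is_locked(email):
        return "locked"   # the password is not even checked while locked
    if not password_ok:
        lock.record_failure(email)
        return "failed"
    lock.record_success(email)
    return "ok"
```

The trade-off of keying by email rather than by IP is worth knowing: anyone who knows an address can trigger a lockout on it, while a per-IP counter is evaded by spreading attempts across addresses. Monitoring how often the threshold is reached per account is the usual way to spot either pattern.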

Full Changelog: https://github.com/usertour/usertour/compare/v0.7.5...v0.7.6

About usertour

Usertour is an open-source user onboarding platform. It allows you to create in-app product tours, checklists, and surveys in minutes—effortlessly and with full control. The open-source alternative to Userflow and Appcues.

Related context

Earlier breaking changes

  • v0.8.3 Removes the insecure 'development-key-not-secure' fallback for ENCRYPTION_KEY; operators must set the env var explicitly.
  • v0.7.5 All 60 workspace packages move to @usertour/* from @usertour-packages/*