After fixing the most urgent vulnerability in the previous release, here is another one.
Small breaking change to the change-password route
This route now requires the hash of the old password before the password may be changed.
The server now supports a separate key for signature validation.
Using the same key for both signing and encryption is not a best practice; this has been fixed in the lib and is supported by the server (secretin/secretin-lib#58).
Rescue codes are now protected from the server
The rescue codes you could use if you forgot or lost your TOTP device were generated on the server and stored in clear text.
They are now generated by the client and XORed with the hash of the password, so the server cannot retrieve them.
They are also bigger, so harder to brute-force.
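The client-side rescue-code scheme described above, as an added illustration that is not secretin's own code: codes are generated locally with a CSPRNG, masked by XOR with key material derived from the password hash, and only the masked blobs are uploaded. It goes slightly beyond the text by deriving a distinct HMAC-based mask per code from the password hash, so no two codes share the same XOR pad; the hash function, PBKDF2 parameters, code length and salt are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example, not secretin's real ones.
CODE_BYTES = 16            # 128-bit rescue codes
PBKDF2_ITERATIONS = 100_000


def password_hash(password: str, salt: bytes) -> bytes:
    """Client-side password hash (assumed PBKDF2-HMAC-SHA256, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def generate_rescue_codes(count: int = 5) -> list[bytes]:
    """Codes are drawn from the OS CSPRNG on the client; the server never sees them."""
    return [secrets.token_bytes(CODE_BYTES) for _ in range(count)]


def _mask(pw_hash: bytes, index: int) -> bytes:
    """Per-code pad derived from the password hash (assumption: HMAC-SHA256 over the index)."""
    return hmac.new(pw_hash, index.to_bytes(4, "big"), "sha256").digest()[:CODE_BYTES]


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def protect_codes(codes: list[bytes], pw_hash: bytes) -> list[bytes]:
    """What the client uploads: each code XORed with its pad. Without pw_hash the blobs look random."""
    return [_xor(code, _mask(pw_hash, i)) for i, code in enumerate(codes)]


def recover_codes(blobs: list[bytes], pw_hash: bytes) -> list[bytes]:
    """XOR is its own inverse: re-applying the same pads returns the plaintext codes."""
    return [_xor(blob, _mask(pw_hash, i)) for i, blob in enumerate(blobs)]


def demo() -> bool:
    """Round trip with the right password, and a mismatch with a wrong one."""
    salt = b"constructed-salt-for-example"      # constructed value
    pw_hash = password_hash("correct horse battery staple", salt)
    codes = generate_rescue_codes()
    stored = protect_codes(codes, pw_hash)       # only this reaches the server
    ok = recover_codes(stored, pw_hash) == codes
    wrong = recover_codes(stored, password_hash("wrong password", salt)) != codes
    return ok and wrong
```

The server holds only `stored`; recovering the codes requires the password hash the client never uploads, which is what makes the server-side clear-text storage of the old design go away.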