ProcessWire Weekly #317

Latest core updates: ProcessWire 3.0.159 brings improvements to the built-in two-factor authentication support

In his latest post at the processwire.com blog Ryan introduces 3.0.159, the latest version of ProcessWire available via the dev branch (as of this writing). This week the focus has been on improving our built-in two-factor authentication (2FA) features, but there were also some other (minor) improvements included.

The intention behind these 2FA updates is, plain and simple, to increase the usage of this additional security measure. Although the core 2FA support is already technically fully functional, there are some additional steps that we believe will further drive its adoption, thus making even more ProcessWire websites even more secure.

Step one: improving the user-friendliness of 2FA

The first thing, and the part that has already been released, is a "remember me" feature for our two-factor authentication system. What this means in practice is that superuser can now define a number of days for ProcessWire to remember the authentication code provided by each individual user.

This is completely optional and even if you enable it globally users still have to check a checkbox during login for it to be enabled — but, in cases where users would otherwise view 2FA as too much of a hassle, this feature can lessen their burden and make 2FA seem far less of a nuisance.

For more details on this feature be sure to check out the blog post by Ryan.

Step two: adding the ability to enforce 2FA for specific roles

Until now it has only been possibly to "strongly recommend" 2FA, but Ryan is currently working on an update that will make it possible to actually enforce it for selected roles. This feature is currently a work in progress, but will likely land in the core by next week.

The gist here is that this will probably require the TfaEmail module, since email address is required for all ProcessWire users, and email verification is also the only 2FA method that doesn't require any configuration in advance.

Again, you can find more details from the blog post.

Step three: making enabling 2FA as easy as possible

Third step in our 3-step plan is making 2FA features a true turn-key solution. Currently support for this feature is built into the core, but you still need to install one or more Tfa-modules (and configure them), which means that there are some extra steps.

The idea that Ryan has proposed is bringing at least two popular 2FA modules — TOTP and email ones — into the core package. This is not a complete no-brainer since we're also always looking to make the core leaner, but from a security point of view it would probably be a good move.

What do you think — should these be a part of the core? Are there any other features that you feel could be stripped from the core simultaneously? Head down to the blog and let us know what you think via the comments section!

New module: hCaptcha

The latest addition to our modules directory is an Inputfield module called hCaptcha. Developed by Moritz L'Hoest and sponsored by schwarzdesign, this module can be enabled for any ProcessWire form — including those created by FormBuilder — and is basically a drop-in replacement for Google's ReCaptcha.

In case you're wondering "why", the short answer is "privacy". ReCaptcha is undoubtedly a powerful solution for blocking spam bots and other automated bad actors, but it will also collect quite a bit of personal information — and, especially in the EU where such things are now under very strict scrutiny, that can be a serious dealbreaker.

The main promise of hCaptcha is that of comparable level of security without any of those pesky privacy related issues. They also offer reward programs and more, so be sure to check their site for more details on that.

For more details on the features of this module, visit the dedicated hCaptcha module support forum thread. If you'd like to give this module a try, you can install it directly from the ProcessWire admin, or grab it from the hCaptcha GitHub repository.

Sneak peek into the upcoming Editor.js Fieldtype module

This week we're very happy to introduce a still work-in-progress Fieldtype module that has only just been unveiled via a support form post: FieldtypeEditorJS.

The goal of this module is to integrate the open source "block editor" Editor.js into the admin of ProcessWire. The block editor experience provided by Editor.js is pretty close to something like Gutenberg for WordPress; in some ways it's a pretty new paradigm, but one that has been growing in popularity in recent years.

It's very interesting to see how this module will look and feel once it's finished. All we can say at this point is that it's already looking really slick, and once released it will no doubt be a very interesting alternative to CKEditor and similar tools.

FieldtypeEditorJS is being developed by flydev, and he has posted a list of features as well as a screencast on the support forum, so visit the support forum thread for more details. While the module looks largely functional in the screencast, it's not quite yet publicly available — and, in fact, it may actually be released as a commercial module.

Site of the week: HUM Systems

Our latest site of the week belongs to HUM Systems — a Berlin based startup with a mission to improve people's lives with IoT technology and artificial intelligence. The name of HUM Systems name comes from HUMAN MACHINE SYSTEMS, which also serves as the fundamental idea and concept behind the company.

The HUM Systems website was designed and developed by VOLL digital GmbH. You can find a detailed case story for the project from the VOLL digital website, but here are the key reasons why the folks at VOLL felt that specifically ProcessWire was a great choice for this particular project:

• ProcessWire is an exceptionally flexible system, providing powerful features for content management. This, in turn, makes it easy for the client to manage their own content and allows them to always be on top of latest happenings.
• This website is multi-lingual, which brings another core strength of ProcessWire into play: having extensive multi-lingual features built-in means that you don't need any third party extensions to build a full-featured multi-lingual website.
• Finally, ProcessWire has exceptional track record when it comes to security, and the system remains easily updateable no matter how much custom work you've put into the project.

Now, the design of this website — another topic covered in more detail in the case story — is quite unique. This can be said about both the overall user interface of the website, menu structures and such, but also applies to the hand-crafted custom illustrations. All in all this is a really beautiful website, and though the UI is a bit unorthodox, the end result is easy to grasp and enjoyable to browse.

Be sure to check out the HUM Systems website, and definitely dig into the case story by VOLL digital as well. Our congratulations to both the client and the studio behind the implementation; fantastic work!

Stay tuned for our next issue

That's all for the 317th issue of ProcessWire Weekly. We'll be back with more news, updates, and content Saturday, 13th of June. As always, ProcessWire newsletter subscribers will get our updates a few days later.

Thanks for staying with us, once again. Hope you've had a great and productive week, and don't forget to check out the ProcessWire forums for more interesting topics. Until next week, happy hacking with ProcessWire!