Merge branch 'main' into alexpatterson/des-452-youtube-cover-upgrade-community-addition-with-passkeys
alex-fusionauth committed Sep 17, 2024
2 parents 4a5c71f + afe1661 commit 707d785
Showing 195 changed files with 1,188 additions and 3,065 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/vale.yml
Expand Up @@ -9,5 +9,5 @@ jobs:
- uses: actions/checkout@v4
- uses: errata-ai/vale-action@reviewdog
with:
files: '["astro/src/content"]'
fail_on_error: false
files: '["astro/src/components","astro/src/content"]'
fail_on_error: true
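Review bot: flipping `fail_on_error` to `true` while also adding `astro/src/components` to `files` means any pre-existing error-level Vale alert in either tree now fails the check on every PR, so both paths should be confirmed clean on `main` before this lands (the README text replaced later in this commit said there were still many errors to fix). Separately, `errata-ai/vale-action@reviewdog` two lines up references a mutable branch and `actions/checkout@v4` a mutable tag; since this job runs in the PR context with the repository's `GITHUB_TOKEN`, pin both to full commit SHAs (keeping the tag in a trailing comment) so a force-pushed or compromised upstream ref cannot change what executes here.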
19 changes: 18 additions & 1 deletion .vale.ini
Expand Up @@ -11,14 +11,31 @@ astro = md
BasedOnStyles = Vale, write-good
BlockIgnores = <RemoteCode ([^>]+)?/>
TokenIgnores = (?m)^import .+ from [^\n]+$, \
(?m)^export const .+, \
(?m)^export const.*, \
(?m)^image: .*oauth.*, \
(?m)^tags: .*oauth.*, \
(?m)^tags: .*ciam.*, \
(?m)\[[^]]*\]\(.*/apis/.*\), \
(?m)\[[^]]*\]\(.*-apis-.*\), \
(?m)\[[^]]*\]\(.*/oauth/.*\), \
class="[^"]*", \
img src=\{.*supabase.*\}, \
<Aside( [^>]+)?>, \
</Aside>, \
<InlineField>[^<]+<\/InlineField>, \
<InlineUIElement>[^<]+<\/InlineUIElement>, \
<API( [^>]+)?/>, \
<DockerSpinup( [^>]+)?/>, \
<OauthIdpOperations( [^>]+)?/>, \
<LambdaTypeAPI( [^>]+)?/>, \
<TokenStorageNote( [^>]+)?/>, \
<Intro( [^>]+)?/>, \
<LoginArchitecture([^>]+)?/>, \
<APIField( [^>]+)?>[^<]+<\/APIField>, \
{[^}]+}, \
\s\s+mtls:.*, \
```[^`]*```, \
(<http[^\n]+>+?), \
<APIURI( [^>]+)?>[^<]+<\/APIURI>
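Review bot: two of the new TokenIgnores patterns look wrong. `(<http[^\n]+>+?)` applies the lazy `+?` to the closing `>` rather than to the URL body, so the greedy `[^\n]+` still runs to the last `>` on the line and swallows any prose in between; `(<http[^\n]+?>)` is almost certainly what was intended. The fenced-code pattern `` ```[^`]*``` `` spans lines, which is what BlockIgnores is for (the `<RemoteCode ([^>]+)?/>` entry above already lives there), and `[^`]*` stops at the first backtick inside the fence, so a code sample that itself contains a backtick will not be matched. Worth a second look as well: `{[^}]+}` is broad enough to hide any brace-wrapped text, not only MDX expressions; the component-tag patterns just above it are the safer model.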
5 changes: 3 additions & 2 deletions DocsDevREADME.md
@@ -1,4 +1,4 @@
## Running builds
# Running builds
Almost all of the content for site now lives under the [astro](./astro) directory and is built by astro. You can run the site by cd-ing into the astro directory and running npm scripts from there or by running savant targets from the top level.

The build targets are
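Review bot: promoting `## Running builds` to `# Running builds` only keeps the outline consistent if the other top-level sections of this file were demoted to match; the later hunk in this commit still shows `### GitHub Actions` and `### Running locally`, so check that the file ends up with a single H1 and that the Vale section those sit under is `##`, otherwise the heading hierarchy skips a level.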
Expand Down Expand Up @@ -456,10 +456,11 @@ The main configuration file is located at [`.vale.ini`](./.vale.ini), where we s
- Right now, we're using [`write-good`](./config/vale/styles/write-good), a collection of simple rules to avoid common mistakes and awkward sentences.
- We also have a custom vocabulary at [`config/vale/styles/config/vocabularies/FusionAuth/accept.txt`](./config/vale/styles/config/vocabularies/FusionAuth/accept.txt) with known words.
- Note that this file can use regular expressions to match words in a case-insensitive manner, as described [in their docs](https://vale.sh/docs/topics/vocab/).
- Anything marked as code (with backticks) is ignored, so if you have a UUID or config string, surrounding it with backticks is a good way to satisfy vale.

### GitHub Actions

There's [a GitHub Action](./.github/workflows/vale.yml) that runs Vale on added/modified files when opening a pull request. It'll only cover files located at `astro/src/content`, but it won't block merging the PR, as we currently have lots of errors to fix. So, use it as a guide to improve what you are writing.
There's [a GitHub Action](./.github/workflows/vale.yml) that runs Vale on added/modified files when opening a pull request. It'll only cover files located at `astro/src/content` and `astro/src/components`. It will block merging the PR.

### Running locally

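Review bot: `It will block merging the PR` is now true only because `fail_on_error: true` was set in `.github/workflows/vale.yml` in this same commit, and the clause that explained why it previously did not block (a backlog of errors) is gone without saying how that backlog was dealt with. Name the workflow input here, state whether only error-level alerts fail the check if that is the intent, and point contributors at the `Running locally` section below and the `accept.txt` vocabulary above as the way to clear a failure before pushing, rather than re-running the job.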
Binary file modified astro/public/img/guides/organizations/account-select.png
Binary file modified astro/public/img/guides/organizations/entity-type.png
2 changes: 1 addition & 1 deletion astro/src/components/GitHubEdit.astro
Expand Up @@ -54,7 +54,7 @@ export function getGithubEditUrl(Astro: Readonly<AstroGlobal>) {
target="_blank"
class="block border-l border-transparent pl-4 text-slate-700 text-sm -ml-px dark:text-slate-400 dark:hover:border-slate-400 dark:group-[.active]:border-indigo-400 dark:group-[.active]:text-indigo-400 group-[.active]:border-indigo-600 group-[.active]:font-semibold group-[.active]:text-indigo-600 hover:border-slate-900/50"
>
Edit on Github
Edit on GitHub
</a>
</li>
</ul>
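Review bot: while touching this anchor, add `rel="noopener noreferrer"` next to the `target="_blank"` three lines above the label if it is not already set on an earlier line of the element; current browsers imply `noopener` for `_blank`, but stating it keeps the docs site's `window` object unreachable from the opened GitHub tab in older ones and is a one-token change.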
@@ -0,0 +1,16 @@
---
export interface Props {
resolvedIn: string;
viaIssue: string;
}
const { resolvedIn, viaIssue } = Astro.props as Props;
---
<Fragment>
<slot></slot>
<ul>
<li>
Resolved in version <code>{resolvedIn}</code> via <a target="_" href={`https://github.com/FusionAuth/fusionauth-issues/issues/${viaIssue}`}>GitHub Issue #{viaIssue}</a>
</li>
</ul>
</Fragment>
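Review bot: `target="_"` on the anchor is not a valid browsing-context keyword; browsers do not recognise it and fall back to opening a new tab, so the link only works by accident. Use `target="_blank" rel="noopener noreferrer"` explicitly. Since `viaIssue` is interpolated straight into the `fusionauth-issues` URL, also consider declaring it as a number (or checking it against `/^\d+$/` before rendering) so a stray frontmatter value cannot produce a link to an unexpected path; Astro escapes the attribute, so this is a correctness point rather than an injection one.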
15 changes: 15 additions & 0 deletions astro/src/components/docs/release-notes/ReleaseNotesIssue.astro
@@ -0,0 +1,15 @@
---
export interface Props {
issue: string;
}
const { issue } = Astro.props as Props;
---
<Fragment>
<slot></slot>
<ul>
<li>
Resolves <a target="_" href={`https://github.com/FusionAuth/fusionauth-issues/issues/${issue}`}>GitHub Issue #{issue}</a>
</li>
</ul>
</Fragment>
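Review bot: this component repeats the markup of the `resolvedIn`/`viaIssue` component almost line for line, including the invalid `target="_"` on the anchor; set `target="_blank" rel="noopener noreferrer"` here too, and consider building the issue link in one place (a small shared component, say a hypothetical `IssueLink`, or a single component with an optional `resolvedIn` prop) so the two cannot drift apart.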
Expand Up @@ -124,7 +124,7 @@ All things in software (and life) have tradeoffs, and tracking login failures i

Once you implement tracking, you may determine that you want to do something to improve your login failure rates. Here are some ideas for how to increase successful logins.

1. **Provide automated help to anyone struggling to log in.** Present tailored advice or reminders in the user experience based on the problem they’re experiencing. An example of this is offering to send a password reset email with one click after a certain number of failed login attempts. Or, if you’re noticing that legitimate-looking users are failing at the captcha step frequently, consider a [CAPTCHA alternative](https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts).
1. **Provide automated help to anyone struggling to log in.** Present tailored advice or reminders in the user experience based on the problem they’re experiencing. An example of this is offering to send a password reset email with one click after a certain number of failed login attempts. Or, if you’re noticing that legitimate-looking users are failing at the CAPTCHA step frequently, consider a [CAPTCHA alternative](https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts).

2. **Give secure options for account credentials reset.** Once a problem has been detected, offer a login with a security code. Once the user is authenticated, allow them to modify their credentials so that they can remember them. For an added layer of security, send the user an email any time their username or password changes. In case it wasn’t them, they can be alerted of a possible malicious actor and take further steps such as changing their credentials or locking their account.

Expand Up @@ -7,7 +7,7 @@ tags: mfa compliance
icon: /img/icons/compliance.svg
darkIcon: /img/icons/compliance-dark.svg
---
[Multifactor authentication](/articles/authentication/multi-factor-authentication), or MFA, is an approach to application security that requires a user to present two or more credentials ("factors") to log in to an application. Factors are normally selected from different categories:
[Multi-factor authentication](/articles/authentication/multi-factor-authentication), or MFA, is an approach to application security that requires a user to present two or more credentials ("factors") to log in to an application. Factors are normally selected from different categories:

- Something the user knows (PIN or password)

Expand Up @@ -276,7 +276,7 @@ As a developer, avoid this factor. If you must implement it, let the user provid

Like all factors, you could use this option as part of defense in depth solution, in combination with other factors.

Counsel your users to answer these questions wisely. Frankly, they should pick fake answers. For example, if a question is "what was your first pet's name", and their first pet's name was Fluffy, pick anything other than "Fluffy". Anything. Perhaps "fido" or "killer".
Counsel your users to answer these questions wisely. Frankly, they should pick fake answers. For example, if a question is "what was your first pet's name", and their first pet's name was Fluffy, pick anything other than "Fluffy". Anything. Perhaps "spot" or "killer".

If the user is saving these answers in a password manager, I would even suggest "h941TphXOL3h0ws7M0U2" or "relevance-middle-yellow-horoscope". The goal is to prevent someone from learning the name of a childhood pet from a Facebook post and using that information to gain illicit access.

Expand Up @@ -12,7 +12,7 @@ Saying *[cyberattacks](https://www.ibm.com/topics/cyber-attack) are becoming inc

Even though the days are gone when a somewhat decent password would thwart [unauthorized access](/blog/breached-password-detection), end users still struggle with creating strong passwords---despite the extensive security training many organizations conduct for employees. Many users continue to fall for ploys to get their passwords, like [phishing attacks](/articles/authentication/why-passwordless-authentication-matters), resulting in [significant financial losses](https://www.upguard.com/blog/cost-of-data-breach) for companies.

[Multifactor authentication](/glossary/multi-factor-authentication), or MFA, allows you to protect your users from the security issues that plague passwords. Instead of focusing so much on [strong passwords](https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb) and keeping those passwords safe, MFA adds an extra layer of authentication to the login process. This means that even if users' passwords are intercepted, MFA can prevent most cases of unauthorized access.
[Multi-factor authentication](/glossary/multi-factor-authentication), or MFA, allows you to protect your users from the security issues that plague passwords. Instead of focusing so much on [strong passwords](https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb) and keeping those passwords safe, MFA adds an extra layer of authentication to the login process. This means that even if users' passwords are intercepted, MFA can prevent most cases of unauthorized access.

The only downside is that MFA introduces an additional step in the login process, which raises concerns about user experience (UX).

4 changes: 2 additions & 2 deletions astro/src/content/articles/authentication/webauthn.mdx
Expand Up @@ -50,9 +50,9 @@ You may have guided many a user through the ritual of password resets, only to w

You've witnessed family members enter their Google account password on a phishing site that has the logos of four different tech companies in stretched aspect ratios and a big green padlock.

### Multifactor Authentication
### Multi-factor Authentication

While [Multifactor Authentication](/articles/authentication/multi-factor-authentication) (MFA) has put up a good fight, patching some holes in the password paradigm, it's often the last pick during the cybersecurity kickball game. It is an absolute chore. Users dread that extra step almost as much as changing passwords, leaving MFA adoption to be driven more by mandate than by choice. When left to their own devices (ugh) users typically won't bother with MFA, even though it can be the one thing standing between them and someone taking over their Gmail to buy high-end umbrellas in London using someone else's stolen credit card. Yes, this is a real example.
While [Multi-factor Authentication](/articles/authentication/multi-factor-authentication) (MFA) has put up a good fight, patching some holes in the password paradigm, it's often the last pick during the cybersecurity kickball game. It is an absolute chore. Users dread that extra step almost as much as changing passwords, leaving MFA adoption to be driven more by mandate than by choice. When left to their own devices (ugh) users typically won't bother with MFA, even though it can be the one thing standing between them and someone taking over their Gmail to buy high-end umbrellas in London using someone else's stolen credit card. Yes, this is a real example.

### The digital threat landscape

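Review bot: the renamed heading is title case (`### Multi-factor Authentication`) while the next heading in the same context (`### The digital threat landscape`) is sentence case; settle on one for the page while this line is being edited. Keeping `Multi-factor` hyphenated is the right call, since it matches the `/articles/authentication/multi-factor-authentication` slug linked in the paragraph below.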
Expand Up @@ -19,7 +19,7 @@ At its core, WebAuthn is an API that builds upon the [FIDO2 specification](/blog

The importance of moving towards passwordless authentication cannot be stressed enough. It eliminates the inherent risks associated with the username and password combinations we're accustomed to using today. One of the largest advantages of a passwordless internet is the eradication of the common practice of reusing passwords.

WebAuthn isn't just an innovation. It acts as a wall of protection against one of the most pervasive and damaging forms of cyber-attacks—phishing. Phishing attacks are notorious for [exploiting human error](/articles/security/steps-secure-your-authentication-system), relying on deception to harvest login credentials. But WebAuthn flips the script. It safeguards against phishing by using asymmetric cryptography and eliminating passwords. Even if someone tricks you into revealing your authentication data, you're still protected because you can't share the key on your device. It also protects against phishing because the prompt to authenticate is tied to the domain of the website, so users are not vulnerable to [unicode domain attacks](https://www.thesslstore.com/blog/unicode-domain-phishing/).
WebAuthn isn't just an innovation. It acts as a wall of protection against one of the most pervasive and damaging forms of cyber-attacks—phishing. Phishing attacks are notorious for [exploiting human error](/articles/security/steps-secure-your-authentication-system), relying on deception to harvest login credentials. But WebAuthn flips the script. It safeguards against phishing by using asymmetric cryptography and eliminating passwords. Even if someone tricks you into revealing your authentication data, you're still protected because you can't share the key on your device. It also protects against phishing because the prompt to authenticate is tied to the domain of the website, so users are not vulnerable to [Unicode domain attacks](https://www.thesslstore.com/blog/unicode-domain-phishing/).

## WebAuthn Key Components

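Review bot: the capitalisation fix is fine, but the sentence `Even if someone tricks you into revealing your authentication data, you're still protected because you can't share the key on your device` is too vague about what makes WebAuthn phishing-resistant. The private key never leaves the authenticator, and the signature it returns covers a server-issued challenge together with the origin the browser observed, so an assertion produced for one domain cannot be replayed to a look-alike domain; that is exactly the property the following sentence about `Unicode domain attacks` relies on, and stating it makes the paragraph hold together.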
Expand Up @@ -146,7 +146,7 @@ You need to enter the following:
Click "Submit".
> If you do encounter the error ***Exception in thread main java.lang.NoClassDefFoundError: com/inversoft/mysql/MySQLHelper***, make sure you've [installed the MySQL driver](/docs/get-started/download-and-install/database#install-mysql-connector).
> If you do encounter the error `Exception in thread main java.lang.NoClassDefFoundError: com/inversoft/mysql/MySQLHelper`, make sure you've [installed the MySQL driver](/docs/get-started/download-and-install/database#install-mysql-connector).

### Complete the Setup Wizard

Expand Up @@ -89,9 +89,7 @@ More importantly, mobile-based authentication methods are at the forefront of ac

If passwordless authentication still seems like a risky innovation, consider that major tech players, like Microsoft, have recognized the importance of investing in alternative authentication methods that improve on password-based ones. Microsoft's [endorsement and integration](https://www.microsoft.com/en-us/security/business/solutions/passwordless-authentication) of passwordless authentication signal a possible shift for other organizations to do likewise, enhancing the likelihood that passwordless authentication will achieve compliance.

Other tech giants ha

ve also made significant contributions to include passwordless in the regulatory compliance space. Google and Apple have incorporated biometric authentication into their ecosystems and are experimenting with more [passwordless features](https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/).
Other tech giants have also made significant contributions to include passwordless in the regulatory compliance space. Google and Apple have incorporated biometric authentication into their ecosystems and are experimenting with more [passwordless features](https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/).

The collective efforts of these industry leaders indicate a shift towards a future where compliance and user-friendly authentication can coexist.

Expand Up @@ -69,7 +69,7 @@ If a form field is optional, clearly mark it so. Even better, don't ask for opti

Provide clear error messages when data fails to validate. Use both client side validation, which is faster, and server side validation, which is tamper proof. On the topic of tampering, ensure any form is submitted over TLS. You want to keep submitted information confidential and secure.

Make use of the full suite of HTML elements. Dropdowns and radio buttons are powerful, but number and email input fields leverage browsers' built-in validation and should be used as well. If you aren't sure what's supported, use tools like [caniuse.com](https://caniuse.com/) to verify compatibility.
Make use of the full suite of HTML elements. Dropdowns and radio buttons are powerful, but number and email input fields leverage browsers' built-in validation and should be used as well. If you aren't sure what's supported, use tools like [Caniuse](https://caniuse.com/) to verify compatibility.

### Registration forms are unique

Expand Up @@ -124,7 +124,7 @@ There are also user profile claims. Here's an incomplete list:
* `phone_number`, the user's preferred telephone number.
* `updated_at`, the time the user's information was last updated.

All times are numbers representing the number of seconds since the unix epoch. The `iss`, `sub`, `aud`, `exp`, and `iat` claims are required and will be present in every Id token. Every other claim is optional, though some are required if the RP requests them or the OP is configured in certain ways.
All times are numbers representing the number of seconds since the UNIX epoch. The `iss`, `sub`, `aud`, `exp`, and `iat` claims are required and will be present in every Id token. Every other claim is optional, though some are required if the RP requests them or the OP is configured in certain ways.

You can see that an RP can get a decent amount of information about a user and the authentication from the OP. It's all transmitted in the Id token, which must be validated to ensure that there's no funny business going on.

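Review bot: `Id token` on the changed line should be `ID Token`, the casing OpenID Connect Core uses, and it appears again two lines down. The claim list itself is correct (`iss`, `sub`, `aud`, `exp` and `iat` are the required ID Token claims in OIDC Core 1.0 section 2); since the paragraph below says the token `must be validated`, it is worth adding that `aud` must contain the RP's `client_id` and that `nonce` is required whenever the RP sent one in the authentication request, because those two checks are what the validation step actually hinges on.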
Expand Up @@ -52,4 +52,4 @@ Native mobile applications are usually installed via a store and installed on th

Native applications often call APIs to handle user interactions and input. For example, if a user clicks a button or submits a form, the application might call an API on the server. This API might be called via HTTP or some other type of protocol. Often, native applications use various libraries for making API calls simpler.

Some experts recommend that native applications (including mobile apps) use OAuth's authorization code grant. This method works fine with many IdPs, including FusionAuth, but is not listed in this section because it is covered in the SPA and WebApp sections above. The only difference is that at the end of the OAuth workflow, the native application pulls the JWT and refresh tokens from the web-view.
Some experts recommend that native applications (including mobile apps) use OAuth's authorization code grant. This method works fine with many IdPs, including FusionAuth, but is not listed in this section because it is covered in the Single Page Application and Traditional Web Application sections above. The only difference is that at the end of the OAuth workflow, the native application pulls the JWT and refresh tokens from the web-view.
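Review bot: the expanded section names read better, but the closing sentence `the native application pulls the JWT and refresh tokens from the web-view` describes the pattern RFC 8252 (OAuth 2.0 for Native Apps) tells native apps not to use. The recommended authorization code flow hands the login to the system browser (an external user agent, such as the OS in-app browser tab), requires PKCE, and returns to the app through a private-use URI scheme or claimed HTTPS redirect, so the app never sees the browser session; an embedded web-view lets the app observe the user's credentials and breaks single sign-on. Rewording to `receives the authorization code on its redirect URI and exchanges it for tokens` would match the grant the sentence is recommending.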

0 comments on commit 707d785
