I have some good news and some bad news.

The bad news is that traditionally, some of the most convoluted code in Gazelle deals with logging people into the site. This is not a comfortable situation to be in. The good news is that the login code has been completely rewritten.

The user experience changes somewhat: the login page now sports a third field for entering a Two Factor Authentication (2FA) token (or recovery key if you lost your device – the code will deal gracefully with both cases). If you do not use 2FA, you can ignore the field. The login process is now immune to timing attacks.
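To make the two points in that paragraph concrete, here is an added illustration (example code written for this page, not Gazelle's own login code or schema) of a login check that takes a single second-factor field and accepts either a six-digit TOTP code or a recovery key from it, and that avoids the classic timing leaks: the password hash is always computed (against a dummy record when the username is unknown), every comparison uses `hmac.compare_digest`, and candidate codes and recovery keys are all compared rather than returning on the first match. The user records, salts, passwords and recovery key are constructed sample data; the TOTP secret is the RFC 6238 test key, so the expected codes are the published test vectors.

```python
import hashlib
import hmac
import re
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed user record (example only, not Gazelle's schema): a salted
# password hash, an optional TOTP secret and the hashes of unused recovery keys.
@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None
    recovery_key_hashes: List[bytes] = field(default_factory=list)


PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30          # seconds per RFC 6238 time step
TOTP_DIGITS = 6
TOTP_WINDOW = 1         # accept one step of clock drift either way


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hash_recovery_key(key: str) -> bytes:
    # Recovery keys are stored hashed, like passwords, never in the clear.
    return hashlib.sha256(key.strip().encode()).digest()


def hotp(secret: bytes, counter: int) -> str:
    # RFC 4226 dynamic truncation; TOTP is HOTP over the time-step counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


# Record checked when the username is unknown, so the password hash is still
# computed and the response time does not reveal whether the account exists.
_DUMMY_SALT = b"\x00" * 16
_DUMMY = UserRecord(salt=_DUMMY_SALT, password_hash=hash_password("dummy", _DUMMY_SALT))


def check_second_factor(record: UserRecord, token: str, now: int) -> bool:
    """Accept either a TOTP code or a recovery key from the same field."""
    if record.totp_secret is None:
        return True                      # 2FA not enabled: the field is ignored
    token = token.strip()
    if re.fullmatch(r"\d{6}", token):
        ok = False
        step = now // TOTP_STEP
        for counter in range(step - TOTP_WINDOW, step + TOTP_WINDOW + 1):
            # Accumulate instead of returning early: every candidate is compared.
            ok |= hmac.compare_digest(hotp(record.totp_secret, counter), token)
        return ok
    # Anything else is treated as a recovery key. Walk the whole list, then
    # burn the matching key so it cannot be replayed.
    digest = hash_recovery_key(token)
    matched = -1
    for i, stored in enumerate(record.recovery_key_hashes):
        if hmac.compare_digest(stored, digest):
            matched = i
    if matched >= 0:
        del record.recovery_key_hashes[matched]
        return True
    return False


def verify_login(users: Dict[str, UserRecord], username: str, password: str,
                 second_factor: str, now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    record = users.get(username, _DUMMY)
    # Both checks always run; the verdict is only combined at the end.
    password_ok = hmac.compare_digest(hash_password(password, record.salt),
                                      record.password_hash)
    factor_ok = check_second_factor(record, second_factor, now)
    return password_ok and factor_ok and record is not _DUMMY


def demo_users() -> Dict[str, UserRecord]:
    # Constructed sample accounts; the TOTP secret is the RFC 6238 test key.
    salt = b"\x01" * 16
    return {
        "alice": UserRecord(salt, hash_password("correct horse", salt),
                            totp_secret=b"12345678901234567890",
                            recovery_key_hashes=[hash_recovery_key("k1-recovery")]),
        "bob": UserRecord(salt, hash_password("battery staple", salt)),
    }


if __name__ == "__main__":
    users = demo_users()
    print(verify_login(users, "alice", "correct horse", "287082", now=59))
    print(verify_login(users, "alice", "correct horse", "k1-recovery", now=59))
    print(verify_login(users, "alice", "correct horse", "k1-recovery", now=59))
```

The shape of the field decides which path runs: six digits are tried as a TOTP code against the current step and one step either side, anything else is tried as a recovery key, and a used recovery key is deleted so it cannot be presented twice. Bob has no 2FA, so whatever he types in the third field is ignored, which matches the behaviour the paragraph describes.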

Configuring 2FA has also been simplified. If you have not enabled 2FA, you should consider it. A few times a year we have people who lose access to their account (password and email changed), or their account is used by a third party to invite people to the site. Using 2FA goes a long way in preventing this from happening.

From a technical standpoint, the main login code has shrunk from several hundred lines to just 58 lines, with the heavy lifting being handled by some easily testable objects. Overall, nearly 400 lines of code and 5 source files were removed, and as the saying goes, there are no vulnerabilities in code that isn't there.