Better Security | Secure your paymenter v1.4.0

• Extension no longer requires any short of license key
• VPN doesnt affect guest users now
• instead of a 403 error it shows the ban reason

Technical Changelog

• Fixed a registration crash caused by the client IP resolver not being available inside the registration hook.
• Fixed suspension releases so they now also release related IP bans created with the suspension.
• Fixed VPN reputation handling so stale cache is reused briefly during vpnapi outages instead of retrying on every request.
• Fixed fail2ban whitelist checks to use the resolved client IP behind trusted proxies.
• Reverted core Paymenter proxy edits and moved proxy-aware client IP handling back into the extension.
• Made the extension’s Cloudflare handling compatible with Paymenter’s built-in trusted_proxies setting.
• Added dedicated AccountProtection debug logging to storage/logs/account-protection.log.
• Reduced duplicate extension.booted log spam by deduplicating repeated boot entries.
• Made VPN/proxy checks run on login/register submit rather than on guest page load.
• Changed network-detection bans to expire and be re-checked instead of sticking forever on old detections.
• Improved login / registration / suspension error messages to show clearer reasons and timings.
• Added fail2ban escalation controls and automatic pruning of old login-attempt / login-ban records.

User Changelog

• Fixed an issue where some signups could fail unexpectedly.
• Fixed an issue where users could stay blocked by IP even after an account suspension was removed.
• Improved VPN/proxy detection so false positives are less likely to stick forever.
• Improved compatibility behind Cloudflare and trusted proxies.
• Login and registration now check network restrictions when the form is submitted, instead of blocking users just for opening the page.
• Error messages for blocked logins, suspended accounts, and restricted networks are now clearer.
• Improved login security with smarter repeat-attempt protection and cleanup of old security records.
• Added readable debug logs to help diagnose access and detection issues faster.

• Added Account whitelist commands
• Added default imports
• Fixed some bugs

• Added login Fail2Ban protections with configurable limits, Filament resources for attempts/bans, and CLI telemetry.
• Introduced the Email Blocklist subsystem with remote disposable domain sync, manual overrides, and scheduler integration.
• Expanded IP whitelist entries with a Fail2Ban bypass flag and enriched admin tables with source & sync metadata.
• Delivered artisan command account-protection:email-blocklist:sync with progress reporting and grace-period pruning.
• Updated admin UI actions for whitelists, bans, and blocklists to expose import/export/sync workflows.
• Enforced configurable password strength requirements during registration (length / case / number / symbol) with dedicated settings.

Added

• Import/export service for whitelist data with shared logic across the extension.
• Artisan commands account-protection:ip-whitelist:export and account-protection:ip-whitelist:import, supporting JSON/CSV formats and replace/force flags.

Improved

• IP Whitelist admin page now features Import/Export header actions with file-format detection, replace option, and inline success/error feedback.
• Documentation in docs/extensions/account-protection/cli.md and usage.md describing bulk whitelist tooling and expected payload formats.

Fixed
- Resolved an issue where enabling the Account Protection extension preloaded the Artisan kernel too early, preventing app:* commands from registering. Command registration now defers to an Artisan::starting hook, restoring all core application commands while keeping the extension’s namespace available.