Django-allauth

*******************

Note worthy changes
-------------------

- When only ``allauth.account`` was installed, you could run into an exception
stating "allauth.socialaccount not installed, yet its models are
imported.". This has been fixed.

- When ``SOCIALACCOUNT_EMAIL_AUTHENTICATION`` was turned on, and a user would
connect a third-party account for which email authentication would kick in,
the connect was implicitly skipped. Fixed.

- The recommendation from the documentation to protect the Django admin login
could cause an infinite redirect loop in case of
``AUTHENTICATED_LOGIN_REDIRECTS``. A decorator ``secure_admin_login()`` is now
offered out of the box to ensure that the Django admin is properly secured by
allauth (e.g. rate limits, 2FA).

- Subpackages from the ``tests`` package were packaged, fixed.

*******************

Note worthy changes
-------------------

- New providers: TikTok, Lichess.

- Starting since version 0.62.0, new email addresses are always stored as lower
case. In this version, we take the final step and also convert existing data
to lower case, alter the database indices and perform lookups
accordingly. Migrations are in place. For rationale, see the note about email
case sensitivity in the documentation.

- An official API for single-page and mobile application support is now
available, via the new ``allauth.headless`` app.

- Added support for a honeypot field on the signup form. Real users do not see
the field and therefore leave it empty. When bots do fill out the field
account creation is silently skipped.

*******************

- The ``tests`` package was accidentally packaged, fixed.

*******************

Note worthy changes
-------------------

- Added a dummy provider, useful for testing purposes: ``allauth.socialaccount.providers.dummy``.

- Added a new provider, Atlassian

- Next URL handling been streamlined to be consistently applied. Previously, the
password reset, change and email confirmation views only supported the
``success_url`` class-level property.

- Added support for logging in by email using a special code, also known as
"Magic Code Login"

- Email addresses are now always stored as lower case. For rationale, see the
note about email case sensitivity in the documentation.

- You can now alter the ``state`` parameter that is typically passed to the
provider by overriding the new ``generate_state_param()`` adapter method.

- The URLs were not "hackable". For example, while ``/accounts/login/`` is valid
``/accounts/`` was not. Similarly, ``/accounts/social/connections/`` was
valid, but ``/accounts/social/`` resulted in a 404. This has been
addressed. Now, ``/accounts/`` redirects to the login or email management
page, depending on whether or not the user is authenticated. All
``/accounts/social/*`` URLs are now below ``/accounts/3rdparty/*``, where
``/accounts/social/connections`` is moved to the top-level
``/accounts/3rdparty/``. The old endpoints still work as redirects are in
place.

- Added a new setting, ``SOCIALACCOUNT_ONLY``, which when set to ``True``,
disables all functionality with respect to local accounts.

- The OAuth2 handshake was not working properly in case of
``SESSION_COOKIE_SAMESITE = "Strict"``, fixed.

- Facebook: the default Graph API version is now v19.0.


Backwards incompatible changes
------------------------------

- The django-allauth required dependencies are now more fine grained. If you do
not use any of the social account functionality, a `pip install
django-allauth` will, e.g., no longer pull in dependencies for handling
JWT. If you are using social account functionality, install using `pip install
django-allauth[socialaccount]`. That will install the dependencies covering
most common providers. If you are using the Steam provider, install using `pip
install django-allauth[socialaccount,steam]`.

*******************

Fixes
-----

- Fixed a ``RuntimeWarning`` that could occur when running inside an async
environment (``'SyncToAsync' was never awaited``).


Security notice
---------------

- As part of the Google OAuth handshake, an ID token is obtained by direct
machine to machine communication between the server running django-allauth and
Google. Because of this direct communication, we are allowed to skip checking
the token signature according to the `OpenID Connect Core 1.0 specification
<https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation>`_.
However, as django-allauth is used and built upon by third parties, this is an
implementation detail with security implications that is easily overlooked. To
mitigate potential issues, verifying the signature is now only skipped if it
was django-allauth that actually fetched the access token.

*******************

Note worthy changes
-------------------

- Added support for account related security notifications. When
``ACCOUNT_EMAIL_NOTIFICATIONS = True``, email notifications such as "Your
password was changed", including information on user agent / IP address from where the change
originated, will be emailed.

- Google: Starting from 0.52.0, the ``id_token`` is being used for extracting
user information. To accommodate for scenario's where django-allauth is used
in contexts where the ``id_token`` is not posted, the provider now looks up
the required information from the ``/userinfo`` endpoint based on the access
token if the ``id_token`` is absent.


Security notice
---------------

- MFA: It was possible to reuse a valid TOTP code within its time window. This
has now been addressed. As a result, a user can now only login once per 30
seconds (``MFA_TOTP_PERIOD``).


Backwards incompatible changes
------------------------------

- The rate limit mechanism has received an update. Previously, when specifying
e.g. ``"5/m"`` it was handled implicitly whether or not that limit was per IP,
per user, or per action specific key. This has now been made explicit:
``"5/m/user"`` vs ``"5/m/ip"`` vs ``"5/m/key"``. Combinations are also supported
now: ``"20/m/ip,5/m/key"`` . Additionally, the rate limit mechanism is now used
throughout, including email confirmation cooldown as well as limitting failed login
attempts. Therefore, the ``ACCOUNT_LOGIN_ATTEMPTS_LIMIT`` and
``ACCOUNT_EMAIL_CONFIRMATION_COOLDOWN`` settings are deprecated.
See :doc:`Rate Limits <../account/rate_limits>` for details.