Django-allauth

Latest version: v0.63.1

Page 2 of 5

0.60.1
*******************

Fixes
-----

- User sessions: after changing your password in case of ``ACCOUNT_LOGOUT_ON_PASSWORD_CHANGE = False``, the list of
sessions would be empty instead of showing your current session.

- SAML: accessing the SLS/ACS views using a GET request would result in a crash (500).

- SAML: the login view did not obey the ``SOCIALACCOUNT_LOGIN_ON_GET = False`` setting.


Backwards incompatible changes
------------------------------

- Formally, email addresses are case sensitive because the local part (the part
before the ``@``) can be a case sensitive user name. To deal with this,
workarounds have been in place for a long time that store email addresses in
their original case, while performing lookups in a case insensitive
style. This approach led to subtle bugs in upstream code, and also comes at a
performance cost (``__iexact`` lookups). The latter requires case insensitive
index support, which not all databases offer. Re-evaluating the approach in
current times has led to the conclusion that the benefits do not outweigh the
costs. Therefore, email addresses are now always stored as lower case, and
migrations are in place to address existing records.
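The following is an added, hypothetical audit helper (not django-allauth's own migration) that models the old scheme (original case stored, ``__iexact`` lookups) against the new lower-cased storage, and flags existing rows that would collide once every address is lower-cased; the rows are constructed sample data.

```python
"""Pre-upgrade audit for the 0.60.1 email lower-casing change.

Hypothetical helper, not part of django-allauth. It models the old
storage scheme (original case kept, lookups via __iexact) and checks
what happens to existing rows when every address is lower-cased.
"""
from collections import defaultdict

# Constructed sample of stored EmailAddress rows as (user id, address).
SAMPLE_ROWS = [
    (1, "Alice@Example.com"),
    (2, "bob@example.com"),
    (3, "ALICE@example.com"),  # same mailbox as row 1 under iexact rules
    (4, "carol@Example.ORG"),
]


def normalize(address: str) -> str:
    """Lower-case the whole address, which is how 0.60.1 now stores it."""
    return address.strip().lower()


def exact_lookup(rows, address):
    """A plain exact-match query, the kind of upstream lookup that silently
    missed mixed-case rows under the old scheme."""
    return [uid for uid, stored in rows if stored == address]


def iexact_lookup(rows, address):
    """The old case-insensitive lookup (equivalent of Django's __iexact)."""
    return [uid for uid, stored in rows if stored.lower() == address.lower()]


def case_collisions(rows):
    """Map each lower-cased address to the user ids that would share it once
    the migration lower-cases every row; only groups of two or more count."""
    groups = defaultdict(list)
    for uid, stored in rows:
        groups[normalize(stored)].append(uid)
    return {addr: uids for addr, uids in groups.items() if len(uids) > 1}


def migrate(rows):
    """Return the rows as they look after lower-casing (no de-duplication)."""
    return [(uid, normalize(stored)) for uid, stored in rows]
```

Run ``case_collisions`` over your real ``EmailAddress`` table before upgrading: any group it returns is a set of rows the lower-casing migration will make identical.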

0.60.0
*******************

Noteworthy changes
-------------------

- Google One Tap Sign-In is now supported.

- You can now more easily change the URL to redirect to after a successful password
change/set via the newly introduced ``get_password_change_redirect_url()``
adapter method.

- You can now configure the primary key of all models by configuring
``ALLAUTH_DEFAULT_AUTO_FIELD``, for example to:
``"hashid_field.HashidAutoField"``.


Backwards incompatible changes
------------------------------

- You can now specify the URL path prefix that is used for all OpenID Connect
providers using ``SOCIALACCOUNT_OPENID_CONNECT_URL_PREFIX``. By default, it is
set to ``"oidc"``, meaning, an OpenID Connect provider with provider ID
``foo`` uses ``/accounts/oidc/foo/login/`` as its login URL. Set it to empty
(``""``) to keep the previous URL structure (``/accounts/foo/login/``).

- The SAML default attribute mapping for ``uid`` has been changed to only
include ``urn:oasis:names:tc:SAML:attribute:subject-id``. If the SAML response
does not contain that, it will fallback to use ``NameID``.

0.59.0
*******************

Noteworthy changes
-------------------

- The MFA authenticator model now features "created at" and "last used at"
timestamps.

- The MFA authenticator model is now registered with the Django admin.

- Added MFA signals emitted when authenticators are added, removed or (in case
of recovery codes) reset.

- There is now an MFA adapter method ``can_delete_authenticator(authenticator)``
available that can be used to prevent users from deactivating e.g. their TOTP
authenticator.

- Added a new app, user sessions, allowing users to view a list of all their
active sessions, as well as offering a means to end these sessions.

- A configurable timeout (``SOCIALACCOUNT_REQUESTS_TIMEOUT``) is now applied to
all upstream requests.

- Added a setting ``ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS`` to disable sending of
emails to unknown accounts.

- You can now override the MFA forms via the ``MFA_FORMS`` setting.


Backwards incompatible changes
------------------------------

- The account adapter method ``should_send_confirmation_mail()`` signature
changed. It now takes an extra ``signup`` (boolean) parameter.

- Removed OAuth 1.0 based Bitbucket provider and LinkedIn provider.

0.58.2
*******************

Fixes
-----

- Added rate limiting to the MFA login form.

0.58.1
*******************

Fixes
-----

- Fixed missing ``{% load allauth %}`` in the login cancelled and verified email
required template.

0.58.0
*******************

Noteworthy changes
-------------------

- The ``SocialAccount.extra_data`` field was a custom JSON field that used
``TextField`` as the underlying implementation. It was once needed because
Django had no ``JSONField`` support. Now, this field is changed to use the
official ``JSONField()``. Migrations are in place.

- Officially support Django 5.0.

- In previous versions, users could never remove their primary email address.
This constraint is now relaxed. In case the email address is not required,
for example, because the user logs in by username, removal of the email
address is allowed.

- Added a new setting ``ACCOUNT_REAUTHENTICATION_REQUIRED`` that, when enabled,
requires the user to reauthenticate before changes (such as changing the
primary email address, adding a new email address, etc.) can be performed.


Backwards incompatible changes
------------------------------

- Refactored the built-in templates, with the goal of being able to adjust the
look and feel of the whole project by only overriding a few core templates.
This approach allows you to achieve visual results fast, but is of course more
limited compared to styling all templates yourself. If your project provided
its own templates then this change will not affect anything, but if you rely
on (some of) the built-in templates your project may be affected.

- The Azure provider has been removed in favor of keeping the Microsoft
provider. Both providers were targeting the same goal.


Security notice
---------------

- Facebook: Using the JS SDK flow, it was possible to post valid access tokens
originating from other apps. Facebook user IDs are scoped per app. By default
that user ID (not the email address) is used as key while
authenticating. Therefore, such access tokens cannot be abused by
default. However, in case ``SOCIALACCOUNT_EMAIL_AUTHENTICATION`` was
explicitly enabled for the Facebook provider, these tokens could be used to
log in.
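An added, hypothetical illustration (not django-allauth's code) of the two points in the notice: why uid-keyed matching is safe against tokens from other apps while email-keyed matching is not, and the defensive check of verifying the token's issuing app before any account matching. It assumes the provider has already fetched Facebook's Graph API ``debug_token`` introspection result, whose ``data.app_id`` names the app the token was issued to; app ids, uids and accounts below are constructed placeholders.

```python
"""Defensive handling of posted Facebook access tokens.

Hypothetical example, not django-allauth's own implementation. The
introspection dicts mimic the shape of Facebook's debug_token response.
"""

OUR_APP_ID = "111111111111111"  # placeholder, not a real Facebook app id

# Constructed introspection responses (shape of a debug_token reply).
TOKEN_FROM_OUR_APP = {
    "data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "10001"},
}
TOKEN_FROM_OTHER_APP = {
    "data": {"app_id": "222222222222222", "is_valid": True, "user_id": "99999"},
}

# Constructed local social accounts keyed by the per-app Facebook uid.
LOCAL_ACCOUNTS = {"10001": {"user": "alice", "email": "alice@example.com"}}


def token_issued_to_us(introspection, expected_app_id=OUR_APP_ID):
    """Accept only valid tokens whose app_id is our own app."""
    data = introspection.get("data", {})
    return bool(data.get("is_valid")) and data.get("app_id") == expected_app_id


def match_account(uid, email, email_authentication):
    """Default matching keys on the per-app uid, so a uid from another app
    matches nothing. With SOCIALACCOUNT_EMAIL_AUTHENTICATION enabled the
    email is consulted as a fallback, which is the path the notice describes."""
    if uid in LOCAL_ACCOUNTS:
        return LOCAL_ACCOUNTS[uid]["user"]
    if email_authentication:
        for acct in LOCAL_ACCOUNTS.values():
            if acct["email"] == email:
                return acct["user"]
    return None


def login_with_token(introspection, email, email_authentication):
    """Hardened flow: verify the token's issuing app before matching."""
    if not token_issued_to_us(introspection):
        return None
    uid = introspection["data"]["user_id"]
    return match_account(uid, email, email_authentication)
```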


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.