Django-authlib

Latest version: v0.16.4


0.10
====================

- Modified ``authlib.admin_oauth`` to persist the users' email address
  and pass it to Google as a ``login_hint`` so that website managers do
  not have to select the account over and over.
- Allowed specifying arbitrary query parameters for Google's
  authorization URL.
- Fixed an ``authlib.admin_oauth`` crash when fetching user data fails.
- Replaced ``ugettext*`` with ``gettext*``.
- Replaced ``url()`` with ``re_path()``.
- Fixed a crash when creating ``little_auth`` users with invalid email
  addresses.
- Stopped carrying over login hints from one user to the other in the
  Google OAuth client...
- **BACKWARDS INCOMPATIBLE** Dropped the request argument from
  ``authlib.email.get_confirmation_code``; it wasn't used, ever.

0.9
===================

- Dropped support for Python 2.
- Fixed a few problems around inactive users where authlib would either
  handle them incorrectly or reveal that inactive users exist.
- Added many unit tests, raised the code coverage to 100% (except for the
  uncovered Facebook and Twitter OAuth clients). Switched to mocking
  requests and responses instead of simply replacing the
  ``GoogleOAuth2Client`` for testing.
- Moved the ``BaseUser`` and ``BaseUserManager`` to
  ``authlib.base_user`` for consistency with
  ``django.contrib.auth.base_user``.
- Dropped the useless ``OAuthClient`` base class.
- Removed compatibility code for Django<1.11 when verifying whether a
  redirection URL is safe.
- Changed the ``retrieve_next`` implementations to only consider HTTPS
  URLs as safe when processing HTTPS requests.
- Changed the admin OAuth functionality to also use the cookies code
  from ``authlib.views`` for redirecting users after authentication.
- Fixed a possible crash in the Twitter OAuth flow when the token from
  the authentication redirect cannot be determined anymore.
- Fixed a crash in the OAuth2 view if fetching user data fails.

0.8
===================

- **BACKWARDS INCOMPATIBLE** Replaced the email registration
  functionality of referencing users with arbitrary payloads. This
  allows not only verifying the email address but also additional data
  which may or may not be related to the user in question. On the other
  hand the comparison of ``last_login`` timestamps is gone, which means
  that links may be reused as long as less than ``max_age`` seconds have
  passed. This makes it even more important to keep ``max_age`` small.
  The change mostly affects the functions in ``authlib.email``.
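
The reuse window described in the 0.8 entry, as an added example that is not django-authlib's own code: a stateless signed code carrying an email address and an arbitrary payload, checked only against its signature and age. The names ``SECRET``, ``make_code`` and ``check_code`` are hypothetical, and a plain standard-library HMAC stands in for whatever signing ``authlib.email`` uses.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # constructed value; stands in for the site's secret key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_code(email, payload, now=None):
    """Return a signed, timestamped code carrying the email and an arbitrary payload."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"email": email, "payload": payload, "ts": issued},
                      sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def check_code(code, max_age, now=None):
    """Return (email, payload) for a validly signed code younger than max_age, else None."""
    try:
        body_b64, sig_b64 = code.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed code
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # body does not match the signature
    data = json.loads(body)
    age = (time.time() if now is None else now) - data["ts"]
    # No server-side state (such as a last_login comparison) is consulted, so
    # the same code is accepted on every check until max_age has elapsed.
    if age < 0 or age >= max_age:
        return None
    return data["email"], data["payload"]
```

Because nothing records that a code has been used, ``max_age`` is the only bound on how long a leaked link stays valid.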

0.7
===================

- Fixed a race condition when creating new users by using
  ``get_or_create`` instead of some homegrown ``exists`` and
  ``create`` trickery.
- Changed all locations to pass ``new_user`` as keyword argument to
  ``post_login_response``.
- Changed the ``admin/login.html`` template in ``authlib.admin_oauth``
  to make the SSO button a bit more prominent. Also, replaced "SSO" with
  "Google" because that is all that is supported right now.
- Added the possibility to use callables in ``ADMIN_OAUTH_PATTERNS``
  instead of hard-coded staff email addresses.
- Extracted the confirmation code generation from
  ``get_confirmation_url`` as ``get_confirmation_code``.
- Fixed usage of deprecated Google OAuth2 scopes.
- Added compatibility with Python 2.
- Extracted the post login redirect cookie setting into a new
  ``set_next_cookie`` decorator.
- Dropped compatibility shims for Django<1.11.
- Changed the ``EmailBackend`` to use ``_default_manager`` instead of
  assuming that the default manager is called ``objects``.
- Fixed an edge case bug where ``render_to_mail`` would crash when
  encountering an empty text for the subject and body.
- Enforced keyword-only usage of the views and functions in
  ``authlib.views`` where it is appropriate.
- Removed the default messages emitted when creating a new user and when
  logging out.
- Added a ``post_logout_response`` callable and argument to
  ``authlib.views.logout`` to customize messages and redirects after
  logging a user out.
- Added an ``email_login`` callable and argument to the ``oauth2`` and
  ``email_registration`` view to customize the creation, authentication
  and login of users.
- Changed the ``EmailRegistrationForm`` to save the request as
  ``self.request``, not ``self._request``. Made use of this for moving
  the email sending to the form class as well, further shortening the
  view.

0.6
===================

- Fixed usage of a few deprecated APIs.
- Modified ``little_auth.User`` to fall back to an obfuscated email
  address if the full name is empty.
- Made it possible to override the default max age of three hours for
  magic links sent by email.
- Fixed a problem where the ``little_auth`` migrations were depending on
  the latest ``django.contrib.auth`` migration instead of the first
  migration without good reason.

0.5
===================

- Moved from ``ADMIN_OAUTH_DOMAINS`` to ``ADMIN_OAUTH_PATTERNS`` to
  allow regular expression searching.
- Finally started adding tests.
- Added django-authlib_ documentation to Read the Docs.
