Repoze.who

------------------

- Ported to Py3k using the "compatible subset" mode.
- Dropped support for Python < 2.6.x.
- Dropped dependency on Paste (forking some code from it).
- Added dependency on WebOb instead.
Thanks to Atsushi Odagiri (aodag) for the initial effort.

----------------

- ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated
cookies. http://bugs.repoze.org/issue66

- Further harden middleware, calling ``close()`` on the iterable even if
raising an exception for a missing challenger.
http://bugs.repoze.org/issue174

------------------

- Enabled standard use of logging module's configuration mechanism.
See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library
Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178


- ``repoze.who.plugins.htpasswd``: defend against timing-based attacks.

------------------

- Ensure that the middleware calls ``close()`` (if it exists) on the
iterable returned from thw wrapped application, as required by PEP 333.
http://bugs.repoze.org/issue174

- Make ``make_api_factory_with_config`` tolerant of invalid filenames /
content for the config file: in such cases, the API factory will have
*no* configured plugins or policies: it will only be useful for retrieving
the API from an environment populated by middleware.

- Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()``
methods could return a None if the identifier plugin returned a None.

- Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See
http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html

- Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when
configured with ``secure=True``: these attributes prevent the browser from
sending cookies over insecure channels, which could be vulnerable to some
XSS attacks.

- Avoid propagating unicode 'max_age' value into cookie headers. See
https://bugs.launchpad.net/bugs/674123 .

- Added a single-file example BFG application demonstrating the use of
the new 'login' and 'logout' methods of the API object.

- Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object,
as a convenience for application-driven login / logout code, which would
otherwise need to use private methods of the API, and reach down into
its plugins.

------------------

- Deprecated the following plugins, moving their modules, tests, and docs
to a new project, ``repoze.who.deprecatedplugins``:

- ``repoze.who.plugins.cookie.InsecureCookiePlugin``

- ``repoze.who.plugins.form.FormPlugin``

- ``repoze.who.plugins.form.RedirectingFormPlugin``

- Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a
``charset`` argument, and use to to encode / decode login and password.
See http://bugs.repoze.org/issue155

- Updated ``repoze.who.restrict`` to return headers as a list, to keep
``wsgiref`` from complaining.

- Helped default request classifier cope with xml submissions with an
explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo
M. Catucci)

- Corrected the handling of type and subtype when matching an XML post
to ``xmlpost`` in the default classifier, which, according to RFC
2045, must be matched case-insensitively:
http://bugs.repoze.org/issue145 (Lorenzo M. Catucci)

- Added ``repoze.who.config:make_api_factory_with_config``, a convenience
method for applications which want to set up their own API Factory from
a configuration file.

- Fixed example call to ``repoze.who.config:make_middleware_with_config``
(added missing ``global_config`` argument). See
http://bugs.repoze.org/issue114

------------------

Bugs Fixed
~~~~~~~~~~

- Fixed failure to pass substution values in log message string formatting
for ``repoze.who.api:API.challenge``. Fix included adding tests for all
logging done by the API object. See http://bugs.repoze.org/issue122

Backward Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~

- Adjusted logging level for some lower-level details from ``info``
to ``debug``.