docs/release-notes/2022.rst
0.52.0 (2022-12-29)
*******************

Officially support Django 4.1.

New providers: OpenID Connect, Twitter (OAuth2), Wahoo, DingTalk.

Introduced a new provider setting OAUTH_PKCE_ENABLED that enables the
PKCE-enhanced Authorization Code Flow (RFC 7636) for OAuth 2.0 providers.
With PKCE the client sends a hash of a per-request secret (the code
challenge) along with the authorization request and the secret itself (the
code verifier) when redeeming the authorization code, so an authorization
code intercepted on the redirect cannot be exchanged for tokens on its own.
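The S256 transform that OAUTH_PKCE_ENABLED switches on, carried through one complete code exchange. This is an added illustration, not django-allauth's own code; the toy authorization server and the run_exchange() driver are assumptions made for the example, while the verifier and challenge rules follow RFC 7636.

```python
"""PKCE for the OAuth 2.0 authorization code flow (RFC 7636).

Added illustration, not django-allauth's own code. ToyAuthorizationServer and
run_exchange() are stand-ins assumed for this example.
"""
import base64
import hashlib
import secrets
import string

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from the
# unreserved URI character set.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as the RFC requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy verifier; 32..96 random bytes encode to 43..128 chars."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128 or not set(verifier) <= _UNRESERVED:
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check (RFC 7636 section 4.6); malformed verifiers fail closed."""
    try:
        computed = code_challenge(presented_verifier)
    except ValueError:
        return False
    return secrets.compare_digest(computed, stored_challenge)


class ToyAuthorizationServer:
    """In-memory stand-in for the provider: remembers the challenge per issued code."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._codes[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        # A code is consumed on first use whatever the outcome, so whoever
        # stole it cannot keep guessing verifiers against it.
        challenge = self._codes.pop(code, None)
        return challenge is not None and verify_code_challenge(challenge, verifier)


def run_exchange(attacker_has_verifier: bool) -> bool:
    """One full flow; True if the party redeeming the code obtains a token."""
    server = ToyAuthorizationServer()
    verifier = generate_code_verifier()                # stays in the client's session
    code = server.authorize(code_challenge(verifier))  # only the hash leaves the client
    # The code itself travels through the browser redirect, where it can leak
    # (logs, referrers, another app registered for the same redirect URI).
    presented = verifier if attacker_has_verifier else generate_code_verifier()
    return server.token(code, presented)


if __name__ == "__main__":
    print("legitimate client:", run_exchange(True))
    print("intercepted code only:", run_exchange(False))
```

The only state the client has to keep between the two legs is the verifier, which allauth stores in the session; a provider that accepts "plain" as the challenge method gets no benefit, because the verifier is then sent in the clear on the first leg.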
When ACCOUNT_PREVENT_ENUMERATION is turned on, enumeration is now also
prevented during signup, provided you are using mandatory email
verification. Signing up with an address that is already registered looks
exactly like a fresh signup to the visitor; the holder of the existing
account is instead notified by a mail rendered from the new template
templates/account/email/account_already_exists_message.txt.

Updated the URLs of Google's endpoints to the latest version and removed a
redundant userinfo call.

Fixed the Pinterest provider for the new API version.

0.51.0 (2022-06-07)
*******************

The password reset form is protected by rate limits: one per client IP
address and one per email address. In previous versions the per-email limit
could be bypassed by varying the letter case of the address, since the limit
was keyed on the address exactly as submitted. Note that in that case the
per-IP limit still applied.

0.50.0 (2022-03-25)
*******************

Fixed compatibility issue with setuptools 61.

New providers: Drip.

The Facebook API version now defaults to v13.0.

0.49.0 (2022-02-22)
*******************

New providers: LemonLDAP::NG.

Fixed SignupForm setting the username and email attributes on the User class
instead of on a dummy user instance. Attributes set on the class rather than
on an instance persist for the lifetime of the process, across requests.

Email addresses POSTed to the email management view (in order to resend the
confirmation email) were not properly validated, yet they were still added
as secondary email addresses. Given the lack of validation, invalid email
addresses could have entered the database.

New translations: Romanian.

The Microsoft tenant setting must now be specified using the uppercase key
TENANT.

Renamed the internal_reset_url_key attribute of
allauth.account.views.PasswordResetFromKeyView to reset_url_key.

0.48.0 (2022-02-03)
*******************

New translations: Catalan, Bulgarian.

Introduced a new setting ACCOUNT_PREVENT_ENUMERATION that controls whether
or not the responses of allauth's views reveal whether a user account exists
for a given email address. Warning: this is a work in progress; password
reset is covered, but signing up is not yet.
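What "preventing enumeration" means in practice, for both the password reset flow covered here and the signup flow covered from 0.52.0 on: the HTTP response must be identical whether or not the address is known, and the information moves into the mail instead. The following is an added, self-contained simulation, not allauth's own code; the in-memory user set, the outbox and the response strings are assumptions, and the template names other than account_already_exists_message are named after allauth's email templates for readability only.

```python
"""Enumeration-safe signup and password reset, simulated in memory.

Added example, not django-allauth's own code. AccountService, its user set,
outbox and response strings are assumptions made for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Mail:
    to: str
    template: str


@dataclass
class AccountService:
    prevent_enumeration: bool = True
    users: set = field(default_factory=set)     # known addresses, lower-cased
    outbox: list = field(default_factory=list)  # mails "sent" during the run

    def signup(self, email: str) -> str:
        """Return the HTTP-level outcome the visitor sees."""
        key = email.strip().lower()
        if key in self.users:
            if not self.prevent_enumeration:
                return "error: an account with this e-mail already exists"
            # Same outcome as a fresh signup. The existing account holder learns
            # what happened from the mail; the visitor learns nothing from the page.
            self.outbox.append(Mail(key, "account_already_exists_message"))
            return "ok: verification e-mail sent"
        self.users.add(key)
        self.outbox.append(Mail(key, "email_confirmation_message"))
        return "ok: verification e-mail sent"

    def request_password_reset(self, email: str) -> str:
        key = email.strip().lower()
        if key in self.users:
            self.outbox.append(Mail(key, "password_reset_key_message"))
        elif self.prevent_enumeration:
            # Unknown address: still send a mail (saying there is no account),
            # so both branches take the same time and return the same response.
            self.outbox.append(Mail(key, "unknown_account_message"))
        else:
            return "error: no account with this e-mail"
        return "ok: if an account exists, a reset e-mail has been sent"


def outcomes(prevent_enumeration: bool, email: str) -> tuple:
    """(reset response, signup response, templates mailed) for one address."""
    svc = AccountService(prevent_enumeration=prevent_enumeration,
                         users={"alice@example.com"})
    reset = svc.request_password_reset(email)
    signup = svc.signup(email)  # after the reset, so a fresh signup cannot affect it
    return reset, signup, tuple(m.template for m in svc.outbox)


def responses_are_indistinguishable(prevent_enumeration: bool) -> bool:
    """True when an attacker cannot tell a registered address from an unknown one."""
    known = outcomes(prevent_enumeration, "Alice@Example.com")[:2]
    unknown = outcomes(prevent_enumeration, "nobody@example.com")[:2]
    return known == unknown


if __name__ == "__main__":
    print("prevented:", responses_are_indistinguishable(True))
    print("not prevented:", responses_are_indistinguishable(False))
```

Mandatory email verification is what makes the signup half possible: with optional or no verification a successful signup logs the new user in straight away, which cannot be done for an address that already belongs to someone else without the response giving that away.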
The ACCOUNT_EMAIL_CONFIRMATION_COOLDOWN is now also respected when using
HMAC-based email confirmations. In earlier versions, users could trigger
email verification mails without any limit.

Added built-in rate limiting (see ACCOUNT_RATE_LIMITS).
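The rate limiting introduced here, the confirmation cooldown above it, and the case-variation bypass fixed in 0.51.0 come down to one question: what is the key of the bucket. The following is an added example, not django-allauth's own implementation; the limiter, the rule names and limits, the injected clock and the view stand-in are all assumptions made for the illustration. It shows the per-IP and per-address limits on a password reset view, the bypass when the address is keyed as submitted, and the confirmation cooldown expressed as the same check with a limit of one. HMAC-based confirmations carry their state in the signed key rather than in a database row, so the time of the last send has to be remembered elsewhere, as the in-memory store does here.

```python
"""Sliding-window rate limiting keyed by client IP and by normalised e-mail.

Added example, not django-allauth's own implementation. The limiter, rule
names, limits, injected clock and PasswordResetView stand-in are assumptions.
"""
import time
from collections import defaultdict, deque


def normalise_email(email: str) -> str:
    """Canonicalise before keying; otherwise Bob@X.com and bob@x.com get separate buckets."""
    return email.strip().lower()


class RateLimiter:
    """Counts hits per (rule, key) over the last `window` seconds."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)  # (rule, key) -> timestamps of recent hits

    def allow(self, rule: str, key: str, limit: int, window: float) -> bool:
        """Record a hit, or return False when `limit` hits already fall inside the window."""
        now = self._clock()
        hits = self._hits[(rule, key)]
        while hits and now - hits[0] >= window:
            hits.popleft()
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True


class PasswordResetView:
    """Stand-in for the reset view: per-IP limit first, then per-address limit."""

    def __init__(self, limiter: RateLimiter, normalise=normalise_email):
        self.limiter = limiter
        self.normalise = normalise

    def post(self, ip: str, email: str) -> int:
        if not self.limiter.allow("reset_password_ip", ip, limit=8, window=300):
            return 429
        if not self.limiter.allow("reset_password_email", self.normalise(email),
                                  limit=5, window=300):
            return 429
        return 200  # the reset mail would be sent here


def attempts_that_get_through(normalise) -> int:
    """Attacker alternates the letter case of one address, ten times from one IP."""
    now = [0.0]
    view = PasswordResetView(RateLimiter(clock=lambda: now[0]), normalise=normalise)
    accepted = 0
    for i in range(10):
        variant = "Victim@Example.com" if i % 2 else "victim@example.com"
        if view.post("203.0.113.7", variant) == 200:
            accepted += 1
        now[0] += 1.0  # one second between attempts
    return accepted


def confirmation_mail_allowed(limiter: RateLimiter, email: str,
                              cooldown: float = 180.0) -> bool:
    """The confirmation cooldown is the same check with limit=1 over the cooldown window."""
    return limiter.allow("confirm_email", normalise_email(email), limit=1, window=cooldown)


if __name__ == "__main__":
    print("keyed on normalised address:", attempts_that_get_through(normalise_email))
    print("keyed on address as submitted:", attempts_that_get_through(lambda e: e))
```

With the address normalised, five attempts go through before the per-email limit stops the rest; keyed on the raw input, the two spellings get a bucket each and only the per-IP limit (eight here) catches the attacker, which is the situation the 0.51.0 note describes.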
Added an internal_reset_url_key attribute to
allauth.account.views.PasswordResetFromKeyView which allows specifying the
token parameter displayed as a component of password reset URLs.

It is now possible to use allauth without having the sites framework
installed. Whether or not sites is used affects the data models: for
example, the social app model has a many-to-many field pointing to the
sites model only if the sites app is installed. Enabling or disabling sites
is therefore not something you can do on the fly.

The Facebook provider no longer raises ImproperlyConfigured within
{% providers_media_js %} when it is not configured.

The newly introduced ACCOUNT_PREVENT_ENUMERATION defaults to True, which
changes the current behavior of the password reset flow.

The newly introduced rate limiting is turned on by default. You will need to
provide a 429.html template.

The default of SOCIALACCOUNT_STORE_TOKENS has been changed to False. The
rationale is that storing sensitive information should be opt-in, not
opt-out. If you were relying on this functionality without having it
explicitly turned on, please add it to your settings.py.