django-allauth 0.48.0 released

Posted by Raymond Penners on 2022-02-03

Note worthy changes

New translations: Catalan, Bulgarian.
Introduced a new setting ACCOUNT_PREVENT_ENUMERATION that controls whether or not information is revealed about whether or not a user account exists. Warning: this is a work in progress, password reset is covered, yet, signing up is not.
The ACCOUNT_EMAIL_CONFIRMATION_COOLDOWN is now also respected when using HMAC based email confirmations. In earlier versions, users could trigger email verification mails without any limits.
Added builtin rate limiting (see ACCOUNT_RATE_LIMITS).
Added internal_reset_url_key attribute in allauth.account.views.PasswordResetFromKeyView which allows specifying a token parameter displayed as a component of password reset URLs.
It is now possible to use allauth without having sites installed. Whether or not sites is used affects the data models. For example, the social app model uses a many-to-many pointing to the sites model if the sites app is installed. Therefore, enabling or disabling sites is not something you can do on the fly.
The facebook provider no longer raises ImproperlyConfigured within {% providers_media_js %} when it is not configured.

The newly introduced ACCOUNT_PREVENT_ENUMERATION defaults to True impacting the current behavior of the password reset flow.
The newly introduced rate limiting is by default turned on. You will need to provide a 429.html template.
The default of SOCIALACCOUNT_STORE_TOKENS has been changed to False. Rationale is that storing sensitive information should be opt in, not opt out. If you were relying on this functionality without having it explicitly turned on, please add it to your settings.py.