django-allauth 0.58.0 released

Posted by Raymond Penners on 2023-10-26

Note worthy changes

The SocialAccount.extra_data field was a custom JSON field that used TextField as the underlying implementation. It was once needed because Django had no JSONField support. Now, this field is changed to use the official JSONField(). Migrations are in place.
Officially support Django 5.0.
In previous versions, users could never remove their primary email address. This is constraint is now relaxed. In case the email address is not required, for example, because the user logs in by username, removal of the email address is allowed.
Added a new setting ACCOUNT_REAUTHENTICATION_REQUIRED that, when enabled, requires the user to reauthenticate before changes (such as changing the primary email address, adding a new email address, etc.) can be performed.

Refactored the built-in templates, with the goal of being able to adjust the look and feel of the whole project by only overriding a few core templates. This approach allows you to achieve visual results fast, but is of course more limited compared to styling all templates yourself. If your project provided its own templates then this change will not affect anything, but if you rely on (some of) the built-in templates your project may be affected.
The Azure provider has been removed in favor of keeping the Microsoft provider. Both providers were targeting the same goal.

Facebook: Using the JS SDK flow, it was possible to post valid access tokens originating from other apps. Facebook user IDs are scoped per app. By default that user ID (not the email address) is used as key while authenticating. Therefore, such access tokens can not be abused by default. However, in case SOCIALACCOUNT_EMAIL_AUTHENTICATION was explicitly enabled for the Facebook provider, these tokens could be used to login.