News In 2024
django-allauth 65.3.1 released
Posted by Raymond Penners on 2024-12-25
Fixes Headless: When using email verification by code, you could incorrectly encounter a 409 when attempting to add a new email address while logged in. Headless: In contrast to the headed version, it was possible to remove the last 3rd party account from a user that has no usable password.
Read moredjango-allauth 65.3.0 released
Posted by Raymond Penners on 2024-11-30
Note worthy changes Added support for TOTP code tolerance (see MFA_TOTP_TOLERANCE). Security notice Authentication by email/password was vulnerable to account enumeration by means of a timing attack. Thanks to Julie Rymer for the report and the patch.
django-allauth 65.2.0 released
Posted by Raymond Penners on 2024-11-08
Note worthy changes OIDC: You can now configure whether or not PKCE is enabled per app by including "oauth_pkce_enabled": True in the app settings. The OpenStreetMap provider is deprecated. You can set it up as an OpenID Connect provider instead.
Read moredjango-allauth 65.1.0 released
Posted by Raymond Penners on 2024-10-23
Note worthy changes OAuth2/OIDC: When setting up multiple apps for the same provider, you can now configure a different scope per app by including "scope": [...] in the app settings. Facebook login: Facebook Limited Login is now supported via the Headless API.
Read moredjango-allauth 65.0.2 released
Posted by Raymond Penners on 2024-09-27
Fixes A regression occurred in the newly introduced support using LoginRequiredMiddleware, fixed. For email verification by link, it is not an issue if the user runs into rate limits. The reason is that the link is session independent. Therefore, if the user hits rate limits, we can just silently skip sending additional verification emails, as the previous emails that were already sent still contain valid links.
Read more