django-allauth 65.2.0 released

Posted by Raymond Penners on 2024-11-08

Noteworthy changes

  • OIDC: You can now configure whether or not PKCE is enabled per app by including "oauth_pkce_enabled": True in the app settings.
  • The OpenStreetMap provider is deprecated. You can set it up as an OpenID Connect provider instead.
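The per-app PKCE switch from the first item above, shown in a settings fragment together with a small audit helper. This is an added example, not code from the django-allauth project: the provider ids, client ids and URLs are constructed placeholders, `oidc_apps_without_pkce` is a hypothetical helper, and the precedence it applies (per-app value first, then the provider-wide `OAUTH_PKCE_ENABLED`, otherwise off) is an assumption.

```python
# Constructed settings: provider ids, client ids, secrets and URLs are placeholders.
SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        # Provider-wide default, used when an app does not set its own value.
        "OAUTH_PKCE_ENABLED": False,
        "APPS": [
            {
                "provider_id": "idp-a",
                "name": "IdP A",
                "client_id": "client-a",
                "secret": "placeholder-secret",
                "settings": {
                    "server_url": "https://idp-a.example.com",
                    # Per-app switch described in the 65.2.0 notes.
                    "oauth_pkce_enabled": True,
                },
            },
            {
                "provider_id": "idp-b",
                "name": "IdP B",
                "client_id": "client-b",
                "secret": "placeholder-secret",
                # No per-app value: falls back to the provider-wide default.
                "settings": {"server_url": "https://idp-b.example.com"},
            },
        ],
    }
}


def oidc_apps_without_pkce(providers):
    """Return provider_ids of OIDC apps for which PKCE ends up disabled.

    Assumption: a per-app "oauth_pkce_enabled" takes precedence over the
    provider-wide "OAUTH_PKCE_ENABLED", and PKCE is off when neither is set.
    """
    oidc = providers.get("openid_connect", {})
    default = oidc.get("OAUTH_PKCE_ENABLED", False)
    disabled = []
    for app in oidc.get("APPS", []):
        enabled = app.get("settings", {}).get("oauth_pkce_enabled")
        if enabled is None:
            enabled = default
        if not enabled:
            disabled.append(app.get("provider_id"))
    return disabled
```

The helper only inspects apps declared in settings; apps stored in the database are not covered by it.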

Fixes

  • A NoReverseMatch could occur when using ACCOUNT_LOGIN_BY_CODE_REQUIRED = True while ACCOUNT_LOGIN_BY_CODE_ENABLED = False, fixed.
  • The PasswordResetDoneView did not behave correctly when using Django's LoginRequiredMiddleware, as it was not properly marked as @login_not_required.
  • When verifying an email address by code, the success URL was hardcoded to the email management view, instead of calling the get_email_verification_redirect_url() adapter method.

Security notice

  • Headless: settings.ACCOUNT_EMAIL_VERIFICATION_BY_CODE_MAX_ATTEMPTS was not enforced, fixed. Note that the related verification endpoint will return a 409 in case the maximum limit is exceeded, as at that point the pending email verification stage is aborted.
