News In 2024
django-allauth 0.63.6 released
Posted by Raymond Penners on 2024-07-12
Security notice: When the Facebook provider was configured to use the js_sdk method, the login page could become vulnerable to an XSS attack.
django-allauth 0.63.5 released
Posted by Raymond Penners on 2024-07-11
Fixes: The security fix in 0.63.4 that altered the __str__() of SocialToken caused issues within the Amazon Cognito, Atlassian, JupyterHub, LemonLDAP, Nextcloud and OpenID Connect providers. Fixed.
django-allauth 0.63.4 released
Posted by Raymond Penners on 2024-07-10
Security notice: The __str__() method of the SocialToken model returned the access token. As a consequence, logging or printing a SocialToken instance would expose the access token. Now, the method no longer returns the token. If you want to log/print tokens, you will now have to explicitly log the token field of the SocialToken instance.
django-allauth 0.63.3 released
Posted by Raymond Penners on 2024-05-31
Noteworthy changes: In HEADLESS_ONLY mode, the /accounts/<provider>/login/ URLs were still available; fixed. The few remaining OAuth 1.0 providers were not compatible with headless mode; fixed. Depending on where you placed the secure_admin_login(admin.site.login) protection, you could run into circular import errors; fixed.
django-allauth 0.63.2 released
Posted by Raymond Penners on 2024-05-24
Noteworthy changes: allauth.headless now supports the is_open_for_signup() adapter method. In case signup is closed, a 403 is returned during signup. Connecting a third-party account in HEADLESS_ONLY mode failed if the connections view could not be reversed; fixed. In case a headless attempt was made to connect a third-party account that was already connected to a different account, no error was communicated to the frontend.