- The Battle.net login backend now recognizes
apacas a valid region. - User model using a
UUIDFieldas it's primary key can now be logged in upon email confirmation (if usingACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION). - New providers: Disqus.
- New providers: Telegram, QuickBooks.
- The Facebook API version now defaults to v2.12.
- ORCID upgraded to use API v2.1.
- In previous versions, the authentication backend did not invoke the
user_can_authenticate()method, potentially allowing users withis_active=Falseto authenticate when the allauth authentication backend was used in a non allauth context.
- Add support for Django 2.0
- As an extra security measure on top of what the standard Django password reset token generator is already facilitating, allauth now adds the user email address to the hash such that whenever the user's email address changes the token is invalidated.
- Drop support for Django 1.8 and Django 1.10.
- New provider: Azure, Microsoft Graph, Salesforce, Yahoo.
- The "Set Password" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.
- New provider: Meetup.
- Security: password reset tokens are now prevented from being leaked through the password reset URL.
- New providers: Patreon, Authentiq, Dataporten.
- Dropbox has been upgraded to API V2.
- New translation: Norwegian.
- Dropped support for Django 1.9.
- Improved AJAX support: the account management views (change/set password, manage e-mail addresses and social connections) now support AJAX GET requests. These views hand over all the required data for you to build your frontend application upon.
- New providers: Dwolla, Trello.
- Shopify: support for per-user access mode.
- In previous versions, the views only responded with JSON responses when issuing AJAX requests of type POST. Now, the views also respond in JSON when making AJAX GET requests.
- The structure of the response for AJAX requests has changed. Previously, it contained a
form_errorskey containing all form validation errors, if any. Now, it contains aformkey that describes the complete form, including the fields. Field specific errors are placed inform.fields['some_field'].errors, non-field errors inform.errors. - The parameters passed to the Facebook JS SDK
FB.init()method used to containcookie,status, andxfbml, all set totrue. These parameters are no longer explicitly passed. You can use the newly introducedINIT_PARAMSprovider setting to provide your own values.
- Added a new
user_logged_outsignal. - OpenId: Added support for requesting additional data.
- New providers: Auth0, Box, Line, Naver, Kakao, Daum, MailChimp, Eventbrite.
- Django 1.7 / Python 3.2 compatibility has been dropped.
- Due to providers being registered in the same file as their definition it was impossible to subclass a provider without having the parent be registered. This has been addressed. If you have implemented a custom provider, you will need to change
providers.registry.register(CustomProvider)intoprovider_classes = [CustomProvider].
- Changed the algorithm that generates unique usernames. Previously, in case the provider did not hand over any information to base the username on, the username "user" extended with an ever increasing numeric suffix would be attempted until a free username was found. In case of a large number of existing users, this could result in many queries being executed before a free username would be found, potentially resulting in a denial of service. The new algorithm uses a random suffix and only one query to determine the final username.
- Added a new setting:
ACCOUNT_PRESERVE_USERNAME_CASING. This setting determines whether the username is stored in lowercase (False) or whether its casing is to be preserved (True). Note that when casing is preserved, potentially expensive__iexactlookups are performed when filter on username. For now, the default is set toTrueto maintain backwards compatibility. - The OAuth2Adapter class has gained a
get_callback_urlmethod for when customizing the callback URL is desired. - The Battle.net login backend now accepts the
regionGET parameter. - New providers: 500px, Discord.
- In previous versions, the
DefaultAccountAdaptercontained ausername_regexproperty and accompanyingerror_messages['invalid_username']validation error message. These have been removed in favor of using the regex validation already defined at the user model level. Alternatively, you can use the newly introducedACCOUNT_USERNAME_VALIDATORSsetting. - The Battle.net backend no longer overrides username regex validation. In order to use battletags as usernames, you are expected to override either the
usernamefield on your User model, or to pass a custom validator which will accept the#character using the newACCOUNT_USERNAME_VALIDATORSsetting. Such a validator is available insocialaccount.providers.battlenet.validators.BattletagUsernameValidator.
- Addressed Django 1.10 deprecation warnings.
- Previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for
SCOPEand/orAUTH_PARAMS(part of the largerSOCIALACCOUNT_PROVIDERSsetting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings. Thanks to Ryan Kelly for reporting!
- New providers: Doximity.
- New translations: Korean.
- Django 1.10 compatibility.
- The Twitter and GitHub providers now support querying of the email address.
- When
ACCOUNT_SIGNUP_EMAIL_ENTER_TWICEwas turned on, the e-mail field key changed fromemailtoemail1, which could introduce subtle bugs. This has now been changed: there always is anemailfield, and optionally anemail2field. - The "You must type the same password each time" form validation error that can be triggered during signup is now added to the
password2field instead of being added to the non field errors. - The
email_confirmation_sentsignal is now passedrequest,confirmationandsignupinstead of only theconfirmation. ACCOUNT_PASSWORD_MIN_LENGTHwas already deprecated, but is now completely ignored ifAUTH_PASSWORD_VALIDATORSis not empty.
- Locale files wrongly packaged, fixed.
- Fixed bug (
KeyError) whenACCOUNT_SIGNUP_EMAIL_ENTER_TWICEwas set toTrue.
- New providers: Weixin, Battle.net, Asana, Eve Online, 23andMe, Slack
- Django's password validation mechanism (see
AUTH_PASSWORD_VALIDATORS) is now used to validate passwords. - By default, email confirmations are no longer stored in the database. Instead, the email confirmation mail contains an HMAC based key identifying the email address to confirm. The verification lookup includes a fallback to the previous strategy so that there is no negative impact on pending verification emails.
- A new setting
ACCOUNT_SIGNUP_EMAIL_ENTER_TWICEwas added, requiring users to input their email address twice. The settingACCOUNT_SIGNUP_PASSWORD_VERIFICATIONhas been renamed toACCOUNT_SIGNUP_PASSWORD_ENTER_TWICE. - New translations: Latvian, Kyrgyz.
- Dropped support for Django 1.6
- In order to accomodate for Django's password validation, the
clean_passwordmethod of the adapter now takes an (optional)userparameter as its second argument. - The new HMAC based keys may contain colons. If you have forked
account/urls.py, be sure to sync theaccount_confirm_emailpattern.
- Bug fix release (MemcachedKeyCharacterError: "Control characters not allowed")
- Bug fix release (AttributeError in password reset view).
- Many providers were added: Reddit, Untappd, GitLab, Stripe, Pinterest, Shopify, Draugiem, DigitalOcean, Robinhood, Bitbucket(OAuth2).
- The account connections view is now AJAX aware.
- You can now customize the template extension that is being used to render all HTML templates (
ACCOUNT_TEMPLATE_EXTENSION) - In order to be secure by default, users are now blocked from logging in after exceeding a maximum number of failed login attempts (see
ACCOUNT_LOGIN_ATTEMPTS_LIMIT,ACCOUNT_LOGIN_ATTEMPTS_TIMEOUT). SetACCOUNT_LOGIN_ATTEMPTS_LIMITtoNoneto disable this functionality. Important: while this protects the allauth login view, it does not protect Django's admin login from being brute forced. - New translations: Arabic, Lithuanian
None
- Non-test code accidentally had test packages as a dependency.
- Setting a password after logging in with a social account no longer logs out the user by default on Django 1.7+. Setting an initial password and changing the password both respect
settings.ACCOUNT_LOGOUT_ON_PASSWORD_CHANGE.
- Django 1.9b1 compatibility.
- Seppo Erviälä contributed a Finnish translation, thanks!
- Iurii Kriachko contributed a Basecamp provider, thanks!
- Increased
SocialAppkey/secret/token sizes to 191, decreasedSocialAccount.uidsize to 191. The latter was done in order to accomodate for MySQL in combination with utf8mb4 and contraints onuid. Note thatuidis used to store OpenID URLs, which can theoretically be longer than 191 characters, although in practice this does not seem to be the case. In case you really need to control theuidlength, setsettings.SOCIALACCOUNT_UID_MAX_LENGTHaccordingly. Migrations are in place.
- David Friedman contributed Edmodo support, thanks!
- Added support for
ACCOUNT_LOGIN_ON_PASSWORD_RESET(thanks Julen!)
None
- Reversal of the email confirmation url can now be overridden in the adapter (
get_email_confirmation_url). Additionally, the complete confirmation email handling can be overridden viasend_confirmation_mail. - Template context processors are no longer used.
- The Facebook Graph API fields (/me/?fields=...) can now be configured using the provider
FIELDSsetting.
- Dropped support for Python 2.6 and Django <1.6.
- The default Facebook Graph API version is now v2.4.
- Template context processors are no longer used. The context processor for
allauth.accountwas already empty, and the context processor forallauth.socialaccounthas been converted into the :doc:{% get_providers %} <templates>template tag.
- You can now tweak the authentication params per OAuth provider, as you already could for OAuth2. Contributed by Peter Rowlands, thanks.
- Nattaphoom Ch. contributed a Thai translation, thanks!
- Guoyu Hao contributed a Baidu provider, thanks!
- Rod Xavier Bondoc contributed support logging out on password change (see setting:
ACCOUNT_LOGOUT_ON_PASSWORD_CHANGE)
- In version 0.20.0 an
accountmigration (0002_email_max_length) was added to alter the maximum length of the email field. Unfortunately, a side effect of this migration was that theunique=Truesetting slipped through as well. Hardcoding this toTrueis wrong, as uniqueness actually depends on theACCOUNT_UNIQUE_EMAILsetting. We cannot create a followup0003migration to set things straight, as the0002migration may fail on installations where email addresses are not unique. Therefore, we had to resort to changing an existing migration which is normally not the right thing to do. In case your installation hasACCOUNT_UNIQUE_EMAILset toTrue, you need not take any further action. In case it is set toFalseand migration0002already ran, please issue a--fakemigration down to0001, followed by a re-run of the updated0002.
- Patrick Paul contributed a provider for Evernote, thanks!
- Josh Wright contributed a provider for Spotify, thanks!
- Björn Andersson added support for Dropbox OAuth2, thanks!
- guoqiao contributed a provider for Douban, thanks!
- Given that the
max_lengthfor the Django 1.8EmailFieldhas been bumped to 254, allauth is following up. Migrations (account) are in place.
- Fixed migrations when using South & Django 1.6.
- Basil Shubin contributed an Odnoklassniki provider, thanks!
- Facebook: If the JS SDK is not available, for example due to a browser plugin like Disconnect.me that blocks it, login falls back to the regular non JS handshake.
is_safe_urlcan now be overriden- Facebook: The Graph API version is now configurable via
SOCIALACCOUNT_PROVIDERS. - A Firefox Accounts provider was added by Jannis Leidel, thanks!
- Josh Owen contributed Coinbase support, thanks!
- Tomas Babej contributed a Slovak translation, thanks!
- Moved existing migrations into
south_migrations - "zbryikt" contributed a Taiwanese Chinese translation, thanks!
- Added support for custom password rules via
clean_password.
- In the upcoming Django 1.8 it is no longer possible to hookup an unsaved
Userinstance to aSocialAccount. Therefore, if you are inspecting thesocialloginobject, you should now usesociallogin.userinstead ofsociallogin.account.user. - When users logged in while
User.is_activewasFalse, they were sent to/accounts/inactive/in case of a social login, and received a form validation error in case of a local login. This needless inconsistency has been removed. The validation error no longer appears and local logins are also redirected to/accounts/inactive/. - In case you were overriding the
ResetPasswordForm: the save method now takesrequestas its first argument. - All existing migrations have been moved into
south_migrationspackages, this in order not to conflict with Django's built-in support for migrations. South 1.0 automatically picks up this new location. Upgrade South if you are still dependent on these migrations.
- Storing social access tokens is now optional (
SOCIALACCOUNT_STORE_TOKENS). nimiqcontributed ORCID support, thanks.- All forms are now pluggable via a new setting:
(SOCIAL)ACCOUNT_FORMS. - James Thompson contributed Windows Live support, thanks!
- SECURITY: The Persona provider now requires the
AUDIENCEparameter to be explicitly configured, as required by the Persona specification for security reasons. - The inline Javascript is removed from the
fbconnect.htmltemplate, which allows for a more strictContent-Security-Policy. If you were using the builtinfbconnect.htmlthis change should go by unnoticed.
sourenarayacontributed Mail.Ru support, thanks.- account: Justin Michalicek contributed support to control session life time and age:
ACCOUNT_SESSION_COOKIE_AGEandACCOUNT_SESSION_REMEMBER. - Serafeim Papastefanos contributed an Ukrainian translation, thanks!
kkarwowscontributed AppConfig support, thanks.- socialaccount: Added Xing provider.
- socialaccount: Marcin Skarbek contributed Hubic support, thanks!
- Volodymyr Yatsyk contributed an Ukrainian translation, thanks!
joke2kcontributed an Italian translation, thanks!- socialaccount: All providers now support the
VERIFIED_EMAILproperty have e-mail addresses forced to be interpreted as verified.
None
- Facebook login via Javascript was broken if
auth_typewas not set toreauthenticate, fixed. - Support for hooking up a callback when
FB.init()is ready (allauth.facebook.onInit)
None
- Nariman Gharib contributed a Persian translation, thanks!
- The custom signup form
savehas been deprecated in favour of adef signup(request, user)method. - Facebook reauthentication now uses an
auth_nonce. - Added a new option
ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION, to indicate whether or not e-mail confirmation is to automatically log in. - socialaccount: Added Bitbucket provider.
- Jack Shedd contributed Tumblr support, thanks!
- Romanos Tsouroplis contributed Foursquare support, thanks!
- "excessivedemon" contributed Flickr support, thanks!
- Luis Diego García contributed Amazon and Paypal support, thanks!
- Stuart Ross contributed LinkedIn OAuth 2.0 support, thanks!
- Previously, the
save(user)was called on the custom signup form. However, this shadowed the existingsavemethod in case a model form was used. To avoid confusion, thesavemethod has been deprecated in favour of adef signup(request, user)method. - The Amazon provider requires more space for
token_secret, so the maximum length restriction has been dropped. Migrations are in place.
- socialaccount: Added
is_auto_signup_allowedto social account adapter. - facebook: Added a new setting: VERIFIED_EMAIL.
- socialaccount: a collision on e-mail address when you sign up using a third party social account is now more clearly explained: "An account already exists with this e-mail address. Please sign in to that account first, then connect your Google account".
- account: You are now automatically logged in after confirming your e-mail address during sign up.
- account: The
/accounts/login/view now supports AJAX requests. - facebook: The fbconnect.js script is now more pluggable.
- socialaccount: Markus Kaiserswerth contributed a Feedly provider, thanks!
- socialaccount: Dropped django-avatar support.
- openid: First, last and full name are now also queried together with the e-mail address. Thanks, @andrvb.
- openid: Compatibility fix for Django 1.6 (JSON serializer).
- account: Added support for
ACCOUNT_CONFIRM_EMAIL_ON_GET.
- Instead of directly rendering and returning a template, logging in while the account is inactive or not yet confirmed now redirects to two new views:
/accounts/inactive/respectively/accounts/confirm-email/. - The
account/verification_sent.htmltemplate no longer receives the e-mail address in the context (email). Note that a message containing that e-mail address is still emitted using the messages framework. - The
/accounts/confirm_email/key/view has been renamed to/accounts/confirm-email/(human friendlier). Redirects are in place to handle old still pending confirmations. - Built-in support for django-avatar has been removed. Offering such functionality means making choices which may not be valid for everyone. For example, allauth was downloading the image (which can take some time, or even block) in the context of the login, whereas a better place might be some celery background job. Additionally, in case of an error it simply ignored this. How about retries et al? Also, do you want to copy the avatar once at sign up, or do you want to update on each login? All in all, this functionality goes way beyond authentication and should be addressed elsewhere, beyond allauth scope. The original code has been preserved here so that you can easily reinstate it in your own project: https://gist.github.com/pennersr/7571752
- Compatibility fix for logging in with Django 1.6.
- Maksim Rukomoynikov contributed a Russian translation, thanks!
- In case you were using the internal method
generate_unique_username, note that its signature has changed. It now takes a list of candidates to base the username on.
- PyPi did not render the README.rst properly.
None
- Stuart Ross contributed AngelList support, thanks!
- LinkedIn: profile fields that are to be fetched are now configurable (
PROFILE_FIELDSprovider-level setting). - Udi Oron contributed a Hebrew translation, thanks!
- Add setting
ACCOUNT_DEFAULT_HTTP_PROTOCOL(HTTPS support). - George Whewell contributed Instagram support, thanks!
- Refactored adapter methods relating to creating and populating
Userinstances. - User creation methods in the
Default(Social)AccountAdapternow have access to therequest.
- The
socialaccount/account_inactive.htmltemplate has been moved toaccount/account_inactive.html. - The adapter API for creating and populating users has been overhauled. As a result, the
populate_new_useradapter methods have disappeared. Please refer to the section on "Creating and Populating User Instances" for more information.
- Koichi Harakawa contributed a Japanese translation, thanks!
- Added
is_open_for_signupto DefaultSocialAccountAdapter. - Added VK provider support.
- Marcin Spoczynski contributed a Polish translation, thanks!
- All views are now class-based.
django.contrib.messagesis now optional.- "jresins" contributed a simplified Chinese, thanks!
- The password reset from key success response now redirects to a "done" view (
/accounts/password/reset/key/done/). This view has its ownaccount/password_reset_from_key_done.htmltemplate. In previous versions, the success template was intertwined with theaccount/password_reset_from_key.htmltemplate.
- Added support for re-authenticated (forced prompt) by means of a new
action="reauthenticate"parameter to the{% provider_login_url %} - Roberto Novaes contributed a Brazilian Portuguese translation, thanks!
- Daniel Eriksson contributed a Swedish translation, thanks!
- You can now logout from both allauth and Facebook via a Javascript helper:
window.allauth.facebook.logout(). - Connecting a social account is now a flow that needs to be explicitly triggered, by means of a
process="connect"parameter that can be passed along to the{% provider_login_url %}, or aprocess=connectGET parameter. - Tomas Marcik contributed a Czech translation, thanks!
- The
{% provider_login_url %}tag now takes an optional process parameter that indicates how to process the social login. As a result, if you include the templatesocialaccount/snippets/provider_list.htmlfrom your own overridensocialaccount/connections.htmltemplate, you now need to pass along the process parameter as follows:{% include "socialaccount/snippets/provider_list.html" with process="connect" %}. - Instead of inlining the required Facebook SDK Javascript wrapper code into the HTML, it now resides into its own .js file (served with
{% static %}). If you were using the builtinfbconnect.htmlthis change should go by unnoticed.
- Released (due to issue in disconnecting social accounts).
None
- Moved logic whether or not a social account can be disconnected to the
SocialAccountAdapter(validate_disconnect). - Added
social_account_removedsignal. - Implemented CSRF protection (http://tools.ietf.org/html/draft-ietf-oauth-v2-30#section-10.12).
- The
user_logged_insignal now optionally receives asocialloginparameter, in case of a social login. - Added
social_account_added(contributed by orblivion, thanks). - Hatem Nassrat contributed Bitly support, thanks!
- Bojan Mihelac contributed a Croatian translation, thanks!
- Messages (as in
django.contrib.messages) are now configurable through templates. - Added support for differentiating e-mail handling (verification, required) between local and social accounts:
SOCIALACCOUNT_EMAIL_REQUIREDandSOCIALACCOUNT_EMAIL_VERIFICATION.
None
- Cleaning of
usernamecan now be overriden viaDefaultAccountAdapter.clean_username - Fixed potential error (
assert) when connecting social accounts. - Added support for custom username handling in case of custom user models (
ACCOUNT_USER_MODEL_USERNAME_FIELD).
None
- Chris Davis contributed Vimeo support, thanks!
- Added support for overriding the URL to return to after connecting a social account (
allauth.socialaccount.adapter.DefaultSocialAccountAdapter.get_connect_redirect_url). - Python 3 is now supported!
- Dropped dependency on (unmaintained?) oauth2 package, in favor of requests-oauthlib.
- account: E-mail confirmation mails generated at signup can now be differentiated from regular e-mail confirmation mails by placing e.g. a welcome message into the
account/email/email_confirmation_signup*templates. Thanks to Sam Solomon for the patch. - account: Moved User instance creation to adapter so that e.g. username generation can be influenced. Thanks to John Bazik for the patch.
- Robert Balfre contributed Dropbox support, thanks!
- socialaccount: Added support for Weibo.
- account: Added support for sending HTML e-mail. Add
*_message.htmltemplates and they will be automatically picked up. - Added support for passing along extra parameters to the OAuth2 authentication calls, such as
access_type(Google) orauth_type(Facebook). - Both the login and signup view now immediately redirect to the login redirect url in case the user was already authenticated.
- Added support for closing down signups in a pluggable fashion, making it easy to hookup your own invitation handling mechanism.
- Added support for passing along extra parameters to the
FB.loginAPI call.
- Logout no longer happens on GET request. Refer to the
LogoutViewdocumentation for more background information. Logging out on GET can be restored by the settingACCOUNT_LOGOUT_ON_GET. Furthermore, after logging out you are now redirected toACCOUNT_LOGOUT_REDIRECT_URLinstead of rendering theaccount/logout.htmltemplate. LOGIN_REDIRECT_URLNAMEis now deprecated. Django 1.5 accepts both URL names and URLs forLOGIN_REDIRECT_URL, so we do so as well.DefaultAccountAdapter.stash_email_verifiedis now namedstash_verified_email.- Django 1.4.3 is now the minimal requirement.
- Dropped dependency on (unmaintained?) oauth2 package, in favor of requests-oauthlib. So you will need to update your (virtual) environment accordingly.
- We noticed a very rare bug that affects end users who add Google social login to existing accounts. The symptom is you end up with users who have multiple primary email addresses which conflicts with assumptions made by the code. In addition to fixing the code that allowed duplicates to occur, there is a managegement command you can run if you think this effects you (and if it doesn't effect you there is no harm in running it anyways if you are unsure):
python manage.py account_unsetmultipleprimaryemails- Will silently remove primary flags for email addresses that aren't the same as
user.email. - If no primary
EmailAddressisuser.emailit will pick one at random and print a warning.
- Will silently remove primary flags for email addresses that aren't the same as
- The expiry time, if any, is now stored in a new column
SocialToken.expires_at. Migrations are in place. - Furthermore, Facebook started returning longer tokens, so the maximum token length was increased. Again, migrations are in place.
- Login and signup views have been turned into class-based views.
- The template variable
facebook_permsis no longer passed to the "facebook/fbconnect.html" template. Instead,fb_login_optionscontaining all options is passed.
- account:
user_signed_upsignal now emits an optionalsocialloginparameter so that receivers can easily differentiate between local and social signups. - account: Added
email_removedsignal. - socialaccount: Populating of User model fields is now centralized in the adapter, splitting up
nameintofirst_nameandlast_nameif these were not individually available. - Ahmet Emre Aladağ contributed a Turkish translation, thanks!
- socialaccount: Added SocialAccountAdapter hook to allow for intervention in social logins.
- google: support for Google's
verified_emailflag to determine whether or not to send confirmation e-mails. - Fábio Santos contributed a Portugese translation, thanks!
- socialaccount: Added support for Stack Exchange.
- socialaccount: Added
get_social_accountstemplate tag. - account: Default URL to redirect to after login can now be overriden via the adapter, both for login and e-mail confirmation redirects.
requestsis now a dependency (droppedhttplib2).- Added a new column
SocialApp.client_id. The value ofkeyneeds to be moved to the newclient_idcolumn. Thekeycolumn is required for Stack Exchange. Migrations are in place to handle all of this automatically.
- Markus Thielen contributed a German translation, thanks!
- The
siteforeign key fromSocialApptoSitehas been replaced by aManyToManyField. Many apps can be used across multiple domains (Facebook cannot). - account: Added adapter class for increased pluggability. Added hook for 3rd party invitation system to by pass e-mail verification (
stash_email_verified). Moved sending of mail to adapter. - account: Added option to completely disable e-mail verification during signup.
- The
ACCOUNT_EMAIL_VERIFICATIONsetting is no longer a boolean based setting. Use a string value of "none", "optional" or "mandatory" instead. - The template "account/password_reset_key_message.txt" has been moved to "account/email/password_reset_key_message.txt". The subject of the message has been moved into a template ("account/email/password_reset_key_subject.txt").
- The
siteforeign key fromSocialApptoSitehas been replaced by aManyToManyField. Many apps can be used across multiple domains (Facebook cannot).
- Twitter: Login was broken due to change at in URLs at Twitter, fixed.
- LinkedIn: Added support for passing along the OAuth scope.
- account: Improved e-mail confirmation error handling, no more confusing 404s.
- account: Aldiantoro Nugroho contributed support for a new setting: ACCOUNT_USERNAME_MIN_LENGTH
- socialaccount: Added preliminary support for Mozilla Persona.
- account: Sam Solomon added various signals for email and password related changes.
- account: Usernames may now contain @, +, . and - characters.
- Dropped support for
CONTACT_EMAILfrom theaccounttemplate context processor. It was never documented and only used in the templates as an example -- there is no need to pollute theallauthsettings with that. If your templates rely on it then you will have to put it in a context processor yourself.
- Python 2.6.2 compatibility issue, fixed.
- The example project was unintentionally packaged, fixed.
None
- account: Dropped dependency on the emailconfirmation app, integrating its functionality into the account app. This change is of major impact, please refer to the documentation on how to upgrade.
- account: Documented ACCOUNT_USERNAME_REQUIRED. This is actually not a new setting, but it somehow got overlooked in the documentation.
- account/socialaccount: Dropped the _tags postfix from the template tag libraries. Simply use {% load account %} and {% load socialaccount %}.
- Added signup and social login signals.
- SoundCloud: Rabi Alam contributed a SoundCloud provider, thanks!
- account: Sam Solomon cleaned up the e-mail management view: added proper redirect after POSTs, prevent deletion of primary e-mail. Thanks.
- account: When signing up, instead of generating a completely random username a more sensible username is automatically derived from first/last name or e-mail.
allauthnow depends on Django 1.4 or higher.- Major impact: dropped dependency on the
emailconfirmationapp, as this project is clearly left unmaintained. Important tickets such as pinax-archives/django-email-confirmation#5 are not being addressed. All models and related functionality have been directly integrated into theallauth.accountapp. When upgrading take care of the following:- The
emailconfirmationsettingEMAIL_CONFIRMATION_DAYShas been replaced byACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS. - Instead of directly confirming the e-mail address upon the GET request the confirmation is now processed as part of an explicit POST. Therefore, a new template
account/email_confirm.htmlmust be setup. - Existing
emailconfirmationdata should be migrated to the new tables. For this purpose a special management command is available:python manage.py account_emailconfirmationmigration. This command does not drop the oldemailconfirmationtables -- you will have to do this manually yourself. Why not use South? EmailAddress uniqueness depends on the configuration (ACCOUNT_UNIQUE_EMAIL), South does not handle settings dependent database models.
- The
{% load account_tags %}is deprecated, simply use:{% load account %}{% load socialaccount_tags %}is deprecated, simply use:{% load socialaccount %}
- Facebook: Facundo Gaich contributed support for dynamically deriving the Facebook locale from the Django locale, thanks!.
- OAuth: All OAuth/OAuth2 tokens are now consistently stored across the board. Cleaned up OAuth flow removing superfluous redirect.
- Facebook: Dropped Facebook SDK dependency.
- socialaccount: DRY focused refactoring of social login.
- socialaccount: Added support for Google OAuth2 and Facebook OAuth2. Fixed GitHub.
- account: Added verified_email_required decorator.
- socialaccount: When signing up, user.first/last_name where always taken from the provider signup data, even when a custom signup form was in place that offered user inputs for editting these fields. Fixed.
None
- account: Added ACCOUNT_USER_DISPLAY to render a user name without making assumptions on how the user is represented.
- allauth, socialaccount: Removed the last remaining bits of hardcodedness with respect to the enabled social authentication providers.
- account: Added ACCOUNT_AUTHENTICATION_METHOD setting, supporting login by username, e-mail or both.
- The
ACCOUNT_EMAIL_AUTHENTICATIONsetting has been dropped in favor ofACCOUNT_AUTHENTICATION_METHOD. - The login form field is now always named
login. This used to by eitherusernameoremail, depending on the authentication method. If needed, update your templates accordingly. - The
allauthtemplate tags (containing template tags for OpenID, Twitter and Facebook) have been removed. Use thesocialaccounttemplate tags instead (specifically:{% provider_login_url ... %}). - The
allauth.context_processors.allauthcontext processor has been removed, in favor ofallauth.socialaccount.context_processors.socialaccount. In doing so, all hardcodedness with respect to providers (e.gallauth.facebook_enabled) has been removed.
- account: Added setting ACCOUNT_PASSWORD_MIN_LENGTH for specifying the minimum password length.
- socialaccount: Added generic OAuth2 support. Added GitHub support as proof of concept.
- socialaccount: More refactoring: generic provider & OAuth consumer approach. Added LinkedIn support to test this approach.
- socialaccount: Introduced generic models for storing social apps, accounts and tokens in a central and consistent manner, making way for adding support for more account providers. Note: there is more refactoring to be done -- this first step only focuses on the database models.
- account: E-mail confirmation mails are now automatically resent whenever a user attempts to login with an unverified e-mail address (if ACCOUNT_EMAIL_VERIFICATION=True).
- Upgrade your
settings.INSTALLED_APPS: Replaceallauth.<provider>(where provider is one oftwitter,facebookoropenid) withallauth.socialaccount.providers.<provider> - All provider related models (
FacebookAccount,FacebookApp,TwitterAccount,TwitterApp,OpenIDAccount) have been unified into genericSocialAppandSocialAccountmodels. South migrations are in place to move the data over to the new models, after which the original tables are dropped. Therefore, be sure to run migrate using South.
- account: The render_value parameter of all PasswordInput fields used can now be configured via a setting.
- account: Added support for prefixing the subject of sent emails.
- account: Added support for a plugging in a custom signup form used for additional questions to ask during signup.
- account:
is_activeis no longer used to keep users with an unverified e-mail address from loging in. - Dropping uniform dependency. Moved uniform templates into example project.
None
- The e-mail authentication backend now attempts to use the 'username' parameter as an e-mail address. This is needed to properly integrate with other apps invoking authenticate.
- SmileyChris contributed support for automatically generating a user name at signup when
ACCOUNT_USERNAME_REQUIREDis set to False. - Vuong Nguyen contributed support for (optionally) asking for the password just once during signup (
ACCOUNT_SIGNUP_PASSWORD_VERIFICATION). - The Twitter oauth sequence now respects the "oauth_callback" parameter instead of defaulting to the callback URL configured at Twitter.
- Pass along
?next=parameter between login and signup views. - Added Dutch translation.
- Added template tags for pointing to social login URLs. These tags automatically pass along any
?next=parameter. Additionally, added an overall allauth_tags that gracefully degrades when e.g. allauth.facebook is not installed. - Pass along next URL, if any, at
/accounts/social/signup/. - Duplicate email address handling could throw a MultipleObjectsReturned exception, fixed.
- Removed separate social account login view, in favour of having a single unified login view including both forms of login.
- Added support for passing along a next URL parameter to Facebook, OpenID logins.
- Added support for django-avatar, copying the Twitter profile image locally on signup.
allauth/account/forms.py(BaseSignupForm.clean_email): WithACCOUNT_EMAIL_REQUIRED=False, empty email addresses were considered duplicates. Fixed.- The existing migrations for allauth.openid were not compatible with MySQL due to the use of an URLField with max_length above 255. The issue has now been addressed but unfortunately at the cost of the existing migrations for this app. Existing installations will have to be dealt with manually (altering the "identity" column of OpenIDAccount, deleting ghost migrations).
- None