This document lists changes between released versions of pwned-passwords-django.
Released to correct the date of the 1.2 release listed in this changelog document. No other changes.
- Password-validator error messages are now :ref:`customizable <validator-messages>`.
- The request-timeout value for contacting the Pwned Passwords API defaults to one second, and is customizable via the setting :data:`~django.conf.settings.PWNED_PASSWORDS_API_TIMEOUT`.
- When a request to the Pwned Passwords API times out, or encounters an error, it logs the problem with a message of level ``logging.WARNING``. The :class:`~pwned_passwords_django.validators.PwnedPasswordsValidator` will fall back to Django's ``CommonPasswordValidator``, which has a smaller list of common passwords. The :class:`~pwned_passwords_django.middleware.PwnedPasswordsMiddleware` does not have a fallback behavior; :func:`~pwned_passwords_django.api.pwned_password` will return ``None`` to indicate the error case.
N/A
- :func:`~pwned_passwords_django.api.pwned_password` will now raise ``TypeError`` if its argument is not a Unicode string (the type ``unicode`` on Python 2, ``str`` on Python 3). This is debatably backwards-incompatible; ``pwned_password()`` encodes its argument to UTF-8 bytes, which will raise ``AttributeError`` if attempted on a ``bytes`` object in Python 3. As a result, all supported environments other than Python 2.7/Django 1.11 would already raise ``AttributeError`` (due to ``bytes`` objects lacking the ``encode()`` method) in both 1.0 and 1.1. Enforcing the ``TypeError`` on all supported environments ensures users of pwned-passwords-django do not write code that accidentally works in one and only one environment, and supplies a more accurate and comprehensible exception than the ``AttributeError`` which would have been raised in previous versions.
- The default error and help messages of :class:`~pwned_passwords_django.validators.PwnedPasswordsValidator` now match the messages of Django's ``CommonPasswordValidator``. Since ``PwnedPasswordsValidator`` falls back to ``CommonPasswordValidator`` when the Pwned Passwords API is unresponsive, this provides consistency of messages, and also ensures the messages are translated (Django provides translations for its built-in messages).
N/A
- Case sensitivity issue. The Pwned Passwords API always uses uppercase hexadecimal digits for password hashes; pwned-passwords-django was using lowercase. Fixed by switching pwned-passwords-django to use uppercase.
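
The effect of the case mismatch, as an added example that is not code from pwned-passwords-django: a lowercase SHA-1 digest never matches an uppercase entry, so a breached password is reported as clean. The ``SUFFIX:COUNT`` response layout, the 5-character hash prefix, and the names ``build_sample_response`` and ``lookup`` are assumptions of this sketch; the response body is constructed locally and no network request is made.

```python
import hashlib


def build_sample_response(password, count):
    """Construct a sample response body (assumed format: SUFFIX:COUNT lines)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    # Filler entries are constructed and do not correspond to real passwords.
    lines = ["0" * 35 + ":1", "%s:%d" % (digest[5:], count), "F" * 35 + ":7"]
    return "\r\n".join(lines)


def lookup(password, body, uppercase=True):
    """Return the breach count for password found in body, or 0 if absent.

    uppercase=False reproduces the mismatch described in the changelog entry.
    """
    if not isinstance(password, str):
        # Reject bytes up front instead of failing later inside encode().
        raise TypeError("password must be a Unicode string")
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    if uppercase:
        digest = digest.upper()
    suffix = digest[5:]  # the first 5 hex digits are the range prefix
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    body = build_sample_response("password", 42)
    print("uppercase digest:", lookup("password", body))
    print("lowercase digest:", lookup("password", body, uppercase=False))
```
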
N/A
Initial public release.