Django-allauth

Latest version: v65.6.0


Page 1 of 5

65.6.0
*******************

Noteworthy changes
-------------------

- MFA: Added support for "Trust this browser?" functionality, which offers users
  with MFA enabled the choice to trust their browser, allowing them to skip the
  MFA step on subsequent logins from that browser.


Fixes
-----

- A check is in place to verify that ``ACCOUNT_LOGIN_METHODS`` is aligned with
``ACCOUNT_SIGNUP_FIELDS``. The severity level of that check has now been
lowered from "critical" to "warning", as there may be valid use cases for
configuring a login method that you are not able to sign up with. This check
(``account.W001``) can be silenced using Django's ``SILENCED_SYSTEM_CHECKS``.

- The setting ``ACCOUNT_LOGIN_ON_PASSWORD_RESET = True`` was not respected when using
password reset by code.

65.5.0
*******************

Noteworthy changes
-------------------

- Added support for phone (SMS) authentication.

- Added support for resetting passwords by code, instead of a link
(``ACCOUNT_PASSWORD_RESET_BY_CODE_ENABLED``).

- Added support for Tumblr OAuth2.

- Simplified signup form configuration. The following settings all controlled
  the signup form: ``ACCOUNT_EMAIL_REQUIRED``, ``ACCOUNT_USERNAME_REQUIRED``,
  ``ACCOUNT_SIGNUP_EMAIL_ENTER_TWICE``, ``ACCOUNT_SIGNUP_PASSWORD_ENTER_TWICE``.
  This setup had its issues. For example, when email was not required it was
  still available as an optional field, whereas the username field disappeared
  when not required. Also, for phone/SMS support, additional settings
  would have been required. These settings are now all deprecated, and replaced by one
  new setting: ``ACCOUNT_SIGNUP_FIELDS``, which can be configured to
  e.g. ``['username*', 'email', 'password1*', 'password2*']`` to indicate which
  fields are present and which of those are required (``'*'``). This change is
  performed in a backwards compatible manner.

- Headless: if, while signing up using a third-party provider account, there is
insufficient information received from the provider to automatically complete
the signup process, an additional step is needed to complete the missing data
before the user is fully signed up and authenticated. You can now perform a
``GET`` request to ``/_allauth/{client}/v1/auth/provider/signup`` to obtain
information on the pending signup.

- Headless: OpenID Connect providers now support token authentication.

- The "Forgot your password?" help text can now be more easily customized by
providing your own ``"account/password_reset_help_text.html"`` template.

- Removed inline scripts, so that it becomes possible to use a strong Content
Security Policy.

- Headless: The OpenAPI specification now dynamically reflects the
``ACCOUNT_SIGNUP_FIELDS`` configuration, as well as any custom fields you have
in ``ACCOUNT_SIGNUP_FORM_CLASS``.

- Added official support for Python 3.13.


Fixes
-----

- Headless: In case you had multiple apps of the same provider configured,
you could run into a ``MultipleObjectsReturned``. Fixed.

65.4.1
*******************

Fixes
-----

- To make way for a future ``"phone"`` method, ``AUTHENTICATION_METHOD`` was
removed in favor of a new ``LOGIN_METHODS``. While this change was done in a
backwards compatible manner within allauth scope, other packages accessing
``allauth.account.app_settings.AUTHENTICATION_METHOD`` would break. Fixed.

65.4.0
*******************

Noteworthy changes
-------------------

- The setting ``ACCOUNT_AUTHENTICATION_METHOD: str`` (with values
  ``"username"``, ``"username_email"``, ``"email"``) has been replaced by
  ``ACCOUNT_LOGIN_METHODS: set[str]``, which is a set of values including
  ``"username"`` or ``"email"``. This change is performed in a backwards
  compatible manner.

- Headless: when ``HEADLESS_SERVE_SPECIFICATION`` is set to ``True``, the API
  specification will be served dynamically, over at
  ``/_allauth/openapi.(yaml|json|html)``. The
  ``HEADLESS_SPECIFICATION_TEMPLATE_NAME`` can be configured to choose between
  Redoc (``"headless/spec/redoc_cdn.html"``) and Swagger
  (``"headless/spec/swagger_cdn.html"``).

- Headless: added a new setting, ``HEADLESS_CLIENTS`` which you can use to limit
the types of API clients (app/browser).

- Headless: expanded the React SPA example to showcase integration with
Django Ninja as well as Django REST framework.

- Headless: added out of the box support for being able to use the headless
session tokens with Django Ninja and Django REST framework.

65.3.1
*******************

Fixes
-----

- Headless: When using email verification by code, you could incorrectly
encounter a 409 when attempting to add a new email address while logged in.

- Headless: In contrast to the headed version, it was possible to remove the
  last third-party account from a user that has no usable password. Fixed.

- Headless: The setting ``ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION`` was not respected,
and always assumed to be ``True``.

65.3.0
*******************

Noteworthy changes
-------------------

- Added support for TOTP code tolerance (see ``MFA_TOTP_TOLERANCE``).
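The following is an added illustration of what a TOTP tolerance window means in practice; it is not allauth's own code, and it assumes (as an interpretation of the ``MFA_TOTP_TOLERANCE`` setting named above, not a statement about its implementation) that "tolerance" is the number of 30-second time steps accepted on either side of the current one. The ``hotp``/``totp`` functions follow RFC 4226 and RFC 6238, the secret is the RFC test vector, and the verifier also shows the two things a wider window makes more important: constant-time comparison across all candidate steps, and refusing replays of a code that was already accepted.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(timestamp / step)."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Verifies TOTP codes with a tolerance window and replay protection.

    `tolerance` is the number of time steps accepted on either side of the
    current step (0 means only the current 30-second window is valid).
    """

    def __init__(self, secret: bytes, tolerance: int = 0, step: int = 30, digits: int = 6):
        self.secret = secret
        self.tolerance = tolerance
        self.step = step
        self.digits = digits
        # Last accepted counter; a real deployment persists this per user/authenticator.
        self.last_counter = None

    def verify(self, code: str, timestamp: int) -> bool:
        current = timestamp // self.step
        first = max(current - self.tolerance, 0)
        accepted = None
        # Check every candidate step without breaking out early, and compare in
        # constant time, so response time does not reveal which step (if any) matched.
        for counter in range(first, current + self.tolerance + 1):
            expected = hotp(self.secret, counter, self.digits).encode()
            if hmac.compare_digest(expected, code.encode()):
                accepted = counter
        if accepted is None:
            return False
        # Replay protection: a code from a step at or before the last accepted
        # one is refused, even though it may still lie inside the tolerance window.
        if self.last_counter is not None and accepted <= self.last_counter:
            return False
        self.last_counter = accepted
        return True


# RFC 6238 test secret (ASCII "12345678901234567890"), used here as sample input.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET, tolerance=1)
    print(totp(RFC_SECRET, 59))     # 287082: RFC 6238 vector for T=59, 6 digits
    print(v.verify("287082", 59))   # True: code for the current step
    print(v.verify("287082", 89))   # False: same code replayed one step later
    print(v.verify("359152", 119))  # True: step-2 code presented during step 3, within tolerance
```

With ``tolerance=0`` the code for step 1 is rejected at timestamp 89 (step 2); with ``tolerance=1`` it is accepted, which is the clock-skew case the setting exists for, while the ``last_counter`` check ensures that widening the window never lets the same code be used twice.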


Security notice
---------------

- Authentication by email/password was vulnerable to account enumeration by
means of a timing attack. Thanks to Julie Rymer for the report and the patch.
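As an added example of the class of bug described in this notice (not allauth's code, and not a description of the actual patch), the block below contrasts a login check that returns early for an unknown email with one that always runs the password hasher. The user table, the passwords and the PBKDF2 parameters are constructed for the example; the point is that the hardened version costs the same whether or not the email exists, so response time no longer tells an observer which addresses are registered.

```python
import hashlib
import hmac
import os
import secrets
import time
from statistics import median

# Constructed sample data for this example (not from any real system).
ITERATIONS = 50_000  # PBKDF2 rounds: deliberately slow, as a password hasher should be


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, pbkdf2(password, salt)


# In-memory stand-in for the user table: email -> (salt, hash).
USERS = {"alice@example.com": make_record("correct horse battery staple")}

# A dummy record computed once at startup so that the "no such user" path can run
# the hasher against something and cost as much as a real check.
DUMMY_RECORD = make_record(secrets.token_urlsafe(32))


def check_password(password: str, record: tuple) -> bool:
    salt, expected = record
    return hmac.compare_digest(pbkdf2(password, salt), expected)


def authenticate_leaky(email: str, password: str):
    """Vulnerable pattern: returns early when the email is unknown, so an unknown
    address answers in microseconds while a known one takes a full hash."""
    record = USERS.get(email)
    if record is None:
        return None
    return email if check_password(password, record) else None


def authenticate_uniform(email: str, password: str):
    """Hardened pattern: always run the hasher (against the dummy record when the
    email is unknown) and only succeed when a real record matched."""
    record = USERS.get(email)
    ok = check_password(password, record if record is not None else DUMMY_RECORD)
    return email if (record is not None and ok) else None


def median_ms(fn, *args, runs: int = 5) -> float:
    """Median wall-clock time of fn(*args) in milliseconds over `runs` calls."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        fn(*args)
        samples.append((time.perf_counter() - t0) * 1000)
    return median(samples)


if __name__ == "__main__":
    for name, fn in (("leaky", authenticate_leaky), ("uniform", authenticate_uniform)):
        known = median_ms(fn, "alice@example.com", "wrong password")
        unknown = median_ms(fn, "nobody@example.com", "wrong password")
        print(f"{name:8s} known user: {known:7.2f} ms   unknown user: {unknown:7.2f} ms")
```

Running it prints two rows: for ``authenticate_leaky`` the unknown-user column is orders of magnitude smaller than the known-user column, for ``authenticate_uniform`` the two are within noise of each other. Django's own ``ModelBackend`` uses the same idea (hashing a throwaway password when no user is found); the dummy record is precomputed so that the fix does not itself add a measurable startup-versus-request difference.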


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.