Django-allauth

Latest version: v65.4.1


65.4.1
*******************

Fixes
-----

- To make way for a future ``"phone"`` method, ``AUTHENTICATION_METHOD`` was
removed in favor of a new ``LOGIN_METHODS``. While this change was done in a
backwards compatible manner within allauth scope, other packages accessing
``allauth.account.app_settings.AUTHENTICATION_METHOD`` would break. Fixed.

65.4.0
*******************

Note worthy changes
-------------------

- The setting ``ACCOUNT_AUTHENTICATION_METHOD: str`` (with values
``"username"``, ``"username_email"``, ``"email"``) has been replaced by
``ACCOUNT_LOGIN_METHODS: set[str]``, which is a set of values including
``"username"`` or ``"email"``. This change is performed in a backwards
compatible manner.

- Headless: when ``HEADLESS_SERVE_SPECIFICATION`` is set to ``True``, the API
specification will be served dynamically, over at
``/_allauth/openapi.(yaml|json|html)``. The
``HEADLESS_SPECIFICATION_TEMPLATE_NAME`` can be configured to choose between
Redoc (``"headless/spec/redoc_cdn.html"``) and Swagger
(``"headless/spec/swagger_cdn.html"``).

- Headless: added a new setting, ``HEADLESS_CLIENTS`` which you can use to limit
the types of API clients (app/browser).

- Headless: expanded the React SPA example to showcase integration with
Django Ninja as well as Django REST framework.

- Headless: added out of the box support for being able to use the headless
session tokens with Django Ninja and Django REST framework.

65.3.1
*******************

Fixes
-----

- Headless: When using email verification by code, you could incorrectly
encounter a 409 when attempting to add a new email address while logged in.

- Headless: In contrast to the headed version, it was possible to remove the
last 3rd party account from a user that has no usable password. Fixed.

- Headless: The setting ``ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION`` was not respected,
and always assumed to be ``True``.

65.3.0
*******************

Note worthy changes
-------------------

- Added support for TOTP code tolerance (see ``MFA_TOTP_TOLERANCE``).


Security notice
---------------

- Authentication by email/password was vulnerable to account enumeration by
means of a timing attack. Thanks to Julie Rymer for the report and the patch.
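The enumeration risk described above, as an added illustration that is not allauth's code: a login check that returns early when the email is unknown (so a missing account skips the slow password hash and responds measurably faster) beside one that always does the same hashing work. The user store, PBKDF2 parameters, dummy record and the hash-run counter in the return value are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: email -> (salt, pbkdf2 digest).
ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


USERS = {"alice@example.com": make_record("correct horse")}

# Dummy record computed once so the "no such account" path can hash against
# something and take the same time as the "account exists" path.
_DUMMY_SALT, _DUMMY_HASH = make_record("dummy-not-a-real-password")


def login_leaky(email: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_runs). Skips hashing for unknown emails,
    so response time alone reveals whether an account exists."""
    record = USERS.get(email)
    if record is None:
        return False, 0          # fast path: no hash, timing leak
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored), 1


def login_constant_work(email: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_runs). Always runs the password hash,
    against the dummy record when the email is unknown, so both paths cost
    the same; the dummy can never authenticate because `exists` is False."""
    record = USERS.get(email)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and exists, 1
```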

65.2.0
*******************

Note worthy changes
-------------------

- OIDC: You can now configure whether or not PKCE is enabled per app by
including ``"oauth_pkce_enabled": True`` in the app settings.

- The OpenStreetMap provider is deprecated. You can set it up as an OpenID Connect provider instead.


Fixes
-----

- A ``NoReverseMatch`` could occur when using ``ACCOUNT_LOGIN_BY_CODE_REQUIRED =
True`` while ``ACCOUNT_LOGIN_BY_CODE_ENABLED = False``, fixed.

- The ``PasswordResetDoneView`` did not behave correctly when using Django's
``LoginRequiredMiddleware``, as it was not properly marked as
``login_not_required``.

- When verifying an email address by code, the success URL was hardcoded to the
email management view, instead of calling the
``get_email_verification_redirect_url()`` adapter method.


Security notice
---------------

- Headless: ``settings.ACCOUNT_EMAIL_VERIFICATION_BY_CODE_MAX_ATTEMPTS`` was not
enforced, fixed. Note that the related verification endpoint will return a
409 in case the maximum limit is exceeded, as at that point the pending email
verification stage is aborted.

65.1.0
*******************

Note worthy changes
-------------------

- OAuth2/OIDC: When setting up multiple apps for the same provider, you can now
configure a different scope per app by including ``"scope": [...]`` in the app
settings.

- Facebook login: Facebook `Limited Login
<https://developers.facebook.com/docs/facebook-login/limited-login>`_ is now
supported via the Headless API. When you have a Limited Login JWT obtained
from the iOS SDK, you can use the Headless "provider token" flow to login with
it.


Fixes
-----

- When using ``HEADLESS_ONLY = True`` together with
``ACCOUNT_REAUTHENTICATION_REQUIRED = True``, you could run into a
``NoReverseMatch`` when connecting a social account. Fixed.

- In headless mode, submitting a login code when the login flow expired resulted
in a 500. Fixed -- it now returns a 409.


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.