~~~~~~~~~~~
Released June 2018

* Password-validator error messages are now :ref:`customizable
  <validator-messages>`.
* The request-timeout value for contacting the Pwned Passwords API defaults to
  one second, and is customizable via the setting
  :data:`~django.conf.settings.PWNED_PASSWORDS_API_TIMEOUT`.
* When a request to the Pwned Passwords API times out, or encounters an error,
  it logs the problem with a message of level :data:`logging.WARNING`. The
  :class:`~pwned_passwords_django.validators.PwnedPasswordsValidator` will fall
  back to
  :class:`~django.contrib.auth.password_validation.CommonPasswordValidator`,
  which has a smaller list of common passwords. The
  :class:`~pwned_passwords_django.middleware.PwnedPasswordsMiddleware` does not
  have a fallback behavior; :func:`~pwned_passwords_django.api.pwned_password`
  will return :data:`None` to indicate the error case.
* :func:`~pwned_passwords_django.api.pwned_password` will now raise
  :exc:`TypeError` if its argument is not a Unicode string (the type
  :class:`unicode` on Python 2, :class:`str` on Python 3). This is debatably
  backwards-incompatible; :func:`~pwned_passwords_django.api.pwned_password`
  encodes its argument to UTF-8 bytes, which will raise :exc:`AttributeError`
  if attempted on a :class:`bytes` object in Python 3. As a result, all
  supported environments other than Python 2.7/Django 1.11 would already raise
  :exc:`AttributeError` (due to :class:`bytes` objects lacking the
  :meth:`~str.encode` method) in both 1.0 and 1.1. Enforcing the
  :exc:`TypeError` on all supported environments ensures users of
  ``pwned-passwords-django`` do not write code that accidentally works in one
  and only one environment, and supplies a more accurate and comprehensible
  exception than the :exc:`AttributeError` which would have been raised in
  previous versions.
* The default error and help messages of
  :class:`~pwned_passwords_django.validators.PwnedPasswordsValidator` now match
  the messages of Django's
  :class:`~django.contrib.auth.password_validation.CommonPasswordValidator`. Since
  :class:`~pwned_passwords_django.validators.PwnedPasswordsValidator` falls
  back to
  :class:`~django.contrib.auth.password_validation.CommonPasswordValidator`
  when the Pwned Passwords API is unresponsive, this provides consistency of
  messages, and also ensures the messages are translated (Django provides
  translations for its built-in messages).
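
For code that calls :func:`~pwned_passwords_django.api.pwned_password` directly, the :data:`None` error case has to be kept apart from a "not found" result, since the middleware path has no fallback. The following is an added example, not code from ``pwned-passwords-django``: ``breach_decision``, ``naive_accepts``, the ``lookup_*`` stand-ins and ``LOCAL_COMMON`` are hypothetical names, and it assumes a successful lookup returns an integer count.

```python
import logging

logger = logging.getLogger(__name__)

# Constructed stand-in for a local common-password list (assumption; Django's
# CommonPasswordValidator ships a far larger one).
LOCAL_COMMON = frozenset({"password", "123456", "qwerty", "letmein"})


def breach_decision(password, lookup, local_common=LOCAL_COMMON):
    """Return (rejected, source) for a candidate password.

    `lookup` is any callable with the contract described above: TypeError for
    non-str input, None when the API call failed, otherwise (assumed) an
    integer count of breach appearances.
    """
    if not isinstance(password, str):
        # Reject bytes up front so every environment fails the same way.
        raise TypeError("password must be str, got %s" % type(password).__name__)
    count = lookup(password)
    if count is None:
        # Error case: never read this as "not breached". Fall back to the
        # smaller local list, mirroring the validator's documented behaviour.
        logger.warning("breach lookup unavailable; using local password list")
        return (password.strip().lower() in local_common, "fallback")
    return (count > 0, "api")


def naive_accepts(password, lookup):
    # The pitfall: truthiness conflates None (lookup failed) with 0 (not found),
    # so an outage silently accepts every password.
    return not lookup(password)


# Constructed lookups standing in for the three possible outcomes.
def lookup_down(password):
    return None


def lookup_clean(password):
    return 0


def lookup_breached(password):
    return 12345  # constructed count
```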