Repoze.who

-------------------

- Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins
are allowed to add keys to the ``identity`` dictionary (e.g., to save a
second database query in an ``IMetadataProvider`` plugin).

- Patch supplied for issue 71 (http://bugs.repoze.org/issue71)
whereby a downstream app can return a generator, relying on an
upstream component to call start_response. We do this because the
challenge decider needs the status and headers to decide what to do.

-------------------
- auth_tkt plugin tried to append REMOTE_USER_TOKENS data to
existing tokens data returned by auth_tkt.parse_tkt; this was
incorrect; just overwrite.

- Extended auth_tkt plugin factory to allow passing secret in a separate
file from the main config file. See http://bugs.repoze.org/issue40 .

-------------------

- Fix auth_tkt plugin; cookie values are now quoted, making it possible
to put spaces and other whitespace, etc in usernames. (thanks to Michael
Pedersen).

- Fix corner case issue of an exception raised when attempting to log
when there are no identifiers or authenticators.

-------------------

- The RedirectingFormPlugin now passes along SetCookie headers set
into the response by the application within the NotFound response
(fixes TG2 "flash" issue).

------------------

- The RedirectingFormPlugin now attempts to find a header named
``X-Authentication-Failure-Reason`` among the response headers set
by the application when a challenge is issued. If a value for this
header exists (and is non-blank), the value is attached to the
redirect URL's query string as the ``reason`` parameter (or a
user-settable key). This makes it possible for downstream
applications to issue a response that initiates a challenge with
this header and subsequently display the reason in the login form
rendered as a result of the challenge.

------------------

- The ``PluggableAuthenticationMiddleware`` constructor accepts a
``log_stream`` argument, which is typically a file. After this
release, it can also be a PEP 333 ``Logger`` instance; if it is a
PEP 333 ``Logger`` instance, this logger will be used as the
repoze.who logger (instead of one being constructed by the
middleware, as was previously always the case). When the
``log_stream`` argument is a PEP 333 Logger object, the
``log_level`` argument is ignored.