Bump django-allauth from 0.60.1 to 0.61.1
Bumps django-allauth from 0.60.1 to 0.61.1.
Changelog
Sourced from django-allauth's changelog.
0.61.1 (2024-02-09)
Fixes
- Fixed a RuntimeWarning that could occur when running inside an async environment ('SyncToAsync' was never awaited).
Security notice
- As part of the Google OAuth handshake, an ID token is obtained by direct machine to machine communication between the server running django-allauth and Google. Because of this direct communication, we are allowed to skip checking the token signature according to the OpenID Connect Core 1.0 specification (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). However, as django-allauth is used and built upon by third parties, this is an implementation detail with security implications that is easily overlooked. To mitigate potential issues, verifying the signature is now only skipped if it was django-allauth that actually fetched the access token.
0.61.0 (2024-02-07)
Noteworthy changes
- Added support for account related security notifications. When ACCOUNT_EMAIL_NOTIFICATIONS = True, email notifications such as "Your password was changed", including information on user agent / IP address from where the change originated, will be emailed.
- Google: Starting from 0.52.0, the id_token is being used for extracting user information. To accommodate for scenarios where django-allauth is used in contexts where the id_token is not posted, the provider now looks up the required information from the /userinfo endpoint based on the access token if the id_token is absent.
Security notice
- MFA: It was possible to reuse a valid TOTP code within its time window. This has now been addressed. As a result, a user can now only login once per 30 seconds (MFA_TOTP_PERIOD).
... (truncated)
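The 0.61.1 security notice above is easier to see in code. What follows is an added example, not django-allauth's own implementation: a minimal ID token validator whose signature check is skipped only when the caller asserts that the server itself fetched the token from the provider; issuer, audience and expiry are checked on both paths. To run with the standard library alone it assumes an HS256 token with a shared secret (real Google ID tokens are RS256 and are verified against Google's published JWKS, with the same header / signature / claims order), and the secret, claim values and function names are constructed for illustration.

```python
"""Added example (not django-allauth code): the 0.61.1 policy for ID tokens.
The signature check may be skipped only when this server obtained the token
directly from the provider; a token that arrived via the client must always
be verified. Assumption: HS256 with a shared secret, so it is self-contained
(Google signs with RS256 and publishes its keys as a JWKS document)."""
import base64
import hashlib
import hmac
import json
import time


class IdTokenError(Exception):
    """Raised when an ID token fails validation."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the provider: mint an HS256-signed token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token, secret, issuer, audience, fetched_by_server, now=None):
    """Validate per OpenID Connect Core 3.1.3.7.

    fetched_by_server must be True only when *this* server received the token
    straight from the provider's token endpoint; that is the sole case in
    which the signature check is skipped. iss, aud and exp are always checked.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # bad split, bad base64 or bad JSON
        raise IdTokenError("malformed token") from exc

    # Never accept an unsigned or foreign-algorithm token, on either path.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unsupported alg {header.get('alg')!r}")

    if not fetched_by_server:
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise IdTokenError("bad signature")

    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    return claims


def demo(now=1_700_000_000):
    """Constructed scenario: the same tokens on the server-fetched and client-posted paths."""
    secret = b"constructed-shared-secret"
    issuer, audience = "https://accounts.google.com", "constructed-client-id"
    claims = {"iss": issuer, "aud": audience, "sub": "1234", "exp": now + 600}
    genuine = make_id_token(claims, secret)
    forged = make_id_token(dict(claims, sub="9999"), b"attacker-key")  # wrong key
    unsigned = ".".join([_b64url_encode(json.dumps({"alg": "none"}).encode()),
                         genuine.split(".")[1], ""])
    expired = make_id_token(dict(claims, exp=now - 1), secret)

    def outcome(token, fetched_by_server):
        try:
            return verify_id_token(token, secret, issuer, audience, fetched_by_server, now)["sub"]
        except IdTokenError as exc:
            return f"rejected: {exc}"

    return {
        "genuine_server": outcome(genuine, True),
        "genuine_client": outcome(genuine, False),
        "forged_server": outcome(forged, True),    # skipping the check accepts the forgery
        "forged_client": outcome(forged, False),   # verifying catches it
        "unsigned_server": outcome(unsigned, True),
        "expired_server": outcome(expired, True),
    }
```

The forged_server entry is the failure mode the notice describes: a caller that reuses the skip-signature path for a token it did not fetch itself will accept a subject of the attacker's choosing.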
Commits
- da3fe9b chore: Release 0.61.1
- 2fa4294 tests(google): python 3.7 compatibility
- 4037177 fix(account/middleware): SyncToAsync never awaited
- a2a051d feat(google): Verify id_token signature
- 701bcc6 refactor(socialaccount): Extract JWT verification
- 9c08094 chore: Opening 0.61.1-dev
- 6123cca chore: Release 0.61.0
- c3b0af2 fix(account): Don't check redirect url if there's no redirect
- 93d47fd fix(google): Gracefully handle cases where id_token is absent
- 48a661a fix(mfa): Prevent reuse of TOTP codes
- Additional commits viewable in compare view