Fixed a RuntimeWarning that could occur when running inside an async
environment ('SyncToAsync' was never awaited).
Security notice
As part of the Google OAuth handshake, an ID token is obtained by direct
machine to machine communication between the server running django-allauth and
Google. Because of this direct communication, we are allowed to skip checking
the token signature according to the OpenID Connect Core 1.0 specification <https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation>_.
However, as django-allauth is used and built upon by third parties, this is an
implementation detail with security implications that is easily overlooked. To
mitigate potential issues, verifying the signature is now only skipped if it
was django-allauth that actually fetched the access token.
0.61.0 (2024-02-07)
Note worthy changes
Added support for account related security notifications. When
ACCOUNT_EMAIL_NOTIFICATIONS = True, email notifications such as "Your
password was changed", including information on user agent / IP address from where the change
originated, will be emailed.
Google: Starting from 0.52.0, the id_token is being used for extracting
user information. To accommodate for scenario's where django-allauth is used
in contexts where the id_token is not posted, the provider now looks up
the required information from the /userinfo endpoint based on the access
token if the id_token is absent.
Security notice
MFA: It was possible to reuse a valid TOTP code within its time window. This
has now been addressed. As a result, a user can now only login once per 30
seconds (MFA_TOTP_PERIOD).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps django-allauth from 0.59.0 to 0.61.1.
Changelog
Sourced from django-allauth's changelog.
... (truncated)
Commits
da3fe9b
chore: Release 0.61.12fa4294
tests(google): python 3.7 compatibility4037177
fix(account/middleware): SyncToAsync never awaiteda2a051d
feat(google): Verify id_token signature701bcc6
refactor(socialaccount): Extract JWT verification9c08094
chore: Opening 0.61.1-dev6123cca
chore: Release 0.61.0c3b0af2
fix(account): Don't check redirect url if there's no redirect93d47fd
fix(google): Gracefully handle cases where id_token is absent48a661a
fix(mfa): Prevent reuse of TOTP codesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show