Bump django-allauth from 0.58.2 to 0.61.0

[dependabot[bot]]

Bumps django-allauth from 0.58.2 to 0.61.0.

Changelog

Sourced from django-allauth's changelog.

0.61.0 (2024-02-07)

---

Note worthy changes

• Added support for account related security notifications. When ACCOUNT_EMAIL_NOTIFICATIONS = True, email notifications such as "Your password was changed", including information on user agent / IP address from where the change originated, will be emailed.

• Google: Starting from 0.52.0, the id_token is being used for extracting user information. To accommodate for scenario's where django-allauth is used in contexts where the id_token is not posted, the provider now looks up the required information from the /userinfo endpoint based on the access token if the id_token is absent.

Security notice

• MFA: It was possible to reuse a valid TOTP code within its time window. This has now been addressed. As a result, a user can now only login once per 30 seconds (MFA_TOTP_PERIOD).

Backwards incompatible changes

• The rate limit mechanism has received an update. Previously, when specifying e.g. "5/m" it was handled implicitly whether or not that limit was per IP, per user, or per action specific key. This has now been made explicit: "5/m/user" vs "5/m/ip" vs "5/m/key". Combinations are also supported now: "20/m/ip,5/m/key" . Additionally, the rate limit mechanism is now used throughout, including email confirmation cooldown as well as limitting failed login attempts. Therefore, the ACCOUNT_LOGIN_ATTEMPTS_LIMIT and ACCOUNT_EMAIL_CONFIRMATION_COOLDOWN settings are deprecated. See :doc:Rate Limits <../account/rate_limits> for details.

0.60.1 (2024-01-15)

---

Fixes

• User sessions: after changing your password in case of ACCOUNT_LOGOUT_ON_PASSWORD_CHANGE = False, the list of sessions woud be empty instead of showing your current session.

• SAML: accessing the SLS/ACS views using a GET request would result in a crash (500).

... (truncated)

Commits

• 6123cca chore: Release 0.61.0
• c3b0af2 fix(account): Don't check redirect url if there's no redirect
• 93d47fd fix(google): Gracefully handle cases where id_token is absent
• 48a661a fix(mfa): Prevent reuse of TOTP codes
• ad89388 docs(README): Add demo link
• d5e33b3 docs(README): Add downloads badge
• d80939d chore(examples): Remove outdated .example file
• d775ea4 chore(examples): run regular-django using docker
• 83b45d0 fix(openid): Remove outdated providers
• b025fdc docs(ChangeLog): Moved rate limit note to where it belongs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

Superseded by #131.