search

pik-software / django-service-boilerplate

Initial Django Microservice template
MIT License
15 stars 7 forks source link

Pin django-oauth-toolkit to latest version 1.3.0 #603

Open pyup-bot opened 4 years ago

pyup-bot commented 4 years ago

This PR pins django-oauth-toolkit to the latest release 1.3.0.

Changelog ### 1.3.0 ``` Added * Add support for Python 3.7 & 3.8 * Add support for Django>=2.1,<3.1 * Add requirement for oauthlib>=3.0.1 * Add support for [Proof Key for Code Exchange (PKCE, RFC 7636)](https://tools.ietf.org/html/rfc7636). * Add support for custom token generators (e.g. to create JWT tokens). * Add new `OAUTH2_PROVIDER` [settings](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html): - `ACCESS_TOKEN_GENERATOR` to override the default access token generator. - `REFRESH_TOKEN_GENERATOR` to override the default refresh token generator. - `EXTRA_SERVER_KWARGS` options dictionary for oauthlib's Server class. - `PKCE_REQUIRED` to require PKCE. * Add `createapplication` management command to create an application. * Add `id` in toolkit admin console applications list. * Add nonstandard Google support for [urn:ietf:wg:oauth:2.0:oob] `redirect_uri` for [Google OAuth2](https://developers.google.com/identity/protocols/OAuth2InstalledApp) "manual copy/paste". **N.B.** this feature appears to be deprecated and replaced with methods described in [RFC 8252: OAuth2 for Native Apps](https://tools.ietf.org/html/rfc8252) and *may* be deprecated and/or removed from a future release of Django-oauth-toolkit. Changed * Change this change log to use [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format. * **Backwards-incompatible** squashed migrations: If you are currently on a release < 1.2.0, you will need to first install 1.2.0 then `manage.py migrate` before upgrading to >= 1.3.0. * Improved the [tutorial](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial.html). Removed * Remove support for Python 3.4 * Remove support for Django<=2.0 * Remove requirement for oauthlib<3.0 Fixed * Fix a race condition in creation of AccessToken with external oauth2 server. * Fix several concurrency issues. ([638](https://github.com/jazzband/django-oauth-toolkit/issues/638)) * Fix to pass `request` to `django.contrib.auth.authenticate()` ([636](https://github.com/jazzband/django-oauth-toolkit/issues/636)) * Fix missing `oauth2_error` property exception oauthlib_core.verify_request method raises exceptions in authenticate. ([633](https://github.com/jazzband/django-oauth-toolkit/issues/633)) * Fix "django.db.utils.NotSupportedError: FOR UPDATE cannot be applied to the nullable side of an outer join" for postgresql. ([714](https://github.com/jazzband/django-oauth-toolkit/issues/714)) * Fix to return a new refresh token during grace period rather than the recently-revoked one. ([702](https://github.com/jazzband/django-oauth-toolkit/issues/702)) * Fix a bug in refresh token revocation. ([625](https://github.com/jazzband/django-oauth-toolkit/issues/625)) ``` ### 1.2.0 ``` * **Compatibility**: Python 3.4 is the new minimum required version. * **Compatibility**: Django 2.0 is the new minimum required version. * **New feature**: Added TokenMatchesOASRequirements Permissions. * validators.URIValidator has been updated to match URLValidator behaviour more closely. * Moved `redirect_uris` validation to the application clean() method. ``` ### 1.1.2 ``` * Return state with Authorization Denied error (RFC6749 section 4.1.2.1) * Fix a crash with malformed base64 authentication headers * Fix a crash with malformed IPv6 redirect URIs ``` ### 1.1.1 ``` * **Critical**: Django OAuth Toolkit 1.1.0 contained a migration that would revoke all existing RefreshTokens (`0006_auto_20171214_2232`). This release corrects the migration. If you have already ran it in production, please see the following issue for more details: https://github.com/jazzband/django-oauth-toolkit/issues/589 ``` ### 1.1.0 ``` * **Notice**: The Django OAuth Toolkit project is now hosted by JazzBand. * **Compatibility**: Django 1.11 is the new minimum required version. Django 1.10 is no longer supported. * **Compatibility**: This will be the last release to support Django 1.11 and Python 2.7. * **New feature**: Option for RFC 7662 external AS that uses HTTP Basic Auth. * **New feature**: Individual applications may now override the `ALLOWED_REDIRECT_URI_SCHEMES` setting by returning a list of allowed redirect uri schemes in `Application.get_allowed_schemes()`. * **New feature**: The new setting `ERROR_RESPONSE_WITH_SCOPES` can now be set to True to include required scopes when DRF authorization fails due to improper scopes. * **New feature**: The new setting `REFRESH_TOKEN_GRACE_PERIOD_SECONDS` controls a grace period during which refresh tokens may be re-used. * An `app_authorized` signal is fired when a token is generated. ``` ### 1.0.0 ``` * **New feature**: AccessToken, RefreshToken and Grant models are now swappable. * 477: **New feature**: Add support for RFC 7662 (IntrospectTokenView, introspect scope) * **Compatibility**: Django 1.10 is the new minimum required version * **Compatibility**: Django 1.11 is now supported * **Backwards-incompatible**: The `oauth2_provider.ext.rest_framework` module has been moved to `oauth2_provider.contrib.rest_framework` * 177: Changed `id` field on Application, AccessToken, RefreshToken and Grant to BigAutoField (bigint/bigserial) * 321: Added `created` and `updated` auto fields to Application, AccessToken, RefreshToken and Grant * 476: Disallow empty redirect URIs * Fixed bad `url` parameter in some error responses. * Django 2.0 compatibility fixes. * The dependency on django-braces has been dropped. * The oauthlib dependency is no longer pinned. ``` ### 0.12.0 ``` * **New feature**: Class-based scopes backends. Listing scopes, available scopes and default scopes is now done through the class that the `SCOPES_BACKEND_CLASS` setting points to. By default, this is set to `oauth2_provider.scopes.SettingsScopes` which implements the legacy settings-based scope behaviour. No changes are necessary. * **Dropped support for Python 3.2 and Python 3.3**, added support for Python 3.6 * Support for the `scopes` query parameter, deprecated in 0.6.1, has been dropped * 448: Added support for customizing applications' allowed grant types * 141: The `is_usable(request)` method on the Application model can be overridden to dynamically enable or disable applications. * 434: Relax URL patterns to allow for UUID primary keys ``` ### 0.11.0 ``` * 315: AuthorizationView does not overwrite requests on get * 425: Added support for Django 1.10 * 396: added an IsAuthenticatedOrTokenHasScope Permission * 357: Support multiple-user clients by allowing User to be NULL for Applications * 389: Reuse refresh tokens if enabled. ``` ### 0.10.0 ``` * **322: dropping support for python 2.6 and django 1.4, 1.5, 1.6** * 310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant * 333: Added possibility to specify the default list of scopes returned when scope parameter is missing * 325: Added management views of issued tokens * 249: Added a command to clean expired tokens * 323: Application registration view uses custom application model in form class * 299: `server_class` is now pluggable through Django settings * 309: Add the py35-django19 env to travis * 308: Use compact syntax for tox envs * 306: Django 1.9 compatibility * 288: Put additional information when generating token responses * 297: Fixed doc about SessionAuthenticationMiddleware * 273: Generic read write scope by resource ``` ### 0.9.0 ``` * ``oauthlib_backend_class`` is now pluggable through Django settings * 127: ``application/json`` Content-Type is now supported using ``JSONOAuthLibCore`` * 238: Fixed redirect uri handling in case of error * 229: Invalidate access tokens when getting a new refresh token * added support for oauthlib 1.0 ``` ### 0.8.2 ``` * Fix the migrations to be two-step and allow upgrade from 0.7.2 ``` ### 0.8.1 ``` * South migrations fixed. Added new django migrations. ``` ### 0.8.0 ``` * Several docs improvements and minor fixes * 185: fixed vulnerabilities on Basic authentication * 173: ProtectResourceMixin now allows OPTIONS requests * Fixed `client_id` and `client_secret` characters set * 169: hide sensitive informations in error emails * 161: extend search to all token types when revoking a token * 160: return empty response on successful token revocation * 157: skip authorization form with ``skip_authorization_completely`` class field * 155: allow custom uri schemes * fixed ``get_application_model`` on Django 1.7 * fixed non rotating refresh tokens * 137: fixed base template * customized ``client_secret`` length * 38: create access tokens not bound to a user instance for *client credentials* flow ``` ### 0.7.2 ``` * Don't pin oauthlib ``` ### 0.7.1 ``` * Added database indexes to the OAuth2 related models to improve performances. **Warning: schema migration does not work for sqlite3 database, migration should be performed manually** ``` ### 0.7.0 ``` * Make Application model truly "swappable" (introduces a new non-namespaced setting `OAUTH2_PROVIDER_APPLICATION_MODEL`) ``` ### 0.6.1 ``` * added support for `scope` query parameter keeping backwards compatibility for the original `scopes` parameter. * __str__ method in Application model returns content of `name` field when available ``` ### 0.6.0 ``` * oauthlib 0.6.1 support * Django dev branch support * Python 2.6 support * Skip authorization form via `approval_prompt` parameter **Bugfixes** * Several fixes to the docs * Issue 71: Fix migrations * Issue 65: Use OAuth2 password grant with multiple devices * Issue 84: Add information about login template to tutorial. * Issue 64: Fix urlencode clientid secret ``` ### 0.5.0 ``` * `backends.py` module has been renamed to `oauth2_backends.py` so you should change your imports whether you're extending this module **Bugfixes** * Issue 54: Auth backend proposal to address 50 * Issue 61: Fix contributing page * Issue 55: Add support for authenticating confidential client with request body params * Issue 53: Quote characters in the url query that are safe for Django but not for oauthlib ``` ### 0.4.1 ``` * Optimize queries on access token validation ``` ### 0.4.0 ``` * `SCOPE` attribute in settings is now a dictionary to store `{'scope_name': 'scope_description'}` * Namespace `oauth2_provider` is mandatory in urls. See issue 36 **Bugfixes** * Issue 25: Bug in the Basic Auth parsing in Oauth2RequestValidator * Issue 24: Avoid generation of `client_id` with ":" colon char when using HTTP Basic Auth * Issue 21: IndexError when trying to authorize an application * Issue 9: `default_redirect_uri` is mandatory when `grant_type` is implicit, `authorization_code` or all-in-one * Issue 22: Scopes need a verbose description * Issue 33: Add django-oauth-toolkit version on example main page * Issue 36: Add mandatory namespace to urls * Issue 31: Add docstring to OAuthToolkitError and FatalClientError * Issue 32: Add docstring to `validate_uris` * Issue 34: Documentation tutorial part1 needs corsheaders explanation * Issue 36: Add mandatory namespace to urls * Issue 45: Add docs for AbstractApplication * Issue 47: Add docs for views decorators ``` ### 0.3.2 ``` * Bugfix 37: Error in migrations with custom user on Django 1.5 ``` ### 0.3.1 ``` * Bugfix 27: OAuthlib refresh token refactoring ``` ### 0.3.0 ``` * `requested_scopes` parameter in ScopedResourceMixin changed to `required_scopes` ``` ### 0.2.1 ``` * Core optimizations ``` ### 0.2.0 ``` * Add support for Django1.4 and Django1.6 * Add support for Python 3.3 * Add a default ReadWriteScoped view * Add tutorial to docs ``` ### 0.1.0 ``` * Support OAuth2 Authorization Flows ``` ### 0.0.0 ``` * Discussion with Daniel Greenfeld at Django Circus * Ignition ```
Links - PyPI: https://pypi.org/project/django-oauth-toolkit - Changelog: https://pyup.io/changelogs/django-oauth-toolkit/ - Repo: https://github.com/jazzband/django-oauth-toolkit/tarball/master