0.47.0 (2021-12-09)#
Note worthy changes#
New providers: Gumroad.
Backwards incompatible changes#
Added a new setting
SOCIALACCOUNT_LOGIN_ON_GETthat controls whether or not the endpoints for initiating a social login (for example, “/accounts/google/login/”) require a POST request to initiate the handshake. As requiring a POST is more secure, the default of this new setting isFalse.
Security notice#
Automatically signing in users into their account and connecting additional
third party accounts via a simple redirect (“/accounts/facebook/login/”) can
lead to unexpected results and become a security issue especially when the
redirect is triggered from a malicious web site. For example, if an attacker
prepares a malicious website that (ab)uses the Facebook password recovery
mechanism to first sign into his/her own Facebook account, followed by a
redirect to connect a new social account, you may end up with the attacker’s
Facebook account added to the account of the victim. To mitigate this,
SOCIALACCOUNT_LOGIN_ON_GET is introduced.
0.46.0 (2021-11-15)#
Note worthy changes#
New providers: Gitea, MediaWiki.
New translations: Georgian, Mongolian.
Django 3.2 compatibility.
0.45.0 (2021-07-11)#
Note worthy changes#
New providers: Feishu, NetIQ, Frontier, CILogin.