Release Notes
=============

Version 1.2.0
-------------

Released: November 17, 2025

New Features
~~~~~~~~~~~~

- **MFA TOTP**: Added REST endpoints for TOTP-based multi-factor authentication using ``django-allauth`` MFA:

  - ``POST /mfa/setup/``: returns the provisioning URI (otpauth), secret, and QR code (SVG)
  - ``POST /mfa/activate/``: activates TOTP and returns recovery codes
  - ``POST /mfa/verify/``: completes login when MFA is required
  - ``POST /mfa/verify-recovery/``: completes login using one-time recovery codes
  - ``POST /mfa/deactivate/``: disables TOTP for the current user
  - ``GET /mfa/authenticators/``: lists the user's authenticators

  Requires enabling ``allauth.mfa`` in your project's ``INSTALLED_APPS`` and running migrations.

  Configurable via the ``JWT_ALLAUTH_MFA_TOTP_MODE`` setting, which has three modes:

  - ``'disabled'`` (default): MFA TOTP is disabled
  - ``'optional'``: users can enable MFA TOTP, but it is not required for login
  - ``'required'``: users must enable MFA TOTP and provide a TOTP code during login

- **Admin-Managed User Registration**: New registration flow controlled via the ``JWT_ALLAUTH_ADMIN_MANAGED_REGISTRATION`` setting. When enabled:

  - The self-registration endpoint is disabled
  - Only users with allowed roles (configurable via ``JWT_ALLAUTH_REGISTRATION_ALLOWED_ROLES``) can register new users
  - New ``/user-register/`` endpoint for admin registration
  - Invited users set their own password via an email verification link before gaining access
  - No authentication tokens are issued during registration; a one-time password setup token is issued after email verification

Version 1.1.1
-------------

Released: October 11, 2025

Breaking Change
~~~~~~~~~~~~~~~

- ``JWT_ALLAUTH_USER_ATTRIBUTES`` now expects a dictionary mapping output claim names to user attribute paths (e.g., ``{"organization_id": "organization.id"}``) instead of a list of paths. This change prevents duplicate final attribute names (e.g., multiple ``id`` keys) in JWT payloads.
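As an added illustration of the format change (example code written for these notes, not the library's own implementation), the snippet below resolves both setting shapes against a constructed user object and shows how the deprecated list form collapses three paths ending in ``id`` into a single claim, while the dictionary form keeps each value under its own name. The helper names ``resolve_path``, ``colliding_claims``, ``build_claims`` and the sample user are assumptions.

```python
from types import SimpleNamespace
from typing import Any, Dict, Iterable, List, Union

# Constructed stand-in for a Django user: the user and two related objects
# all expose an "id", which is exactly the collision the dict form avoids.
USER = SimpleNamespace(
    id=42,
    organization=SimpleNamespace(id=7, name="acme"),
    department=SimpleNamespace(id=3),
)

# Deprecated list form: three paths whose final segment is "id".
LEGACY_PATHS = ["id", "organization.id", "department.id"]

# Dictionary form (1.1.1+): explicit claim name -> attribute path.
DICT_SETTING = {
    "user_id": "id",
    "organization_id": "organization.id",
    "department_id": "department.id",
}


def resolve_path(obj: Any, path: str) -> Any:
    """Walk a dotted attribute path such as "organization.id".
    Returns None if any hop is missing, so an absent relation yields a
    null claim instead of raising AttributeError."""
    for hop in path.split("."):
        obj = getattr(obj, hop, None)
        if obj is None:
            return None
    return obj


def claim_names_from_list(paths: Iterable[str]) -> List[str]:
    """List form: the last path segment becomes the claim name."""
    return [path.rsplit(".", 1)[-1] for path in paths]


def colliding_claims(paths: Iterable[str]) -> List[str]:
    """Claim names that more than one path in the list form would produce."""
    names = claim_names_from_list(paths)
    return sorted({name for name in names if names.count(name) > 1})


def build_claims(user: Any, setting: Union[Dict[str, str], List[str]]) -> Dict[str, Any]:
    """Turn a JWT_ALLAUTH_USER_ATTRIBUTES value into extra JWT claims."""
    if isinstance(setting, dict):
        mapping = dict(setting)
    else:
        # Duplicate names keep only the last path: the user's own id is lost.
        mapping = dict(zip(claim_names_from_list(setting), setting))
    return {claim: resolve_path(user, path) for claim, path in mapping.items()}
```

Running ``colliding_claims`` over a list-form setting at startup is a cheap way to surface the overwrite before any token is issued.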
The previous list format is still accepted for backward compatibility, but it is deprecated and may be removed in a future release.

Version 1.1.0
-------------

Released: October 7, 2025

New Features
~~~~~~~~~~~~

- Added support for including additional user attributes in refresh tokens via the ``JWT_ALLAUTH_USER_ATTRIBUTES`` setting, allowing flexible configuration of the user data included in JWT payloads while maintaining the existing role assignment logic.

Bug Fixes
~~~~~~~~~

- Fixed API endpoints that incorrectly required a refresh token in the request payload when ``JWT_ALLAUTH_REFRESH_TOKEN_AS_COOKIE`` was enabled; they now properly extract the refresh token from cookies when so configured.
- Fixed a bug that caused migrations not to run correctly in some situations.

Version 1.0.3
-------------

Released: August 5, 2025

New Features
~~~~~~~~~~~~

- New :func:`~jwt_allauth.utils.load_user` decorator that loads the complete user object from the database for stateless JWT authentication.
- Added the ``JWT_ALLAUTH_COLLECT_USER_AGENT`` setting to control user agent data collection during token refresh.
- Added support for refresh tokens via HTTP cookies with the new ``JWT_ALLAUTH_REFRESH_TOKEN_AS_COOKIE`` setting.
- Enhanced token refresh security by moving user agent data collection from the request payload to server-side context.
- Compatibility with ``django-allauth`` 65.10.0, ``djangorestframework-simplejwt`` 5.5.1, and ``djangorestframework`` 3.16.0.

Bug Fixes
~~~~~~~~~

- Improved security for token refresh operations.
- Fixed a bug that caused migrations not to run correctly in some situations.

Version 1.0.2
-------------

Released: April 16, 2025

This release introduces significant improvements to the role management system and authentication configuration.
New Features
~~~~~~~~~~~~

- Added automatic role assignment in ``UserManager``:

  - ``create_superuser`` now automatically sets the role to ``STAFF_CODE``
  - ``create_user`` automatically assigns roles based on user flags:

    - ``STAFF_CODE`` for staff users
    - ``SUPER_USER_CODE`` for superusers

- Added database constraints to ensure role consistency:

  - Staff users must have the ``STAFF_CODE`` role
  - Superusers must have the ``SUPER_USER_CODE`` role

Minor Bug Fixes
~~~~~~~~~~~~~~~

- Automatic configuration of ``DEFAULT_AUTHENTICATION_CLASSES`` was not working when using additional ``REST_FRAMEWORK`` settings.