summaryrefslogtreecommitdiff
path: root/django/contrib/auth/__init__.py
AgeCommit message (Collapse)Author
2026-04-27Fixed #36901 -- Centralized auth timing attack mitigations.afenoum
Thank you Mar Bartolome and Tim Schilling for reviews.
2026-04-02Fixed #37017 -- Fixed setting or clearing of request.user after ↵Jacob Walls
alogin/alogout(). Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2025-09-17Refs #35530 -- Removed request.user or auser() fallback in auth.login and ↵Jacob Walls
auth.alogin. Per deprecation timeline.
2025-08-27Fixed #36572 -- Revert "Fixed #36546 -- Deprecated ↵Sarah Boyce
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in ↵SaJH
favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-22Refs #35530 -- Corrected deprecation message in auth.alogin().Mariusz Felisiak
Follow up to ceecd518b19044181a3598c55ebed7c2545963cc.
2025-08-20Refs #35303 -- Made small optimizations in alogout() and aget_user().Mariusz Felisiak
In alogout(), there is no need to check the is_authenticated attribute when user is None. In aget_user(), there is no need to call get_session_auth_hash() twice. Follow up to 50f89ae850f6b4e35819fe725a08c7e579bfd099.
2025-08-20Fixed #36561 -- Used request.auser() in ↵Xinyi Rong
contrib.auth.aupdate_session_auth_hash().
2025-08-08Fixed #36540 -- Updated request.auser() in contrib.auth.alogin() and ↵Xinyi Rong
contrib.auth.alogout().
2024-11-28Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin.Jaap Roes
2024-10-07Fixed #35303 -- Implemented async auth backends and utils.Jon Janzen
2024-03-13Fixed #34901 -- Added async-compatible interface to session engines.Jon Janzen
Thanks Andrew-Chen-Wang for the initial implementation which was posted to the Django forum thread about asyncifying contrib modules.
2023-06-27Fixed #34391 -- Added async-compatible interface to auth functions and ↵Jon Janzen
related methods test clients.
2023-03-08Fixed #34384 -- Fixed session validation when rotation secret keys.David Wobrock
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7. Thanks Eric Zarowny for the report.
2022-02-07Refs #33476 -- Refactored code to strictly match 88 characters line length.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-01-14Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.Mariusz Felisiak
Per deprecation timeline.
2020-10-28Refs #28215 -- Marked auth credentials as sensitive variables.Hasan Ramezani
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
2020-07-21Fixed #31180 -- Configured applications automatically.Aymeric Augustin
2020-04-29Refs #27468 -- Made user sessions use SHA-256 algorithm.Mariusz Felisiak
2019-12-10Fixed #26480 -- Fixed crash of contrib.auth.authenticate() on decorated ↵Baptiste Mispelon
authenticate() methods of authentication backends. The Signature API (PEP 362) has better support for decorated functions (by default, it follows the __wrapped__ attribute set by functools.wraps for example).
2019-02-14Refs #15902 -- Deprecated storing user's language in the session.Claude Paroz
2018-03-28Fixed #29258 -- Added type checking for login()'s backend argument.Abeer Upadhyay
2018-01-03Fixed #28985 -- Removed unneeded None checks before hasattr().Дилян Палаузов
2017-09-22Refs #25187 -- Required the authenticate() method of authentication backends ↵Tim Graham
to have request as the first positional argument. Per deprecation timeline.
2017-05-22Refs #28207 -- Fixed contrib.auth.authenticate() if 'backend' is in the ↵Daniel Hahler
credentials. Regression in 3008f30f194af386c354416be4c483f0f6b15f33.
2017-05-15Fixed #28207 -- Fixed contrib.auth.authenticate() if multiple auth backends ↵Tamas Szabo
don't accept a request.
2017-02-24Refs #25187 -- Fixed AuthBackend.authenticate() compatibility for signatures ↵Tim Graham
that accept a request kwarg.
2017-02-04Refs #27656 -- Updated django.contrib docstring verb style according to PEP 257.Anton Samarchyan
2016-11-25Fixed #25966 -- Made get_user_model() work at import time.Aymeric Augustin
This makes it equivalent to: `from django.contrib.auth.models import User`. Thanks Aymeric Augustin for the initial patch and Tim Graham for the review.
2016-11-14Fixed E305 flake8 warnings.Ramin Farajpour Cami
2016-09-12Fixed #23155 -- Added request argument to user_login_failed signal.Gavin Wahl
2016-09-12Fixed #25187 -- Made request available in authentication backends.Aleksej Manaev
2016-08-15Fixed #27009 -- Made update_session_auth_hash() rotate the session key.Tim Graham
2016-05-13Fixed #26614 -- Used constant_time_compare() in checking session auth hash ↵Tim Graham
in login().
2016-04-09Fixed #25847 -- Made User.is_(anonymous|authenticated) properties.Jeremy Lainé
2016-04-08Fixed E128 flake8 warnings in django/.Tim Graham
2016-03-12Fixed #26343 -- Sent user_login_failed signal if an auth backend raises ↵ieatkittens
PermissionDenied.
2016-01-07Fixed #24855 -- Allowed using contrib.auth.login() without credentials.Paulo Poiati
Added an optional `backend` argument to login().
2015-09-23Refs #23957 -- Required session verification per deprecation timeline.Tim Graham
2015-02-12Fixed #24161 -- Stored the user primary key as a serialized value in the ↵Tim Graham
session. This allows using a UUIDField primary key along with the JSON session serializer. Thanks to Trac alias jamesbeith for the report and Simon Charette for the initial patch.
2014-12-03Fixed #23939 -- Moved session verification out of ↵Tim Graham
SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review.
2014-11-28Fixed #23925 -- Allowed settings.AUTHENTICATION_BACKENDS to reference import ↵sdeprez
aliases
2014-09-05Limited lines to 119 characters in django/Tim Graham
refs #23395.
2014-04-17Fixed a KeyError on login with legacy sessions; refs #21649.Tim Graham
Thanks Loic for the report.
2014-04-05Fixed #21649 -- Added optional invalidation of sessions when user password ↵Tim Graham
changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
2014-03-21Removed reading of old 'django_language' session variable per deprecation ↵Tim Graham
timeline. refs #5789.
2014-02-22Fixed #22120 -- Documented persistent activation of languages and cleaned up ↵Erik Romijn
language session key use
2014-02-18Fixed #21790 -- Removed reliance on an assert in auth.get_user().Tim Graham
Thanks matklad for the report.