| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2026-04-27 | Fixed #36901 -- Centralized auth timing attack mitigations. | afenoum | |
| Thank you Mar Bartolome and Tim Schilling for reviews. | |||
| 2026-04-02 | Fixed #37017 -- Fixed setting or clearing of request.user after ↵ | Jacob Walls | |
| alogin/alogout(). Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be. | |||
| 2026-02-10 | Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵ | 93578237 | |
| deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. | |||
| 2025-09-17 | Refs #35530 -- Removed request.user or auser() fallback in auth.login and ↵ | Jacob Walls | |
| auth.alogin. Per deprecation timeline. | |||
| 2025-08-27 | Fixed #36572 -- Revert "Fixed #36546 -- Deprecated ↵ | Sarah Boyce | |
| django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0. | |||
| 2025-08-25 | Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in ↵ | SaJH | |
| favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com> | |||
| 2025-08-22 | Refs #35530 -- Corrected deprecation message in auth.alogin(). | Mariusz Felisiak | |
| Follow up to ceecd518b19044181a3598c55ebed7c2545963cc. | |||
| 2025-08-20 | Refs #35303 -- Made small optimizations in alogout() and aget_user(). | Mariusz Felisiak | |
| In alogout(), there is no need to check the is_authenticated attribute when user is None. In aget_user(), there is no need to call get_session_auth_hash() twice. Follow up to 50f89ae850f6b4e35819fe725a08c7e579bfd099. | |||
| 2025-08-20 | Fixed #36561 -- Used request.auser() in ↵ | Xinyi Rong | |
| contrib.auth.aupdate_session_auth_hash(). | |||
| 2025-08-08 | Fixed #36540 -- Updated request.auser() in contrib.auth.alogin() and ↵ | Xinyi Rong | |
| contrib.auth.alogout(). | |||
| 2024-11-28 | Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin. | Jaap Roes | |
| 2024-10-07 | Fixed #35303 -- Implemented async auth backends and utils. | Jon Janzen | |
| 2024-03-13 | Fixed #34901 -- Added async-compatible interface to session engines. | Jon Janzen | |
| Thanks Andrew-Chen-Wang for the initial implementation which was posted to the Django forum thread about asyncifying contrib modules. | |||
| 2023-06-27 | Fixed #34391 -- Added async-compatible interface to auth functions and ↵ | Jon Janzen | |
| related methods test clients. | |||
| 2023-03-08 | Fixed #34384 -- Fixed session validation when rotation secret keys. | David Wobrock | |
| Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7. Thanks Eric Zarowny for the report. | |||
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2021-01-14 | Refs #27468 -- Removed support for the pre-Django 3.1 user sessions. | Mariusz Felisiak | |
| Per deprecation timeline. | |||
| 2020-10-28 | Refs #28215 -- Marked auth credentials as sensitive variables. | Hasan Ramezani | |
| Co-authored-by: Collin Anderson <collin@onetencommunications.com> | |||
| 2020-07-21 | Fixed #31180 -- Configured applications automatically. | Aymeric Augustin | |
| 2020-04-29 | Refs #27468 -- Made user sessions use SHA-256 algorithm. | Mariusz Felisiak | |
| 2019-12-10 | Fixed #26480 -- Fixed crash of contrib.auth.authenticate() on decorated ↵ | Baptiste Mispelon | |
| authenticate() methods of authentication backends. The Signature API (PEP 362) has better support for decorated functions (by default, it follows the __wrapped__ attribute set by functools.wraps for example). | |||
| 2019-02-14 | Refs #15902 -- Deprecated storing user's language in the session. | Claude Paroz | |
| 2018-03-28 | Fixed #29258 -- Added type checking for login()'s backend argument. | Abeer Upadhyay | |
| 2018-01-03 | Fixed #28985 -- Removed unneeded None checks before hasattr(). | Дилян Палаузов | |
| 2017-09-22 | Refs #25187 -- Required the authenticate() method of authentication backends ↵ | Tim Graham | |
| to have request as the first positional argument. Per deprecation timeline. | |||
| 2017-05-22 | Refs #28207 -- Fixed contrib.auth.authenticate() if 'backend' is in the ↵ | Daniel Hahler | |
| credentials. Regression in 3008f30f194af386c354416be4c483f0f6b15f33. | |||
| 2017-05-15 | Fixed #28207 -- Fixed contrib.auth.authenticate() if multiple auth backends ↵ | Tamas Szabo | |
| don't accept a request. | |||
| 2017-02-24 | Refs #25187 -- Fixed AuthBackend.authenticate() compatibility for signatures ↵ | Tim Graham | |
| that accept a request kwarg. | |||
| 2017-02-04 | Refs #27656 -- Updated django.contrib docstring verb style according to PEP 257. | Anton Samarchyan | |
| 2016-11-25 | Fixed #25966 -- Made get_user_model() work at import time. | Aymeric Augustin | |
| This makes it equivalent to: `from django.contrib.auth.models import User`. Thanks Aymeric Augustin for the initial patch and Tim Graham for the review. | |||
| 2016-11-14 | Fixed E305 flake8 warnings. | Ramin Farajpour Cami | |
| 2016-09-12 | Fixed #23155 -- Added request argument to user_login_failed signal. | Gavin Wahl | |
| 2016-09-12 | Fixed #25187 -- Made request available in authentication backends. | Aleksej Manaev | |
| 2016-08-15 | Fixed #27009 -- Made update_session_auth_hash() rotate the session key. | Tim Graham | |
| 2016-05-13 | Fixed #26614 -- Used constant_time_compare() in checking session auth hash ↵ | Tim Graham | |
| in login(). | |||
| 2016-04-09 | Fixed #25847 -- Made User.is_(anonymous|authenticated) properties. | Jeremy Lainé | |
| 2016-04-08 | Fixed E128 flake8 warnings in django/. | Tim Graham | |
| 2016-03-12 | Fixed #26343 -- Sent user_login_failed signal if an auth backend raises ↵ | ieatkittens | |
| PermissionDenied. | |||
| 2016-01-07 | Fixed #24855 -- Allowed using contrib.auth.login() without credentials. | Paulo Poiati | |
| Added an optional `backend` argument to login(). | |||
| 2015-09-23 | Refs #23957 -- Required session verification per deprecation timeline. | Tim Graham | |
| 2015-02-12 | Fixed #24161 -- Stored the user primary key as a serialized value in the ↵ | Tim Graham | |
| session. This allows using a UUIDField primary key along with the JSON session serializer. Thanks to Trac alias jamesbeith for the report and Simon Charette for the initial patch. | |||
| 2014-12-03 | Fixed #23939 -- Moved session verification out of ↵ | Tim Graham | |
| SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review. | |||
| 2014-11-28 | Fixed #23925 -- Allowed settings.AUTHENTICATION_BACKENDS to reference import ↵ | sdeprez | |
| aliases | |||
| 2014-09-05 | Limited lines to 119 characters in django/ | Tim Graham | |
| refs #23395. | |||
| 2014-04-17 | Fixed a KeyError on login with legacy sessions; refs #21649. | Tim Graham | |
| Thanks Loic for the report. | |||
| 2014-04-05 | Fixed #21649 -- Added optional invalidation of sessions when user password ↵ | Tim Graham | |
| changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews. | |||
| 2014-03-21 | Removed reading of old 'django_language' session variable per deprecation ↵ | Tim Graham | |
| timeline. refs #5789. | |||
| 2014-02-22 | Fixed #22120 -- Documented persistent activation of languages and cleaned up ↵ | Erik Romijn | |
| language session key use | |||
| 2014-02-18 | Fixed #21790 -- Removed reliance on an assert in auth.get_user(). | Tim Graham | |
| Thanks matklad for the report. | |||
