Changelog
This document lists changes between released versions of pwned-passwords-django.
1.4 – released 2020-01-28
New features:
- The PwnedPasswordsValidator is now serializable. This is unlikely to be useful, however, as the validator is not intended to be attached to a model.
Other changes:
- The supported versions of Django are now 2.2 and 3.0. This means Python 2 support is dropped; if you still need to use pwned-passwords-django on Python 2 with Django 1.11, stay with the 1.3 release series of pwned-passwords-django.
1.3.2 – released 2019-05-07
No new features. No bug fixes. Released to add explicit markers of Django 2.2 compatibility.
1.3.1 – released 2018-09-18
Released to include documentation updates which were inadvertently left out of the 1.3 package.
1.3 – released 2018-09-18
No new features. No bug fixes. Released only to add explicit markers of Python 3.7 and Django 2.1 compatibility.
1.2.1 – released 2018-06-18
Released to correct the date of the 1.2 release listed in this changelog document. No other changes.
1.2 – released 2018-06-18
New features:
- Password-validator error messages are now customizable.
- The request-timeout value for contacting the Pwned Passwords API defaults to one second, and is customizable via the setting PWNED_PASSWORDS_API_TIMEOUT.
- When a request to the Pwned Passwords API times out, or encounters an error, it logs the problem with a message of level logging.WARNING. The PwnedPasswordsValidator will fall back to CommonPasswordValidator, which has a smaller list of common passwords. The PwnedPasswordsMiddleware does not have a fallback behavior; pwned_password() will return None to indicate the error case.
Bugs fixed:
N/A
Other changes:
- pwned_password() will now raise TypeError if its argument is not a Unicode string (the type unicode on Python 2, str on Python 3). This is debatably backwards-incompatible; pwned_password() encodes its argument to UTF-8 bytes, which will raise AttributeError if attempted on a bytes object in Python 3. As a result, all supported environments other than Python 2.7/Django 1.11 would already raise AttributeError (due to bytes objects lacking the encode() method) in both 1.0 and 1.1. Enforcing the TypeError on all supported environments ensures users of pwned-passwords-django do not write code that accidentally works in one and only one environment, and supplies a more accurate and comprehensible exception than the AttributeError which would have been raised in previous versions.
- The default error and help messages of PwnedPasswordsValidator now match the messages of Django’s CommonPasswordValidator. Since PwnedPasswordsValidator falls back to CommonPasswordValidator when the Pwned Passwords API is unresponsive, this provides consistency of messages, and also ensures the messages are translated (Django provides translations for its built-in messages).
1.1 – released 2018-03-06
New features:
N/A
Bugs fixed:
- Case sensitivity issue. The Pwned Passwords API always uses uppercase hexadecimal digits for password hashes; pwned-passwords-django was using lowercase. Fixed by switching pwned-passwords-django to use uppercase.
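The case-sensitivity fix above, together with the 1.2 contract for pwned_password() (TypeError for non-str input, None for the error case), shown as an added Python example; it is not code from pwned-passwords-django. The function names, the SUFFIX:COUNT response layout and the treatment of a malformed body as the error case are assumptions of this example, and the sample response is constructed.

```python
import hashlib


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    if not isinstance(password, str):
        # Reject bytes up front, as the 1.2 entry describes for pwned_password().
        raise TypeError("password must be str, not %s" % type(password).__name__)
    # Uppercase to match the API's hex digits (the 1.1 fix).
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(body, suffix):
    """Breach count for suffix in a range body; 0 if absent, None on error."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            # Assumption: a malformed row is an error, never "not breached".
            return None
        if candidate == suffix:  # exact, case-sensitive comparison
            return int(count)
    return 0


def constructed_body(password, count=42):
    """Constructed sample response: filler rows around the real suffix."""
    _, suffix = split_hash(password)
    rows = ["0" * 35 + ":1", "%s:%d" % (suffix, count), "F" * 35 + ":2"]
    return "\r\n".join(rows)


if __name__ == "__main__":
    body = constructed_body("password")
    _, suffix = split_hash("password")
    print("uppercase suffix:", count_in_range(body, suffix))
    print("lowercase suffix (pre-1.1 behaviour):", count_in_range(body, suffix.lower()))
    print("malformed body:", count_in_range("not-a-range-response", suffix))
```

The lowercase lookup returns 0 rather than failing, so the pre-1.1 mismatch was a silent false negative: a breached password would have been reported as clean.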
Other changes:
N/A
1.0 – released 2018-03-06
Initial public release.