This document lists changes between released versions of pwned-passwords-django.
1.3.1 – released 2018-09-18¶
Released to include documentation updates which were inadvertently left out of the 1.3 package.
1.3 – released 2018-09-18¶
No new features. No bug fixes. Released only to add explicit markers of Python 3.7 and Django 2.1 compatibility.
1.2.1 – released 2018-06-18¶
Released to correct the date of the 1.2 release listed in this changelog document. No other changes.
1.2 – released 2018-06-18¶
- Password-validator error messages are now customizable.
- The request-timeout value for contacting the Pwned Passwords API
defaults to one second, and is customizable via the setting
- When a request to the Pwned Passwords API times out, or encounters
an error, it logs the problem with a message of level
PwnedPasswordsValidatorwill fall back to Django’s CommonPasswordValidator, which has a smaller list of common passwords. The
PwnedPasswordsMiddlewaredoes not have a fallback behavior;
Noneto indicate the error case.
pwned_password()will now raise
TypeErrorif its argument is not a Unicode string (the type
unicodeon Python 2,
stron Python 3). This is debatably backwards-incompatible;
pwned_password()encodes its argument to UTF-8 bytes, which will raise
AttributeErrorif attempted on a
bytesobject in Python 3. As a result, all supported environments other than Python 2.7/Django 1.11 would already raise
bytesobjects lacking the
encode()method) in both 1.0 and 1.1. Enforcing the
TypeErroron all supported environments ensures users of pwned-passwords-django do not write code that accidentally works in one and only one environment, and supplies a more accurate and comprehensible exception than the
AttributeErrorwhich would have been raised in previous versions.
- The default error and help messages of
PwnedPasswordsValidatornow match the messages of Django’s
PwnedPasswordsValidatorfalls back to
CommonPasswordValidatorwhen the Pwned Passwords API is unresponsive, this provides consistency of messages, and also ensures the messages are translated (Django provides translations for its built-in messages).
1.1 – released 2018-03-06¶
- Case sensitivity issue. The Pwned Passwords API always uses uppercase hexadecimal digits for password hashes; pwned-passwords-django was using lowercase. Fixed by switching pwned-passwords-django to use uppercase.
1.0 – released 2018-03-06¶
Initial public release.